53-1003098-01 20 January 2014 Brocade Mobility RFS Controller CLI Reference Guide Supporting software release 5.5.0.
Copyright © 2014 Brocade Communications Systems, Inc. All Rights Reserved. ADX, AnyIO, Brocade, Brocade Assurance, the B-Mobility symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents About This Guide Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xix Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Text formatting xix Notes xx Understanding command syntax xx Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxii Chapter 1 INTRODUCTION CLI Overview .
page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 ssh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 telnet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 time-it . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 upgrade-abort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 watch . . . . . . . . .
radio-qos-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277 radius-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278 radius-server-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279 radius-user-pool-policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280 rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281 rf-domain . . . . . . . . . . . . . . . .
file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462 firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463 global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466 gre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468 ip . .
autoinstall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .556 bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .557 captive-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572 cdp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573 cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .792 vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .795 wep-shared-key-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .798 service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .799 Device Config Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .803 adoption-site. . . . . . . . .
no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .880 server-listen-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .882 terminate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .883 use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .883 Chapter 11 ASSOCIATION-ACL-POLICY association-acl-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
virtual-defragmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1006 Chapter 15 MINT-POLICY mint-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1009 level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1010 mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1011 router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 18 RADIO-QOS-POLICY radio-qos-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1073 accelerated-multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1073 admission-control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074 no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1077 smart-aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080 service . .
no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1178 qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1180 rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1181 svp-prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1184 voice-prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1185 wmm . . . . . . . . . . . . .
redistribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . route-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . router-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vrrp-state-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
access-network-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1308 connection-capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1309 domain-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1310 hessid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1311 internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1312 ip-address-type. . . . . . . . . . . . . . . . .
About This Guide In this chapter • Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Document Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . • Getting technical help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
bold text Identifies command names Identifies the names of user-manipulated GUI elements Identifies keywords Identifies text to enter at the GUI or CLI italic text Provides emphasis Identifies variables Identifies document titles code text Identifies CLI output For readability, command names in the narrative portions of this guide are presented in bold; for example, show version. Notes The following notice statement is used in this manual.
[] Of the different keywords and variables listed inside a ‘[‘ & ‘]’ pair, only one can be used. Each choice in the list is separated with a ‘|’ (pipe) symbol. For example, the command RFController# clear ...
Getting technical help To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1 INTRODUCTION This chapter describes the commands available within a device’s Command Line Interface (CLI) structure. CLI is available for wireless controllers, access points (APs), and service platforms. Access the CLI by using: • A terminal emulation program running on a computer connected to the serial port on the device (access point, wireless controller, and service platform). • A Telnet session through Secure Shell (SSH) over a network.
1 CLI Overview The CLI is used for configuring, monitoring, and maintaining the network. The user interface allows you to execute commands on supported wireless controllers, service platforms, and APs, using either a serial console or a remote access method. This chapter describes basic CLI features. Topics covered include an introduction to command modes, navigation and editing features, help features and command history. The CLI is segregated into different command modes.
1 rfs7000-37FABE>enable rfs7000-37FABE# Most of the USER EXEC mode commands are one-time commands and are not saved across device reboots. Save the command by executing ‘commit’ command. For example, the show command displays the current configuration and the clear command clears the interface. Access the GLOBAL CONFIG mode from the PRIV EXEC mode. In the GLOBAL CONFIG mode, enter commands that set general system characteristics. Configuration modes, allow you to change the running configuration.
1 TABLE 1 Controller CLI Modes and Commands User Exec Mode Priv Exec Mode Global Configuration Mode terminal l2tpv3 dhcp-server-policy time-it logging dns-whitelist traceroute mint event-system-policy watch mkdir firewall-policy write more global-association-list clrscr no help exit page host virtual-machine (Brocade Mobility RFS9510) pwd inline-password-encryption re-elect ip reload l2tpv3 remote-debug mac rename management-policy revert meshpoint rmdir meshpoint-qos
1 TABLE 1 Controller CLI Modes and Commands User Exec Mode Priv Exec Mode Global Configuration Mode write clrscr commit do end exit revert service show Getting Context Sensitive Help Enter a question mark (?) at the system prompt to display a list of commands available for each mode. Obtain a list of arguments and keywords for any command using the CLI context-sensitive help.
1 When using context-sensitive help, the space (or lack of a space) before the question mark (?) is significant. To obtain a list of commands that begin with a particular sequence, enter the characters followed by a question mark (?). Do not include a space. This form of help is called word help, because it completes a word. rfs7000-37FABE#service? service Service Commands rfs7000-37FABE#service Enter a question mark (?) (in place of a keyword or argument) to list keywords or arguments.
1 If no help is available, the help content will be empty. Backup until entering a '?' shows the help content. There are two styles of help provided: 1. Full help. Available when entering a command argument (e.g. 'show ?'). This will describe each possible argument. 2. Partial help. Available when an abbreviated argument is entered. This will display which arguments match the input (e.g. 'show ve?'). rfs7000-37FABE> Using the No Command Almost every command has a no form.
1 TABLE 2 Keystrokes Details Keystrokes Function Summary Function Details Left Arrow or Ctrl-B Back character Moves the cursor one character to the left When entering a command that extends beyond a single line, press the Left Arrow or Ctrl-B keys repeatedly to move back to the system prompt.
1 Enter a question mark (?) to obtain a list of commands beginning with that set of characters. Do not leave a space between the last letter and the question mark (?).
1 The following command displays a default Brocade Mobility 71XX Access Point profile: rfs7000-37FABE(config)#profile br71xx default-br71xx rfs7000-37FABE(config-profile-default-br71xx)# rfs7000-37FABE(config-profile-default-br71xx)#show context profile br71xx default-br71xx autoinstall configuration autoinstall firmware device-upgrade persist-images crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encrypt
1 rfs7000-37FABE(config)#show wireless br configured -----------------------------------------------------------------------------------IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY -----------------------------------------------------------------------------------1 br71xx-4AA708 00-04-96-4A-A7-08 default-br71xx default un-adopted 2 br71xx-11E6C4 00-23-68-11-E6-C4 default-br71xx default un-adopted 3 br650-000001 00-A0-F8-00-00-01 default-br650 default un-adopted -------------------------------------------------
1 When logging into the controller for the first time, you are prompted to change the password. To change user credentials: 1. Enter the username, password, role and access details.
1 4. Log into the controller through SSH using appropriate credentials. 5. Use the following credentials when logging on to the device for the first time: User Name admin Password admin123 When logging into the controller for the first time, you are prompted to change the password. To change the user credentials: rfs7000 release 5.5.0.0-018D rfs7000-37FABE login: testuser Password: Welcome to CLI Starting CLI...
Chapter 2 USER EXEC MODE COMMANDS Logging in to the wireless controller places you within the USER EXEC command mode. Typically, a login requires a user name and password. You have three login attempts before the connection attempt is refused. USER EXEC commands (available at the user level) are a subset of the commands available at the privileged level. In general, USER EXEC commands allow you to connect to remote devices, perform basic tests, and list system information.
2 > User Exec Commands Table 1 summarizes the User Exec Mode commands.
2 TABLE 1 User Exec Mode Commands (Continued) Command Description Reference service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 write Writes information to memory or terminal page 425 exit Ends the current CLI session and closes the session window page 65 captive-portal-page-upload User Exec Commands Uploads captive portal advanced pages Supported in the following platforms: • Access Points
2 captive-portal-page-upload rf-domain [|all] {from-controller} {(upload-time
2 ------------------------------------------------------------------------------CONTROLLER STATUS MESSAGE ------------------------------------------------------------------------------00-23-68-22-9D-58 Success Cancelled upgrade of 1 APs ------------------------------------------------------------------------------rfs4000-229D58> change-passwd User Exec Commands Changes the password of a logged user. When this command is executed without any parameters, the password can be changed interactively.
2 Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared, using this command, depends on the mode where the clear command is executed.
2 clear rtls [aeroscout|ekahau] clear rtls [aeroscout|ekahau] { {on }| on } clear spanning-tree detected-protocols {interface|on} clear spanning-tree detected-protocols {on } clear spanning-tree detected-protocols {interface [|ge <1-5>|me1| port-channel <1-3>|pppoe1|up1|vlan <1-4094>|wwan1]} {on } clear vrrp [error-stats|stats] {on } Parameters clear arp-cache {on } arp-cache Clea
2 clear crypto ike sa [|all] {on } crypto Clears encryption module database ike sa [|all] Clears Internet Key Exchange (IKE) security associations (SAs) • – Clears IKE SA entries for the peer identified by the keyword • all – Clears IKE SA entries for all peers on Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device • – Specify the name of the AP, wireless controller, or service platform.
2 vlan <1-4094> Optional. Clears all MAC addresses for a specified VLAN • <1-4094> – Specify the VLAN ID from 1 - 4094 on Optional. Clears a single MAC entry or all MAC entries, for the specified VLAN on a specified device • – Specify the name of the AP, wireless controller, or service platform.
2 clear rtls [aeroscout|ekahau] { {on }| on } rtls Clears Real Time Location Service (RTLS) statistics aeroscout Clears RTLS Aeroscout statistics ekahau Clears RTLS Ekahau statistics on This keyword is common to the ‘aeroscout’ and ‘ekahau’ parameters. • on – Optional.
2 stats Clears VRRP related statistics on This following keywords are common to the ‘error-stats’ and ‘stats’ parameters: • on – Optional. Clears VRRP statistics on a specified device • – Specify the name of the AP, wireless controller, or service platform.
2 1 1 ge5 00-23-68-0F-43-D8 forward 1 1 ge5 00-15-70-38-06-49 forward 1 1 ge5 00-23-68-13-9B-34 forward 1 1 ge5 B4-C7-99-58-72-58 forward 1 1 ge5 00-15-70-81-74-2D forward 1 1 ge5 B4-C7-99-5C-FA-2B forward 1 1 ge5 00-15-70-37-FD-F2 forward 1 1 ge5 B4-C7-99-6C-88-09 forward 1 1 ge5 B4-C7-99-71-17-28 forward 1 1 ge5 5C-0E-8B-18-10-91 forward 1 1 ge5 3C-CE-73-F4-47-83 forward 1 1 ge5 00-23-68-88-0D-AC forward 1 1 ge5 00-A0-F8-68-D5-5C forward -------------------------------------------------------Total number
2 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: clock set <1-31> <1993-2035> {on } Parameters clock set <1-31> <1993-2035> {on } clock set Sets a device’s software system clock Sets the current time (in military format hours, minutes and seconds) <1-31> Sets the numerical day of the month Sets the month of t
2 Related Commands: create-cluster Creates a new cluster on the specified device join-cluster Adds a wireless controller or service platform, as a member, to an existing cluster of controllers connect User Exec Commands Begins a console connection to a remote device using the remote device’s MiNT ID or name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point,
2 rfs4000-229D58> rfs4000-229D58>connect ? REMOTE-DEVICE-NAME Name of remote system mint-id MiNT protocol identifier rfs4000-229D58>connect mint-id 68.22.9D.58 Entering character mode Escape character is '^]'. Brocade Mobility RFS4000 release 5.5.0.
2 [OK] rfs7000-37FABE> nx6500-31FABE>create-cluster Related Commands: cluster Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member. join-cluster Adds a device, as a member, to an existing cluster of devices crypto User Exec Commands Enables digital certificate configuration and RSA Keypair management.
2 crypto key zeroize rsa {force {on }|on } crypto pki [authenticate|export|generate|import|zeroize] crypto pki authenticate {background {on }|on } crypto pki export [request|trustpoint] crypto pki export request [generate-rsa-key|use-rsa-key] [autogen-subject-name|subject-name] crypto pki export request [generate-rsa-key|use-rsa-key] autogen-subject-name (
2 Specify the RSA Keypair destination address in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file background {on } Optional. Performs export operation in the background. Optionally specify the device to perform export on. on Optional. Performs export operation on a specific device.
2 on background {on } Specify the RSA Keypair source address in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file Optional. Performs import operation on a specified device – Specify the name of the AP, wireless controller, or service platform. • Optional.
2 Specify CA’s location in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file NOTE: The CA certificate is imported from the specified location. background {on } Optional. Performs authentication in the background. Optionally specify a device on which to perform authentication. on Optional.
2 crypto pki export request [generate-rsa-key|use-rsa-key] subject-name (,email ,fqdn ,ip-address ) pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. export request Exports CSR to the CA for a digital identity certificate.The CSR contains applicant’s details and RSA Keypair’s public key.
2 Specify the destination address in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file background {on } Optional. Performs export operation in the background • on – Optional.
2 crypto pki generate self-signed [generate-rsa-key|use-rsa-key] subject-name {(email ,fqdn ,ip-address ,on )} pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
2 background {on } Optional. Performs import operation in the background • on – Optional. Performs import operation on a specified device • – Specify the name of the AP, wireless controller, or service platform. on Optional. Performs import operation on a specified device • – Specify the name of the AP, wireless controller, or service platform.
2 rfs7000-37FABE>crypto key import rsa moto123 url passphrase word background on rfs7000-37FABE RSA key import operation is started in background rfs7000-37FABE> rfs7000-37FABE>crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word Successfully generated self-signed certificate rfs7000-37FABE> rfs7000-37FABE>crypto pki zeroize trustpoint word del-key on rfs7000-37FABE Successfully removed the trustpoint and associated certificates %Warning: Applications associated with the
2 Network administrators can use the device-upgrade command to schedule firmware upgrades across adopted devices within the network. Devices are upgraded based on their device names, MAC addresses, or RF Domain. The firmware image used for the upgrade can either be user-defined or built-in. The user-defined image is pulled from the defined location and applied to the device(s). Use the device-upgrade > load-image command to provide the image file name and location.
2 NOTE If the persist-images option is selected, the RF Domain manager retains the old firmware image, or else deletes it. For more information on enabling device upgrade on profiles and devices (including the ‘persist-images’ option), see device-upgrade. NOTE A NOC controller’s capacity is equal to, or higher, than that of a site controller.
2 device-upgrade load-image [br650|br6511|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] device-upgrade rf-domain [|all] [all|br650|br6511|br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {|no-reboot|from-controller|reboot-time
2 upgrade-time
2 device-upgrade cancel-upgrade [br650|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] all cancel-upgrade [br6511|br1220|br71xx| br81xx|rfs4000| rfs6000|rfs7000] all Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type.
2 device-upgrade load-image [br650|br6511|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] load-image [ br6511|br71xx|br81xx|rfs 4000| rfs6000|rfs7000|] Loads device firmware image from a specified location. Select the device type and provide the location of the required device firmware image.
2 device-upgrade rf-domain [|all] [all|br650|br6511| br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {|no-reboot|reboot-time
2 device-upgrade rf-domain [|all] [all|br650|br6511| br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {from-controller {no-reboot|reboot-time
2 device-upgrade rf-domain [|all] [all|br650|br6511| |br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {upgrade-time
2 status versions Status of Device Upgrade Versions of device-upgrade images rfs4000-229D58>show device-upgrade rfs4000-229D58>show device-upgrade history -----------------------------------------------------------------------------------------------Device RESULT TIME RETRIES UPGRADED-BY LAST-UPDATE-ERROR -----------------------------------------------------------------------------------------------br71xx-0F43D8 failed 2013-01-05 00:21:08 3 00-23-68-22-9D-58 Update error: Unable to get update file, failur
2 Parameters None Example rfs7000-37FABE#disable rfs7000-37FABE> enable User Exec Commands Turns on (enables) the privileged mode command set. This command does not do anything in the Privilege Executable mode.
2 join-cluster user password {level [1|2]|mode [active|standby]} join-cluster Adds a access point, wireless controller, or service platform to an existing cluster Specify the cluster member’s IP address. user Specify a user account with super user privileges on the new cluster member password Specify password for the account specified in the user parameter level [1|2] Optional.
2 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: l2tpv3 tunnel [|all] l2tpv3 tunnel [down|session|up] l2tpv3 tunnel [down|up] {on } l2tpv3 tunnel
2 NOTE For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 23, L2TPV3-POLICY.
2 Log Buffer (522 bytes): Apr 30 12:24:12 2013: rfs4000-229D58 : %SYSTEM-3-LOGIN_FAIL: Log-in failed for user 'superuser' from 'pts/1' Apr 30 12:24:12 2013: %AUTH-4-WARNING: login[2901]: login failed for 'superuser' on 'pts/1' Apr 30 12:24:01 2013: rfs4000-229D58 : %SYSTEM-3-LOGIN_FAIL: Log-in failed for user 'exit' from 'pts/1' Apr 30 12:24:01 2013: %AUTH-4-WARNING: login[2901]: login failed for 'exit' on 'pts/1' Apr 29 14:50:28 2013: rfs4000-229D58 : %SYSTEM-3-UI_USER_AUTH_FAIL: UI user 'Admin' from: '192
2 mint traceroute {(destination-port <1-65535>|max-hops <1-255>| source-port <1-65535>|timseout <1-255>)} traceroute Prints the route packets trace to a device – Specify the destination device’s MiNT ID. • destination-port <1-65535> Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port <1-65535> – Specify a value from 1 - 65535. The default port is 45. • max-hops <1-255> Optional.
2 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [adoption|captive-portal|crypto|debug|logging|mac-user-db|page|service|termin al| virtual-machine|wireless] no adoption {on } no
2 no captive-portal client [captive-portal |mac ] {on } no captive-portal client Disconnects captive portal clients from the network captive-portal • Disconnects clients of the captive portal identified by the keyword – Specify the captive portal name. mac Disconnects a client specified by its MAC address • – Specify the client’s MAC address.
2 no service locator {on } no service Disables LEDs on a specified device or all devices in the WLAN. It also resets the CLI table expand and MiNT protocol configurations. locator {on } Disables LEDs on a specified device • on – Optional. Specify the name of the AP, wireless controller, or service platform. If no device name is specified, the system disables LEDs on all devices in the WLAN.
2 Related Commands: auto-provisioning-policy Resets the adoption state of a device and all devices adopted to it captive portal Manages captive portal clients crypto Enables digital certificate configuration and RSA Keypair management.
2 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ping {count <1-10000>|dont-fragment {count|size}|size <1-64000>} Parameters ping {count
2 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ssh Parameters ssh [] Specify the IP address or hostname of the remote system. Specify the name of the user requesting SSH connection with the remote system. Example rfs7000-37FABE>ssh 172.16.10.4 admin The authenticity of host '172.16.10.4 (172.16.10.
2 Brocade Mobility RFS4000 release 5.5.0.
2 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: time-it Parameters time-it time-it Verifies the time taken by a particular command to execute and provide a result – Specify the command. • Example rfs7000-37FABE>time-it enable That took 0.00 seconds..
2 Options: -F -I -l -d -n -r -v -m -p -q -s -t -w -g Set the don't fragment bit Use ICMP ECHO instead of UDP datagrams Display the ttl value of the returned packet Set SO_DEBUG options to socket Print hop addresses numerically rather than symbolically Bypass the normal routing tables and send directly to a host Verbose max_ttl Max time-to-live (max number of hops) port# Base UDP port number used in probes (default is 33434) nqueries Number of probes per 'ttl' (default 3) src_addr IP address to use as the s
2 108 bytes from 172.16.10.2: seq=2 ttl=64 time=0.458 ms 108 bytes from 172.16.10.2: seq=3 ttl=64 time=0.378 ms 108 bytes from 172.16.10.2: seq=4 ttl=64 time=0.364 ms --- 172.16.10.2 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 0.364/0.477/0.725 ms rfs7000-37FABE> exit User Exec Commands Ends the current CLI session and closes the session window For more information, see exit.
2 Installing third-party VMs saves on hardware cost and provides a unified VM management interface. • Syntax Brocade Mobility RFS9510 Supported in the following platforms: • Service Platforms — Brocade Mobility RFS9510 virtual-machine assign-usb-ports team-vowlan {on } assign-usb-ports team-vowlan Assigns USB ports to TEAM-VoWLAN on a specified device on – Optional. Specify the device name. Use the no > virtual-machine > assign-usb-ports to reassign the port to Mobility.
2 virtual-machine install type [disk|iso disk-size |vm-archive] install-media [||] {autostart|memory|on|vcpus|vif-count|vnc} virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. • – Specify the VM name. • type – Specify the install-media (image) type.
2 virtual-machine install [team-urc|team-rls|team-vowlan] {on } virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process.
2 virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>| vif-count <0-2>|vif-mac |vif-to-vmif | vnc [disable|enable]] [|team-urc|team-rls|team-vowlan] {on } virtual-machine set Configures the VM settings • autostart – Specifies whether to autostart the VM on system reboot • ignore – Enables autostart on each system reboot • start – Disables autostart • memory – Defines the VM memory size • <512-8192> – Specify the V
2 virtual-machine start [|team-urc|team-rls|team-vowlan] {on } virtual-machine start Starts the VM, based on the parameters passed. Select one of the following options: – Starts the VM identified by the keyword. Specify the VM name. team-urc – Starts the VM TEAM-URC team-rls – Starts the VM TEAM-RLS team-vowlan – Starts the VM TEAM-VoWLAN The following keywords are common to all of the above parameters: • on – Optional.
2 virtual-machine console [adsp|team-cmt] virtual-machine console Connects to the ADSP or TEAM-CMT VM’s console, based on the parameters passed. Select one of the following console options: • – Connects to the console of the VM identified by the keyword. Specify the VM name.
2 virtual-machine set memory <512-8192> [adsp|team-cmt] {on } virtual-machine set memory Modifies the ADSP or TEAM-CMT VM’s memory, in MB, based on the parameter passed. Specify a value from 512 - 8192 MB. • on – Optional. Executes the command on a specified device or devices • – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
2 Exporting an installed VM: #virtual-machine export on In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state). nx4500-5CFA2B>virtual-machine install team-urc Virtual Machine install team-urc command successfully sent. nx4500-5CFA2B> NOTE Use the show > virtual-machine > [configuration|debugging|export|statistics] command to view installed VM details.
Chapter PRIVILEGED EXEC MODE COMMANDS 3 Most PRIV EXEC commands set operating parameters. Privileged-level access should be password protected to prevent unauthorized use. The PRIV EXEC command set includes commands contained within the USER EXEC mode. The PRIV EXEC mode also provides access to configuration modes, and includes advanced testing commands. The PRIV EXEC mode prompt consists of the hostname of the device followed by a pound sign (#).
3 ping pwd raid re-elect reload remote-debug rename revert rmdir self service show smart-cache ssh telnet terminal time-it traceroute upgrade upgrade-abort virtual-machine watch write clrscr exit Send ICMP echo messages Display current directory RAID operations Perform re-election Halt and perform a warm reboot Troubleshoot remote system(s) Rename a file Revert changes Delete a directory Config context of the device currently logged into Service Commands Show running system information Content Cache Opera
3 TABLE 1 Privileged Exec Commands (Continued) Command Description Reference copy Copies a file from any location to the wireless controller, service platform, or access point page 95 create-cluster Creates a new cluster on a specified device page 96 crypto Enables encryption page 97 delete Deletes a specified file from the system page 107 device-upgrade Configures device firmware upgrade parameters page 108 diff Displays the differences between two files page 115 dir Displays the li
3 TABLE 1 Privileged Exec Commands (Continued) Command Description Reference virtual-machine Installs, configures, and monitors the status of virtual machines (VMs). This command is specific to the Brocade Mobility RFS9510 series service platforms.
3 archive tar /xtract [|] tar Manipulates (creates, lists or extracts) a tar file /xtract Extracts content from a tar file Defines tar filename Sets the tar file URL Specify a directory name. When used with /create, dir is the source directory for the tar file. When used with /xtract, dir is the destination file where contents of the tar file are extracted.
3 drwx -rw- 176128 Sat Jan 1 00:00:09 2000 Fri Feb 15 14:32:51 2013 startuplog out.
3 IMAGE BUILD DATE INSTALL DATE VERSION ------------------------------------------------------------------------------Primary 01:29:2013 22:34:21 01:16:2013 22:34:00 5.5.0.0-018D Secondary 01:25:2013 21:56:47 01:13:2013 22:57:12 5.5.0.
3 all Uploads to all APs upload-time
3 ------------------------------------------------------------------------------rfs4000-229D58> rfs4000-229D58>captive-portal-page-upload cancel-upload 00-04-96-4A-A7-08 ------------------------------------------------------------------------------CONTROLLER STATUS MESSAGE ------------------------------------------------------------------------------00-23-68-22-9D-58 Success Cancelled upgrade of 1 APs ------------------------------------------------------------------------------rfs4000-229D58> cd Privilege
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: change-passwd {} Parameters change-passwd {} Optional.
3 NOTE Refer to the interface details below when using clear - ge – Brocade Mobility RFS4000 supports 5 GEs, Brocade Mobility RFS6000 supports 8 GEs, Brocade Mobility RFS7000 supports 4 GEs - me1 – Available in both Brocade Mobility RFS7000 and Brocade Mobility RFS6000 - up1– Uplink interface on Brocade Mobility RFS4000 Syntax: clear [arp-cache|cdp|counters|crypto|event-history|firewall|gre|ip|l2tpv3-stats| license|lldp|logging|mac-address-table|mint|role|rtls|smart-cache|spanning-tr ee| vrrp] clea
3 clear mint mlcp history {on } clear role ldap-stats {on } clear rtls [aeroscout|ekahau] clear rtls [aeroscout|ekahau] { {on }| on } clear spanning-tree detected-protocols {interface|on } clear spanning-tree detected-protocols {interface [|ge <1-5>|me1| port-channel <1-3>|pppoe1|vlan <1-4094>|wwan1]} {on } clear vrrp [error-stats|stats] {on } Parameters clear arp-cach
3 clear counters interface [|all|ge <1-5>|me1|port-channel <1-3>| pppoe1|vlan <1-4094>|wwan1] Clears interface counters for a specified interface – Clears a specified interface counters. Specify the interface name. all – Clears all interface counters ge <1-5> – Clears GigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - 5. • me1 – Clears FastEthernet interface counters • port-channel <1- 3> – Clears port-channel interface counters.
3 flows Clears established firewall sessions on The following keywords are common to the DHCP, DOS, and flows parameters: • on – Optional. Clears DHCP snoop table entries, denial of service statistics, or the established firewall sessions on a specified device • – Specify the name of the AP, wireless controller, or service platform. clear gre stats {on } gre stats Clears GRE tunnel statistics on Optional.
3 clear license borrowed {on } license borrowed {on } Releases or revokes all licenses borrowed by a site controller on – Optional. Specifies the borrowing controller’s name. If no device name is specified, the system clears all borrowed licenses on the logged device.
3 xge <1-4> Clears MAC address forwarding table for the specified TenGigabitEthernet interface • <1-4> – Specify the GigabitEthernet interface index from 1 - 4. This interface is supported only on the NX9000 series service platforms. on Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device • – Specify the name of the AP, wireless controller, or service platform.
3 Optional. Clears spanning tree entries on different interfaces – Clears detected spanning tree entries on a specified interface. Specify the interface name. • ge <1-5> – Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - 5. • me1 – Clears FastEthernet interface status • port-channel <1-3> – Clears detected spanning tree entries for the selected port channel interface.
3 2013-01-31 00:49:54 rfs4000-229D58 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh' 2013-01-31 00:49:31 rfs4000-229D58 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.225' 2013-01-31 00:16:32 rfs4000-229D58 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.
3 1 1 up1 B4-C7-99-58-72-58 forward 1 1 up1 B4-C7-99-71-17-28 forward -------------------------------------------------------Total number of MACs displayed: 9 nx4500-5CFA2B# clock Privileged Exec Mode Commands Sets a device’s system clock Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mob
3 Supported in the following platforms: • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: cluster start-election Parameters cluster start-election start-election Starts a new cluster master election Example rfs7000-37FABE#cluster start-election rfs7000-37FABE# Related Commands: create-cluster Creates a new cluster on a specified device join-cluster Adds a controller, as cluster member, to an e
3 rfs7000-37FABE(config-device-00-15-70-37-FA-BE)# rfs7000-37FABE#configure terminal Enter configuration commands, one per line. rfs7000-37FABE(config)# End with CNTL/Z.
3 Copies a file (config,log,txt...etc) from any location to the access point, wireless controller, or service platform and vice-versa NOTE Copying a new config file to an existing running-config file merges it with the existing running-config file on the wireless controller. Both the existing running-config and the new config file are applied as the current running-config. Copying a new config file to a start-up config file replaces the existing start-up config file with the parameters of the new file.
3 A cluster's load balance is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster.
3 This command also enables trustpoint configuration. Trustpoints contain the CA’s identity and configuration parameters.
3 crypto pki export trustpoint {background {on }|on |passphrase {background {on }|on }} crypto pki generate self-signed [generate-rsa-key| use-rsa-key] [autogen-subject-name|subject-name] crypto pki generate self-signed [generate-rsa-key|use-rsa-key] autogen-subject-name {(email ,fqdn , ip-address ,on
3 {passphrase } on Specify the RSA Keypair destination address in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file • passphrase – Optional. Encrypts RSA Keypair before exporting • – Specify a passphrase to encrypt the RSA Keypair. Optional.
3 {passphrase } Specify the RSA Keypair source address in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file • passphrase – Optional. Decrypts the RSA Keypair before importing it • – Specify the passphrase to decrypt the RSA Keypair. on Optional.
3 crypto pki export request [generate-rsa-key|use-rsa-key] autogen-subject-name (url ,email ,fqdn ,ip-address ) pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. export request Exports CSR to the CA for digital identity certificate. The CSR contains applicant’s details and RSA Keypair’s public key.
3 Sets the organization name (2 to 64 characters in length) Sets the organization unit (2 to 64 characters in length) {background {on } Specify the CA’s location in the following format: tftp://[:port]/path/file ftp://:@[:port]/path/file sftp://@[:port]>/path/file http://[:port]/path/file cf:/path/file usb:/path/file NOTE: The CSR is exported to th
3 crypto pki generate self-signed [generate-rsa-key|use-rsa-key] autogen-subject-name {(email ,fqdn ,ip-address ,on )} pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
3 email Optional. Exports the CSR to a specified e-mail address • – Specify the CA’s e-mail address. fqdn Optional. Exports the CSR to a specified FQDN • – Specify the CA’s FQDN. ip address Optional. Exports the CSR to a specified device or system • – Specify the CA’s IP address. on Optional. Exports the CSR on a specified device • – Specify the name of the AP, wireless controller, or service platform.
3 background {on } on passphrase {background {on }| on } Optional. Performs import operation in the background • on – Optional. Performs import operation on a specified device • – Specify the name of the AP, wireless controller, or service platform. Optional. Performs import operation on a specified device • – Specify the name of the AP, wireless controller, or service platform. Optional.
3 Related Commands: no Removes server certificates, trustpoints and their associated certificates delete Privileged Exec Mode Commands Deletes a specified file from the device’s file system Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade
3 device-upgrade Privileged Exec Mode Commands Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms) This command simplifies device upgradation within a hierarchically managed (HM) network. For more information on HM networks, see device-upgrade. NOTE A NOC controller’s capacity is equal to, or higher than that of a site controller.
3 device-upgrade cancel-upgrade [|all] device-upgrade cancel-upgrade [br650|br6511|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] all device-upgrade cancel-upgrade on rf-domain [|all] device-upgrade load-image [br650|br6511|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] device-upgrade rf-domain [|all] [all|br650|br6511| br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {|no-reboot|from-controller|reboot-time
3 upgrade-time
3 device-upgrade cancel-upgrade [br650|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] all cancel-upgrade [br650| br6511|br1220|br71xx| br81xx|rfs4000| rfs6000|rfs7000] all Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type.
3 device-upgrade load-image [br650|br6511|br1220| br71xx|br81xx|rfs4000|rfs6000|rfs7000] load-image [br650| br6511|br1220|br71xx|br 81xx|rfs4000| rfs6000|rfs7000] Loads device firmware image from a specified location. Select the device type and provide the location of the required device firmware image.
3 no-reboot {staggered-reboot} Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) reboot-time
3 device-upgrade rf-domain [|all] [all|br650|br6511|br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000] {upgrade-time
3 status versions Status of Device Upgrade Versions of device-upgrade images rfs4000-229D58#show device-upgrade rfs4000-229D58#show device-upgrade history -----------------------------------------------------------------------------------------------Device RESULT TIME RETRIES UPGRADED-BY LAST-UPDATE-ERROR -----------------------------------------------------------------------------------------------br71xx-0F43D8 failed 2013-01-05 00:21:08 3 00-23-68-22-9D-58 Update error: Unable to get update file, failur
3 diff [|] [|] The first is the source file for the diff command. The second is used for comparison. The first is the source file’s URL. The second is the second file’s URL. Example rfs4000-229D58#diff startup-config running-config --- startup-config +++ running-config @@ -1,3 +1,4 @@ +!### show running-config ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.
3
Optional. Lists files in the named file path all-filesystems Optional. Lists files on all file systems Example rfs4000-229D58#dir Directory of flash:/.3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: disable Parameters None Example rfs7000-37FABE#disable rfs7000-37FABE> edit Privileged Exec Mode Commands Edits a text file on the device’s file system S
3 dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f ! client-identity-group ClientIdentityGroup client-identity TestClientIdentity precedence 1 ! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit $ deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-descripti$ deny ip any 224.0.0.
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: erase [cf:|flash:|nvram:|startup-config|usb1:] Parameters erase [cf:|flash:|nvram:|startup-config|usb1:] cf: Erases everything in the device's cf: file
3 halt {on } halt {on } Halts a specified device • on – Optional. Enter the name of the AP, wireless controller, or service platform. If the device name is not specified, the logged device is halted. Example rfs7000-37FABE#halt on rfs7000-37FABE rfs7000-37FABE# join-cluster Privileged Exec Mode Commands Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices.
3 After adding the device to a cluster, execute the “write memory” command to ensure the configuration persists across reboots. Example rfs7000-37FABE#join-cluster 172.16.10.10 user admin password admin123 Joining cluster at 172.16.10.10... Done Please execute “write memory” to save cluster configuration. rfs7000-37FABE# nx6500-31FABE#join-cluster 172.16.10.10 user admin password admin123 Joining cluster at 172.16.10.10... Done Please execute “write memory” to save cluster configuration.
3 l2tpv3 tunnel session [down|up] {on } l2tpv3 tunnel Establishes or brings down an L2TPv3 tunnel – Specify the tunnel name. • Establishes or brings down a session in the specified tunnel session [down|up] • – Specify the session name. • down – Brings down the specified tunnel session • up – Establishes the specified tunnel session on Optional.
3 logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational| notifications|warnings} monitor Sets terminal lines logging levels. The logging severity levels can be set from 0 - 7. The system configures default settings, if no logging severity level is specified. • <0-7> – Optional. Enter the logging severity level from 0 - 7. The various levels and their implications are: • alerts – Optional. Immediate action needed (severity=1) • critical – Optional.
3 mint ping MINT-ID {count <1-10000>|size <1-64000>|timeout <1-10>} ping count <1-10000> size <1-64000> timeout <1-10> Sends a MiNT echo message to a specified destination – Specify the destination device’s MiNT ID. • Optional. Sets the pings to the MiNT destination <1-10000> – Specify a value from 1 - 60. The default is 3. • Optional. Sets the MiNT payload size in bytes <1-64000> – Specify a value from 1 - 640000 bytes. The default is 64 bytes. • Optional.
3 mkdir Privileged Exec Mode Commands Creates a new directory in the file system Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: mkdir
Parameters mkdir <3 drwx -rw- 176128 Sat Jan 1 00:00:09 2000 Fri Feb 15 14:32:51 2013 startuplog out.tar rfs4000-229D58# more Privileged Exec Mode Commands Displays files on the device’s file system. This command navigates and displays specific files in the device’s file system. Provide the complete path to the file more . The more command also displays the startup configuration file.
3 The no commands have their own set of parameters that can be reset. These parameters depend on the context in which the command is being used.
3 no captive-portal client [captive-portal |] {on } no captive-portal client Disconnects captive portal clients from the network captive-portal Disconnects captive portal clients • – Specify the captive portal name. on Disconnects a specified client – Specify the client’s MAC address. • Optional.
3 trace The following command is common to the ‘ssm’ and ‘wireless’ parameters: trace – Traces SSM or wireless related services • Configures the pattern to match pattern {| on } • – Optional. Specify the pattern to ignore. Reverses the match pattern specified. • on – Optional. Matches the specified pattern on specified device. • – Specify the name of the AP, wireless controller, or service platform.
3 no mac-user-db user [|all] no mac-user-db user Deletes a specified user or all users from the MAC registration user database This command is available only on the NX9000 series service platforms. Deletes the user, identified by the keyword, from the MAC registration user database • – Specify the username. all Deletes all users from the MAC registration user database no raid locate no raid locate Disables flashing of LEDs on RAID drives.
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: page Parameters None Example rfs7000-37FABE#page rfs7000-37FABE# Related Commands: no Disables controller paging ping Privileged Exec Mode Commands Sen
3 dont-fragment {count|size} Optional. Sets the dont-fragment bit in the ping packet. Packets with the dont-fragment bit specified, are not fragmented. When a packet, with the dont-fragment bit specified, exceeds the specified Maximum Transmission Unit (MTU) value, an error message is sent from the device trying to fragment it. • count <1-10000> – Sets the pings to the specified destination from 1 - 10000. The default is 5. • size – <1-64000> – Sets the size of ping payload size from 1 - 64000 bytes.
3 drwx drwx drwx drwx drwx drwx drwx drwx -rw- 176128 Sat Wed Fri Wed Sat Sat Sat Sat Fri Jan Jan Feb Jan Jan Jan Jan Jan Feb 1 16 15 16 1 1 1 1 15 00:00:08 22:26:53 14:50:49 22:57:14 00:00:08 00:00:09 00:00:09 00:00:09 14:32:51 2000 2013 2013 2013 2000 2000 2000 2000 2013 cache crashinfo testdir archived_logs upgrade hotspot floorplans startuplog out.
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: reload reload reload reload reload reload {cancel|force|in|on} {on } {cancel|force} {on } {in <1-999>} {list
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: rename Parameters rename Specify the file to rename.
3 rmdir Privileged Exec Mode Commands Deletes an existing directory from the file system (only empty directories can be removed) Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS95
3 drwx -rw- 176128 Sat Jan 1 00:00:09 2000 Fri Feb 15 14:32:51 2013 startuplog out.
3 ssh Specify the remote systems’s IP address or hostname. Specify the name of the user requesting the SSH connection. Usage Guidelines: To exit the other device’s context, use the command that is relevant to that device. Example rfs7000-37FABE#ssh 172.16.10.8 admin admin@172.16.10.
3 terminal Privileged Exec Mode Commands Sets the number of characters per line, and the number of lines displayed within the terminal window Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade M
3 Syntax: time-it Parameters time-it time-it Verifies the time taken by a particular command to execute and provide a result – Specify the command name. • Example rfs7000-37FABE#time-it config terminal Enter configuration commands, one per line. That took 0.00 seconds.. rfs7000-37FABE(config)# End with CNTL/Z.
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: upgrade [|] {background|on } Parameters upgrade [|] {background|on } Specify the target firmware i
3 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: upgrade-abort {on } Parameters upgrade-abort {on } upgrade-abort Aborts an ongoing software image upgrade
3 exit Privileged Exec Mode Commands Ends the current CLI session and closes the session window For more information, see exit.
3 virtual-machine assign-usb-ports team-vowlan {on } assign-usb-ports team-vowlan Assigns USB ports to TEAM-VoWLAN on a specified device on – Optional. Specify the device name. Use the no > virtual-machine > assign-usb-ports to reassign the port to Mobility. TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-VoWLAN.
3 virtual-machine install type [disk|iso disk-size |vm-archive] install-media [||] {autostart|memory|on|vcpus|vif-count|vnc} virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. • – Specify the VM name. • type – Specify the install-media (image) type.
3 virtual-machine install [team-urc|team-rls|team-vowlan] {on } virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process.
3 virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>| vif-count <0-2>|vif-mac |vif-to-vmif | vnc [disable|enable]] [|team-urc|team-rls|team-vowlan] {on } virtual-machine set Configures the VM settings • autostart – Specifies whether to autostart the VM on system reboot • ignore – Enables autostart on each system reboot • start – Disables autostart • memory – Defines the VM memory size • <512-8192> – Specify the V
3 virtual-machine start [|team-urc|team-rls|team-vowlan] {on } virtual-machine start Starts the VM, based on the parameters passed. Select one of the following options: – Starts the VM identified by the keyword. Specify the VM name. team-urc – Starts the VM TEAM-URC team-rls – Starts the VM TEAM-RLS team-vowlan – Starts the VM TEAM-VoWLAN The following keywords are common to all of the above parameters: • on – Optional.
3 virtual-machine console [adsp|team-cmt] virtual-machine console Connects to the ADSP or TEAM-CMT VM’s console, based on the parameters passed. Select one of the following console options: • – Connects to the console of the VM identified by the keyword. Specify the VM name.
3 virtual-machine set memory <512-8192> [adsp|team-cmt] {on } virtual-machine set memory Modifies the ADSP or TEAM-CMT VM’s memory, in MB, based on the parameter passed. Specify a value from 512 - 8192 MB. • on – Optional. Executes the command on a specified device or devices • – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
3 Exporting an installed VM: #virtual-machine export on In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state). nx4500-5CFA2B>virtual-machine install team-urc Virtual Machine install team-urc command successfully sent. nx4500-5CFA2B> NOTE Use the show > virtual-machine > [configuration|debugging|export|statistics] command to view installed VM details.
3 raid [check|install|locate|remove|silence|spare] raid [check|silence] raid [install|locate|remove|spare] drive <0-4> Parameters raid [check|silence] check Starts a consistency check on the RAID array. Use the show > raid command to view consistency check status. A consistency check verifies the data stored in the array. When regularly executed, it helps protect against data corruption, and ensures data redundancy. Consistency checks also warn of potential disk failures.
Chapter GLOBAL CONFIGURATION COMMANDS 4 This chapter summarizes the global-configuration commands in the CLI command structure. The term global indicates characteristics or features effecting the system as a whole. Use the Global Configuration Mode to configure the system globally, or enter specific configuration modes to configure specific elements (such as interfaces or protocols). Use the configure terminal command (under PRIV EXEC) to enter the global configuration mode.
4 help host igmp-snoop-policy inline-password-encryption ip l2tpv3 mac management-policy meshpoint meshpoint-qos-policy mint-policy nac-list no nx45xx nx65xx nx9000 passpoint-policy password-encryption profile radio-qos-policy radius-group radius-server-policy radius-user-pool-policy rename rf-domain rfs4000 rfs6000 rfs7000 role-policy routing-policy self smart-cache-policy smart-rf-policy url-list wips-policy wlan wlan-qos-policy write clrscr commit do end exit revert service show Description of the inte
4 Global Configuration Commands Table 2 summarizes the Global Configuration commands.
4 TABLE 2 Global Config Commands Command Description Reference nac-list Configures a network ACL page 259 no Negates a command or sets its default page 263 passpoint-policy Creates a new passpoint policy and enters its configuration mode page 270 password-encryption Enables password encryption page 271 profile Configures profile related commands page 272 radio-qos-policy Configures a radio qos policy page 277 radius-group Configures a RADIUS group page 278 radius-server-policy Con
4 Configures an Authentication, Accounting, and Authorization (AAA) policy. This policy configures multiple servers for authentication and authorization. Up to six servers can be configured for providing AAA services.
4 NOTE For more information on the AAA policy commands, see Chapter 8, AAA-POLICY. aaa-tacacs-policy Global Configuration Commands Configures AAA Terminal Access Controller Access-Control System (TACACS) policy. This policy configures multiple servers for authentication and authorization. A TACACS Authentication server should be configured when the server preference is authenticated server.
4 NOTE For more information on the AAA-TACACS policy commands, see Chapter 26, AAA-TACACS-POLICY. advanced-wips-policy Global Configuration Commands Configures an advanced Wireless Intrusion Prevention System (WIPS) policy. WIPS prevents unauthorized access to a network.
4 NOTE For more information on WIPS, see Chapter 10, ADVANCED-WIPS-POLICY. alias Global Configuration Commands Configures network, VLAN, host, string, and network-service aliases Aliases are objects having a unique name and content that is determined by the alias type (network, VLAN, and network-service).
4 • network-group alias – Maps a name to a single or a range of addresses of devices, hosts, and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20. A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries, and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be created.
4 alias network alias network-group [address-range|host|network] alias network-group [address-range to { to }|host {}| network {}] alias network-service proto [<0-254>||eigrp|gre| igmp|igp|ospf|vrrp] {(<1-65535>||bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp| n
4 alias network-group [address-range to { to }|host {}| network {}] network Creates a network-group alias • – Specify the network-group alias name. Alias name should begin with ‘$’. The network-group aliases are used in ACLs, to define the network-specific components.
4 proto [<0-254>| |eigrp|gre| igmp|igp|ospf|vrrp] Use one of the following options to associate an Internet protocol with this network-service alias: • <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocol’s (UDP) designated number is 17. • – Identifies the protocol by its name.
4 alias vlan <1-4094> alias vlan Creates a VLAN alias identified by the keyword – Specify the VLAN alias name. Alias name should begin with ‘$’. <1-4094> Maps the VLAN alias to a VLAN ID • <1-4094> – Specify the VLAN ID from 1 - 4094. • Example rfs4000-229D58(config)#alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13 rfs4000-229D58(config)# rfs4000-229D58(config)#alias network $TestNetworkAlias 192.168.13.
4 rfs4000-229D58(config)# Example 1: rfs4000-229D58(config)# alias network-group $test host 192.168.1.10 192.168.1.11 rfs4000-229D58(config)# alias network-group $test network 192.168.2.0/24 192.168.3.0/24 rfs4000-229D58(config)# alias network-group $test address-range 192.168.4.10 to 192.168.4.20 In the preceding example, the network-group alias ‘$test’ includes hosts 192.168.1.10 and 192.168.1.11, networks 192.168.2.0/24 and 192.168.3.0/24 and address-range 192.168.4.10 to 192.168.4.20.
4 Related Commands: no Removes an existing network, VLAN, service, or string alias br650 Global Configuration Commands Adds an Brocade Mobility 650 Access Point to the network. If a profile for the AP is not available, a new profile is created.
4 Supported in the following platforms: • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: br6511 Parameters br6511 Specify the Brocade Mobility 6511 Access Point’s MAC address.
4 Parameters br1220 Specify the Brocade Mobility 1220 Access Point’s MAC address.
4 rfs7000-37FABE(config-device-00-23-68-99-BF-A8)# rfs7000-37FABE(config)#show wireless br configured -------------------------------------------------------------------------------------IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY -------------------------------------------------------------------------------------1 br7131-889EC4 00-15-70-88-9E-C4 default-br7131 default un-adopted 5 br650-3481BC 5C-0E-8B-34-81-BC default-br650 default un-adopted 6 br6511-08456A 5C-0E-8B-08-45-6A default-br6511 default un-adop
4 IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY ----------------------------------------------------------------------------------------1 br7131-889EC4 00-15-70-88-9E-C4 default-br7131 default un-adopted 5 br650-3481BC 5C-0E-8B-34-81-BC default-br650 default un-adopted 6 br6511-08456A 5C-0E-8B-08-45-6A default-br6511 default un-adopted 8 br1220-7BF224 5C-0E-8B-7B-F2-24 default-br1220 default un-adopted 11 br7131-99BFA8 00-23-68-99-BF-A8 default-br71xx default un-adopted 12 br8132-BEF116 C4-01-FA-BE-F1-16 defaul
4 1 br7131-889EC4 00-15-70-88-9E-C4 default-br7131 default un-adopted 5 br650-3481BC 5C-0E-8B-34-81-BC default-br650 default un-adopted 6 br6511-08456A 5C-0E-8B-08-45-6A default-br6511 default un-adopted 8 br1220-7BF224 5C-0E-8B-7B-F2-24 default-br1220 default un-adopted 11 br7131-99BFA8 00-23-68-99-BF-A8 default-br71xx default un-adopted 12 br8132-BEF116 C4-01-FA-BE-F1-16 default-br81xx default un-adopted -------------------------------------------------------------------------------------rfs7000-37FABE(co
4 do end exit help revert service show write Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-assoc-acl-test)# Related Commands: no Resets values or disables commands NOTE For more information on the association-acl-policy, see Chapter 11, ASSOCIATION-ACL-POLICY.
4 clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-auto-provisioning-policy-test)# Related Commands: no Removes an existing Auto Provisioning p
4 Captive portals use a Web provisioning tool to create guest user accounts directly on the controller, service platform, or access point. The connection medium defined for the Web connection is either HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure to disseminate information to and from requesting wireless clients.
4 clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-captive-portal-test)# Related Commands: no Removes an existing captive portal captive-porta
4 Command Description Reference webpage-auto-uploa d Enables automatic upload of advanced Web pages on a captive portal page 200 webpage-location Specifies the location of Web pages used for captive portal authentication page 201 clrscr Clears the display screen page 385 commit Commits (saves) changes made in the current session page 386 end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help D
4 Related Commands: no Reverts to the default permitted access time (1440 minutes) access-type captive-portal-mode commands Defines the captive portal’s access type Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Serv
4 When enabled, accounting for clients entering and exiting the captive portal is initiated. Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data. This data includes information, such as start and stop times, executed commands (such as PPP), number of packets and number of bytes transmitted etc. Accounting enables tracking of captive portal services consumed by clients.
4 Related Commands: no Disables accounting records for this captive portal bypass captive-portal-mode commands Enables bypassing of captive portal detection requests from wireless clients Certain devices, such as Apple IOS devices send Captive Network Assistant (CNA) requests to detect existence of captive portals. When enabled, the bypass option does not allow CNA requests to be redirected to the captive portal pages.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: connection-mode [http|https] Parameters connection-mode [http|https] http Sets HTTP as the default connection mode. This is the default setting.
4 custom-auth info info Configures information used for RADIUS lookup when custom-auth RADIUS access type is configured – Guest data needs to be provided. Specify the name, e-mail address, and telephone number of the user. • Example rfs7000-37FABE(config-captive-portal-test)#custom-auth info bob, bob@motorolasolutions.com rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 custom-auth info bob,\ bob@motorolasolutions.
4 Example rfs7000-37FABE(config-captive-portal-test)#data-limit 200 action log-and-disconnect rfs7000-37FABE(config-captive-portal-test)# rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test data-limit 200 action log-and-disconnect rfs7000-37FABE(config-captive-portal-test)# Related Commands: no Removes data limit enforcement for captive portal clients inactivity-timeout captive-portal-mode commands Defines an inactivity timeout in seconds.
4 logout-fqdn captive-portal-mode commands Configures the Fully Qualified Domain Name (FQDN) address to logout of the session from the client Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade M
4 no [access-time|access-type|accounting|bypass|connection-mode|custom-auth|data-l imit| inactivity-timeout|logout-fqdn|post-authentication-vlan|radius-vlan-assignmen t| redirection|server|simultaneous-users|terms-agreement|use|webpage| webpage-auto-upload|webpage-location] no [access-time|access-type|connection-mode|data-limit|inactivity-timeout| logout-fqdn|post-authentication-vlan|radius-vlan-assignment|simultaneous-user s| terms-agreement|webpage-auto-upload|webpage-location] no accounting [radius|syslo
4 no webpage-auto-upload Disables automatic upload of advanced Web pages on a captive portal no webpage-location Resets the use of custom Web pages for login, welcome, terms, and failure page. The default is automatically created Web pages.
4 no-service Resets the no-service page settings. The no-service Web page is displayed when critical services (such as, AAA server, captive portal server, DHCP server, and AP to controller connectivity) are not reachable and the user cannot access the captive portal.
4 The following example shows the captive portal ‘test’ settings after the ‘no’ commands are executed: rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob,\ bob@motorolasolutions.
4 Syntax: post-authentication-vlan <1-4096> Parameters post-authentication-vlan <1-4096> post-authentication-vlan <1-4096> Assigns a VLAN for this captive portal’s users after they have authenticated and logged on to the network • <1-4096> – Specify the VLAN’s number from 1 - 4096.
4 rfs4000-229D58(config-captive-portal-test)#show context captive-portal test post-authentication-vlan 1 radius-vlan-assignment rfs4000-229D58(config-captive-portal-test)# Related Commands: no Disables assignment of a RADIUS VLAN for this captive portal post-authentication-vlan Assigns a post authentication RADIUS VLAN for this captive portal’s users redirection captive-portal-mode commands Enables redirection of client connections to specified destination ports Supported in the following platforms: •
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: server [host|mode] server host server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}| self] Parameters server ho
4 simultaneous-users captive-portal-mode commands Specifies the number of MAC addresses that can simultaneously use a particular username. This option is disabled by default.
4 • Service Platforms — Brocade Mobility RFS9510 Syntax: terms-agreement Parameters None Example rfs7000-37FABE(config-captive-portal-test)#terms-agreement rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob,\ bob@motorolasolutions.com connection-mode https inactivity-timeout 750 server host 172.16.10.
4 use [aaa-policy |dns-whitelist ] aaa-policy Configures a AAA policy with this captive portal. AAA policies validate user credentials and provide captive portal access to the network. • – Specify the AAA policy name. dns-whitelist Configures a DNS whitelist to use with this captive portal. DNS whitelists restrict captive portal access. – Specify the DNS whitelist name.
4 • welcome – This page is displayed to welcome an authenticated user to the captive portal. These Web pages, which interact with captive portal users, can be located either on the controller or an external location.
4 no-service Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The no-service page asserts the captive portal service is temporarily unavailable due to technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal.
4 description Indicates the content is the description portion of each of the following internal Web pages: acknowledgment, agreement, fail, login, no-service, and welcome footer Indicates the content is the footer portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The footer portion contains the signature of the organization that hosts the captive portal.
4 org-signature Specifies the company’s signature information, included in the bottom of Web pages along with a small image Specify the company’s name or signature depending on the option selected. Example rfs7000-37FABE(config-captive-portal-test)#webpage external fail http://www.motorolasolutions.com rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob,\ bob@motorolasolutions.
4 rfs7000-37FABE(config-captive-portal-test)#show context captive-portal test webpage-auto-upload logout-fqdn logout.testuser.
4 server host 172.16.10.
4 2013-01-28 19:56:31 rfs4000-229D58 SYSTEM UI_USER_AUTH_SUCCESS UI user 'admin' from: '192.168.100.173' authentication successful 2013-01-27 20:15:20 rfs4000-229D58 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.204' 2013-01-27 20:14:45 rfs4000-229D58 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh' 2013-01-27 19:53:25 rfs4000-229D58 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.
4 Creates a new client identity and enters its configuration mode. Client identity is a set of unique fingerprints used to identify a class of devices. This information is used to configure permissions and access rules for the identified class of devices in the network. The client-identity feature enables device fingerprinting. Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating from remote computing devices.
4 2. Successful identification of different device types depends on the uniqueness of the configured fingerprints. DHCP fingerprinting identifies clients based on the patterns (fingerprints) in the DHCP discover and request messages sent by clients. If different operating systems have the same fingerprints. it will be difficult to identity the device type. 3.
4 When accessing a network, DHCP discover and request messages are passed between wireless clients and the DHCP server. These messages contain DHCP options and option values that differ from device to device and are based on the DHCP implementation in the device’s operating system (OS). Options and option values contained in a client’s messages are parsed and compared against the configured DHCP option values to identify the device.
4 exact The following keyword is common to the discover and request message types: exact – Specifies that the DHCP options received in the client’s discover/request messages is an exact match with the configured option code string • starts-with The following keyword is common to the ‘discover’ and ‘request’ message types: • starts-with – Specifies that the DHCP options received in the client’s discover/request messages starts with the configured option code string ascii The following keywords a
4 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: dhcp-match-message-type [all|any|discover|request] Parameters dhcp-match-message-type [all|any|discover|request] dhcp-match-message-type [all|any|discover| request] Specifies the DHCP message type to consider for matching • all – Matches all message types: discover and request.
4 no [dhcp <1-16>|dhcp-match-message-type] dhcp <1-16> Removes the DHCP option match criteria rule identified by the <1-16> keyword <1-16> – Specify the DHCP option match criteria rule index • dhcp-match-message-type Removes the DHCP message type to match Example The following example shows the client identity ‘test’ settings before the ‘no’ commands are executed: rfs4000-229D58(config-client-identity-test)#show context client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c2
4 A client identity group is a collection of client identities. Each client identity included in a client identity group is set a priority value that indicates the priority for that identity when device fingerprinting. Device Fingerprinting relies on specific information sent by a wireless client when acquiring IP address and other configuration information from a DHCP server.
4 rfs4000-229D58(config-client-identity-group-test)# client-identity-group-mode commands client-identity-group The following table summarizes a new client identity group configuration mode commands.
4 client-identity TestClientIdentity dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f ! client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 dhcp 1 message-type request option 60 exact ascii MSFT5.
4 dhcp 10 message-type request option 55 exact hexstring 01792103060f1c333a3b77 dhcp 11 message-type request option 55 exact hexstring 01792103060f1c2c333a3b77 dhcp 12 message-type request option 60 exact ascii "dhcpcd 4.0.15" ! client-identity Android-3 dhcp 4 message-type request option 55 exact hexstring 012103061c333a3b dhcp 5 message-type request option 60 starts-with ascii dhcpcd-5.2.
4 ! client-identity Windows-8 dhcp 1 message-type request option 55 exact hexstring 010f03062c2e2f1f2179f9fc2b dhcp 5 message-type request option 60 exact ascii "MSFT 5.0" ! client-identity Windows-Phone-7-5 dhcp 11 message-type request option 55 exact hexstring 0103060f2c2e2f dhcp 12 message-type request option-codes exact hexstring 3536323d37 ! client-identity Windows-XP dhcp 4 message-type request option 55 exact hexstring 010f03062c2e2f1f21f92b dhcp 5 message-type request option 60 exact ascii "MSFT 5.
4 Syntax: no client-identity Parameters no client-identity no client-identity Disassociates a specified client identity from this client identity group • – Specify the client identity name.
4 clone TLO TLO Creates a new TLO by cloning an existing top-level object. The new object has the same configuration as the cloned object. • – Specify the existing object’s (to be cloned) name • – Provide the new object’s name. NOTE: Enter clone and press Tab to list objects available for cloning.
4 customize [hostname-column-width|show-wireless-client|show-wireless-client-stats| show-wireless-client-stats-rf|show-wireless-meshpoint| show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats -rf| show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf] customize hostname-column-width <1-64> customize show-wireless-client (br-name <1-64>,auth,client-identity <1-32>,bss,enc, hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id, radio-type,
4 customize hostname-column-width <1-64> hostname-column-width <1-64> Configures default width of the hostname column in all show commands <1-64> – Sets the hostname column width from 1 - 64 characters • customize show-wireless-client (br-name <1-64>,auth,client-identity <1-32>, bss,enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>, radio-id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan) show-wireless-client Customizes the show wireless client command output br-n
4 rx-bytes Includes the rx-bytes column, which displays the total number of bytes received by the wireless client rx-errors Includes the rx-error column, which displays the total number of errors received by the wireless client rx-packets Includes the rx-packets column, which displays the total number of packets received by the wireless client rx-throughput Includes the rx-throughput column, which displays the receive throughput at the wireless client tx-bytes Includes the tx-bytes column, which di
4 is-root Includes the is-root column, which displays the current root state of the meshpoint mesh-name <1-64> Includes the mesh-name column, which displays the meshpoint’s name • <1-64> – Sets the mesh-name column width from 1 - 64 characters mpid Includes the mpid column, which displays the meshpoint identifier in the AA-BB-CC-DD-EE-FF format next-hop-hostname <1-64> Includes the next-hop-hostname column, which displays the next-hop AP’s name (the AP next in the path to the bound root) • <1-64> – S
4 average-retry-number Includes the average-retry-number column, which displays the average number of retransmissions made per packet.
4 radio-mac Includes the radio-mac column, which displays the radio’s base MAC address rx-bytes Includes the rx-bytes column, which displays the total number of bytes received by the radio rx-errors Includes the rx-error column, which displays the total number of errors received by the radio rx-packets Includes the rx-packets column, which displays the total number of packets received by the radio rx-throughput Includes the rx-throughput column, which displays the receive throughput at the radio t
4 The following examples demonstrate how to customize the show > wireless > meshpoint command output.
4 -------------------------------------------------------------------------------------------------------------------------------------MESH HOSTNAME HOPS IS-ROOT CONFIG-AS-ROOT ROOT-HOSTNAME ROOT-BOUND-TIME NEXT-HOP-HOSTNAME NEXT-HOP-USE-TIME -------------------------------------------------------------------------------------------------------------------------------------c00466 br7131-96F998 1 NO NO br7131-96FAAC 1 days 02:10:40 br7131-96FAAC 1 days 02:10:40 c00466 br7131-96FAAC 0 YES YES N/A N/A N/A N/A
4 br650 Optional. Filters out devices other than Brocade Mobility 650 Access Points br6511 Optional. Filters out devices other than Brocade Mobility 6511 Access Points br1220 Optional. Filters out devices other than Brocade Mobility 1220 Access Points br71xx Optional. Filters out devices other than Brocade Mobility 71XX Access Points rfs4000 Optional. Filters out devices other than Brocade Mobility RFS4000s rfs6000 Optional.
4 device-categorization device-categorization Configures a device categorization list Proper classification and categorization of devices (access points, clients etc.) helps suppress unnecessary unauthorized access point alarms, allowing network administrators to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.
4 rfs7000-37FABE(config-device-categorization-rfs7000)# Related Commands: no Removes an existing device categorization list device-categorization-mode commands device-categorization The following table summarizes device categorization configuration commands.
4 mark-device <1-1000> [sanctioned|neighboring] br {mac |ssid {mac }} <1-1000> Configures the device categorization entry index number sanctioned Marks a device as sanctioned. A sanctioned device is authorized to use network resources. neighboring Marks a device as neighboring. A neighboring device is a neighbor in the same network as this device. br {mac | ssid } • • Marks a specified AP as sanctioned or neighboring based on its MAC address or SSID mac – Optional.
4 no mark-device <1-1000> [sanctioned|neighboring] br {mac |ssid {mac }} Parameters no mark-device <1-1000> [sanctioned|neighboring] br {mac |ssid {mac }} no mark-device Removes a device from the marked devices list <1-1000> Specify the mark device entry index.
4 Configures DHCP server policy parameters, such as class, address range, and options. A new policy is created if it does not exist.
4 dns-whitelist Global Configuration Commands Configures a DNS whitelist. A DNS whitelist is a list of domains allowed access to the network. The following table lists DNS Whitelist configuration mode commands. Command Description Reference dns-whitelist Creates a DNS whitelist and enters its configuration mode page 231 dns-whitelist-mode commands Summarizes DNS whitelist configuration mode commands page 232 dns-whitelist dns-whitelist Configures a DNS whitelist.
4 Related Commands: no Removes an existing DNS Whitelist dns-whitelist-mode commands dns-whitelist The following table summarizes DNS Whitelist configuration mode commands.
4 Example rfs7000-37FABE(config-dns-whitelist-test)#permit motorolasolutions.com suffix rfs7000-37FABE(config-dns-whitelist-test)#show context dns-whitelist test permit motorolasolutions.
4 end Global Configuration Commands Ends and exits the current mode and moves to the PRIV EXEC mode The prompt changes to the PRIV EXEC mode.
4 Event system policies enable administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administrated in respect to specific sets of client association, authentication or encryption, and performance events.
4 event-system-policy-mode commands event-system-policy The following table summarizes event system policy configuration mode commands.
4 diag dot11 dot1x fwu isdn l2tpv3 licmgr mesh mgmt nsm pm radconf radio smrt smtpnot system test vrrp test wips Diag module 802.11 management module 802.
4 br Configures AP event messages adopted – Event AP adopted message adopted-to-controller – Event AP adopted to wireless controller message br-adopted – Event access port adopted message br-autoup-done – Event AP autoup done message br-autoup-fail – Event AP autoup fail message br-autoup-needed – Event AP autoup needed message br-autoup-no-need – Event AP autoup not needed message br-autoup-reboot – Event AP autoup reboot message br-autoup-timeout – Event AP autoup timeout messag
4 certmgr cfgd cluster crm dhcpsvr Configures certificate manager related event messages ca-cert-actions-failure – Event CA certificate actions failure message ca-cert-actions-success – Event CA certificate actions success message ca-key-actions-failure – Event CA key actions failure message ca-key-actions-success – Event CA key actions success message cert-expiry – Event certificate expiry message crl-actions-failure – Event Certificate Revocation List (CRL) actions failure m
4 diag Configures diagnostics module related event messages • autogen-tech-sprt – Event autogen technical support message • buf-usage – Event buffer usage message • cpu-load – Event CPU load message • cpu-usage-too-high – Event CPU usage high message • cpu-usage-too-high-recovery – Event recovery from high CPU usage message • disk-usage – Event disk usage message • elapsed-time – Event elapsed time message • fan-underspeed – Event fan underspeed message • fd-count – Event forwar
4 dot11 Configures 802.
4 isdn Configures file Integrated Service Digital Network (ISDN) module related event messages • isdn-alert – Event ISDN alert message • isdn-crit – Event ISDN critical message • isdn-debug – Event ISDN debug message • isdn-emerg – Event ISDN emergency message • isdn-err – Event ISDN error message • isdn-info – Event ISDN info message • isdn-notice – Event ISDN notice message • isdn-warning – Event ISDN warning message l2tpv3 Configures L2TPv3 related event messages • l2tpv3-t
4 nsm pm radconf radio smrt Configures Network Service Module (NSM) related event message dhcpc-err – Event DHCP certification error message dhcpdefrt – Event DHCP defrt message dhcpip – Event DHCP IP message dhcpipchg – Event DHCP IP change message dhcpipnoadd – Event DHCP IP overlaps static IP address message dhcplsexp – Event DHCP lease expiry message dhcpnak – Event DHCP server returned DHCP NAK response dhcpnodefrt – Event interface no default route message if-failback –
4 smtpnot system test vrrp Configures SMTP module related event messages cfg – Event cfg message cfginc – Event cfg inc message net – Event net message proto – Event proto message smtpauth – Event SMTP authentication message smtperr – Event SMTP error message smtpinfo – Event SMTP information message • • • • • • • Configures system module related event messages clock-reset – Event clock reset message cold-start – Event cold start message config-commit – Event configuration co
4 snmp Logs an SNMP event syslog Logs an event to syslog default Performs the default action for the event off Switches the event off, when the event happens, and no action is performed on Switches the event on, when the event happens, and the configured action is taken Example rfs7000-37FABE(config-event-system-policy-event-testpolicy)#event aaa radius-discon-msg email on forward-to-switch default snmp default syslog default rfs7000-37FABE(config-event-system-policy-ev
4 Example rfs7000-37FABE(config-event-system-policy-TestPolicy)#event br adopted syslog default rfs7000-37FABE(config-event-system-policy-TestPolicy)# rfs7000-37FABE(config-event-system-policy-TestPolicy)#no event br adopted syslog rfs7000-37FABE(config-event-system-policy-TestPolicy)# Related Commands: event Configures the action taken for each event firewall-policy Global Configuration Commands Configures a firewall policy.
4 stateful-packet-inspection-l2 storm-control virtual-defragmentation clrscr commit do end exit help revert service show write Enable stateful packet inspection in layer2 firewall Storm-control Enable virtual defragmentation for IPv4 packets (recommended for proper functioning of firewall) Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help syste
4 Syntax: global-association-list Parameters global-association-list Map this global association list to a device (controller) or a controller profile.Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use.
4 ip access-list BROADCAST-MULTICAST-CONTROL .............................................................................
4 host Parameters host Specify the device’s hostname. All discovered devices are displayed when ‘Tab’ is pressed to auto complete this command. Example rfs7000-37FABE(config)#host rfs7000-37FABE rfs7000-37FABE(config-device-00-04-96-42-14-79)# inline-password-encryption Global Configuration Commands Stores the encryption key in the startup configuration file By default, the encryption key is not stored in the startup-config file.
4 This command moves the same password to the startup-config and encrypts it with the master key. Related Commands: no Disables storing of the encryption key in the startup configuration file ip Global Configuration Commands Configures IP access control lists Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.
4 rfs7000-37FABE(config-ip-acl-test)# Related Commands: no Removes an IP access control list NOTE For more information on Access Control Lists, see Chapter 12, ACCESS-LIST. l2tpv3 Global Configuration Commands Configures a Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunnel policy, used to create one or more L2TPv3 tunnels. The L2TPv3 policy defines the control and encapsulation protocols needed for tunneling layer 2 frames between two IP nodes.
4 no reconnect-attempts reconnect-interval retry-attempts retry-interval rx-window-size tx-window-size clrscr commit end exit help revert service show write control connection Negate a command or set its defaults Maximum number of attempts to reestablish the tunnel.
4 Syntax: mac access-list Parameters mac access-list access-list Configures a MAC access control list • – Specify the ACL name. If the access control list does not exist, it is created.
4 Syntax: management-policy Parameters management-policy Specify the management policy name. If the policy does not exist, it is created.
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: meshpoint [|containing ] Parameters meshpoint [|containing ]
4 NOTE For more information on Meshpoint configuration, see Chapter 27, MESHPOINT meshpoint-qos-policy Global Configuration Commands Configures a set of parameters that defines the meshpoint quality of service (QoS) policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000,
4 NOTE For more information on meshpoint QoS policy configuration, see Chapter 27, MESHPOINT mint-policy Global Configuration Commands Configures the global MiNT policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 •
4 NOTE For more information on MiNT policy configuration, see Chapter 15, MINT-POLICY. nac-list Global Configuration Commands A Network Access Control (NAC) policy configures a list of devices that can access a network based on their MAC addresses. The following table lists NAC list configuration mode commands.
4 help revert service show write Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-nac-list-test)# Related Commands: no Removes a NAC list nac-list-mode commands nac-list The following table summarizes NAC list configuration mode commands.
4 Parameters exclude [ precedence <1-1000>|precedence <1-1000>] Specifies a range of MAC addresses or a single MAC address to exclude from the NAC enforcement list • – Specify the first MAC address in the range. NOTE: Use this parameter to specify a single MAC address. precedence <1-1000> Specifies the last MAC address in the range (optional if a single MAC is added to the list) • – Specify the last MAC address in the range.
4 exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2 rfs7000-37FABE(config-nac-list-test)# no nac-list-mode commands Cancels an exclude or include NAC list rule Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000,
4 nac-list test include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2 rfs7000-37FABE(config-nac-list-test)# Related Commands: exclude Specifies MAC addresses excluded from the NAC enforcement list include Specifies MAC addresses included in the NAC enforcement list no Global Configuration Commands Negates a command, or reverts configured settings to their default Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mo
4 no device {containing } {(filter type [br650|br6511|br1220|br71xx|br81xx])} no customize [hostname-column-width|show-wireless-client|show-wireless-client-stats| show-wireless-client-stats-rf|show-wireless-meshpoint|show-wireless-meshpoint neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|show-wireless-radio| show-wireless-radio-stats|show-wireless-radio-stats-rf] no password-encryption secret 2 no profile {br650|br6511|br1220|br71xx|br81xx| containing|filter} no wlan [
4 no firewall-policy Deletes the specified firewall policy no global-association-policy Deletes the specified global association policy no inline-password-encryption Disables storing of the encryption key in the startup configuration file no ip access-list Deletes the specified IP access list no l2tpv3 policy Deletes the specified L2TPv3 policy no mac access-list Deletes the specified MAC access list no
4 no alias [address-range |host | network |network-group [address-range|host|network]|network-service | vlan ] no alias Removes an existing network, VLAN, or service alias. Select the alias type. The options are: network, vlan, and service.
4 containing Optional. Removes devices with hostname containing the substring specified by the keyword filter type • Optional. Filters devices based on the device type selected type – Select the access point or wireless controller type.
4 advanced-wips-policy Delete an advanced-wips policy alias Alias br650 Delete an Brocade Mobility 650 Access Point access point br6511 Delete an Brocade Mobility 6511 Access Point access point br1220 Delete an Brocade Mobility 1220 Access Point access point br71xx Delete an Brocade Mobility 71XX Access Point access point br81xx Delete an Brocade Mobility 1240 Access Point access point ap82xx Delete an AP82XX access point association-acl-policy Delete an association-acl policy auto-provisioning-policy Delet
4 service Service Commands rfs7000-37FABE(config)# nx4500-5CFA2B(config)#no ? aaa-policy Delete a aaa policy aaa-tacacs-policy Delete a aaa tacacs policy advanced-wips-policy Delete an advanced-wips policy alias Alias br650 Delete an Brocade Mobility 650 Access Point access point br6511 Delete an Brocade Mobility 6511 Access Point access point br1220 Delete an Brocade Mobility 1220 Access Point access point br71xx Delete an Brocade Mobility 71XX Access Point access point br81xx Delete an Brocade Mobility
4 smart-cache-policy smart-rf-policy url-list wips-policy wlan wlan-qos-policy Delete Delete Delete Delete Delete Delete a a a a a a content caching smart-rf-policy URL list wips policy wlan object wireless lan QoS configuration policy service Service Commands nx4500-5CFA2B(config)# passpoint-policy Global Configuration Commands Creates a new passpoint policy and enters its configuration mode The passpoint policy implements the Hotspot 2.
4 ip-address-type nai-realm net-auth-type no operator roam-consortium venue wan-metrics Configure the advertised ip-address-type Configure a NAI realm for the hotspot Add a network authentication type to the hotspot Negate a command or set its defaults Add configuration related to the operator of the hotspot Add a roam consortium for the hotspot Set the venue parameters of the hotspot Set the wan-metrics of the hotspot clrscr Clears the display screen commit Commit all changes made in this session do Run
4 nx6500-31FABE(config)#password-encryption secret 2 symbol nx6500-31FABE(config)# Related Commands: no Disables password encryption profile Global Configuration Commands Configures profile related commands. If no parameters are given, all profiles are selected.
4 profile {containing } {filter type [br650|br6511| br1220|br71xx|br81xx|rfs4000|rfs6000|rfs7000]} profile Configures device profile commands containing Optional. Configures profiles that contain a specified sub-string in the hostname • – Specify a substring in the profile name to filter profiles. filter type Optional. An additional filter used to configure a specific type of device profile.
4 autogen-uniqueid autoinstall bridge captive-portal cdp cluster configuration-persistence controller critical-resource crypto device-upgrade dot1x dscp-mapping email-notification enforce-version environmental-sensor events export floor gre http-analyze interface ip l2tpv3 l3e-lite-table led legacy-auto-downgrade legacy-auto-update lldp load-balancing logging mac-address-table mac-auth memory-profile meshpoint-device meshpoint-monitor-interval min-misconfiguration-recovery-time mint misconfiguration-reco
4 preferred-controller-group preferred-tunnel-controller radius rf-domain-manager router spanning-tree tunnel-controller use vrrp wep-shared-key-auth clrscr commit do end exit help revert service show write Controller group this system will prefer for adoption Tunnel Controller Name this system will prefer for tunneling extended vlan traffic Configure device-level radius authentication parameters RF Domain Manager Dynamic routing Spanning tree Tunnel Controller group this controller belongs to Set settin
4 crypto device-upgrade dot1x dscp-mapping email-notification enforce-version environmental-sensor events export floor gre http-analyze interface ip l2tpv3 l3e-lite-table led legacy-auto-downgrade legacy-auto-update lldp load-balancing logging mac-address-table mac-auth memory-profile meshpoint-device meshpoint-monitor-interval min-misconfiguration-recovery-time mint misconfiguration-recovery-time neighbor-inactivity-timeout neighbor-info-interval no noc ntp power-config preferred-controller-group preferr
4 spanning-tree tunnel-controller use vrrp wep-shared-key-auth clrscr commit do end exit help revert service show write Spanning tree Tunnel Controller group this controller belongs to Set setting to use VRRP configuration Enable support for 802.
4 Example rfs7000-37FABE(config)#radio-qos-policy test rfs7000-37FABE(config-radio-qos-test)#? Radio QoS Mode commands: accelerated-multicast Configure multicast streams for acceleration admission-control Configure admission-control on this radio for one or more access categories no Negate a command or set its defaults smart-aggregation Configure smart aggregation parameters wmm Configure 802.
4 Example rfs7000-37FABE(config)#radius-group testgroup rfs7000-37FABE(config-radius-group-testgroup)#? Radius user group configuration commands: guest Make this group a Guest group no Negate a command or set its defaults policy Radius group access policy configuration rate-limit Set rate limit for group clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current m
4 Example rfs7000-37FABE(config)#radius-server-policy testpolicy rfs7000-37FABE(config-radius-server-policy-testpolicy)#? Radius Configuration commands: authentication Radius authentication chase-referral Enable chasing referrals from LDAP server crl-check Enable Certificate Revocation List( CRL ) check ldap-group-verification Enable LDAP Group Verification setting ldap-server LDAP server parameters local RADIUS local realm nas RADIUS client no Negate a command or set its defaults proxy RADIUS proxy server
4 Parameters radius-user-pool-policy Specify the RADIUS user pool policy name. If the policy does not exist, it is created.
4 rename tlo rename tlo Renames an existing TLO object • – Specify the TLO’s name. This is the TLO that is to be renamed. • – Specify the new name for this TLO Enter rename and press Tab to list top level objects available for renaming.
4 permit ip any any rule-precedence 100 rule-description "permit all IP traffic" ! mac access-list PERMIT-ARP-AND-IPv4 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic" --More-rfs4000-229D58(config) rfs4000-229D58(config)#clone ip_acl BROADCAST-MULTICAST-CONTROL TestIP_CLONED rfs4000-229D58(config)#commit rfs4000-229D58(config)#show context ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.0-018D ! ! version 2.
4 dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f ! client-identity-group ClientIdentityGroup client-identity TestClientIdentity precedence 1 ! ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies" deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios" deny ip any 224.0.0.
4 RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building, or site. Each RF Domain contains policies that set the Smart RF or WIPS configuration. RF Domains also enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of access points servicing the global WLAN.
4 rf-domain {|containing } Parameters rf-domain {|containing } rf-domain Creates a new RF Domain or enters its configuration context Optional. Specify the RF Domain name (should not exceed 32 characters and should represent the intended purpose). Once created, the name cannot be edited. containing Optional.
4 The following table summarises RF Domain configuration commands.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: alias [address-range|host|network|network-group|network-service|string|vlan] alias address-range to al
4 alias host host Creates a host alias for this RF Domain. Or associates an existing host alias with this RF Domain. A host alias maps a name to a single network host. • – Specify the host alias name. Alias name should begin with ‘$’. Associates the network host’s IP address with this host alias – Specify the network host’s IP address.
4 alias network-service proto [<0-254>||eigrp|gre| igmp|igp|ospf|vrrp] {(<1-65535>||bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp| ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|]|ssh|telnet|tftp|www)} alias network-service Creates a network-service alias for this RF Domain. Or associates an existing network-service alias with this RF Domain.
4 alias string alias string Creates a string alias for this RF Domain. Or associates an existing string alias with this RF Domain. String aliases map a name to an arbitrary string value. For example, alias string $DOMAIN test.brocade.com’. In this example, the string alias name is: $DOMAIN and the string value it is mapped to is: test.brocade.com. In this example, the string alias refers to a domain name. • – Specify the string alias name.
4 rfs4000-229D58(config-rf-domain-test)#show context rf-domain test no country-code alias network-service $kerberos proto tcp 749 750 80 alias vlan $TestVLANAlias 10 rfs4000-229D58(config-rf-domain-test)# nx9500-6C8809(config-rf-domain-test)#alias string $test motorolasolutions.com nx9500-6C8809(config-rf-domain-test)#show context rf-domain test no country-code alias string $test motorolasolutions.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: channel-list [2.4GHz|5GHz|dynamic] channel-list dynamic channel-list [2.
4 • Service Platforms — Brocade Mobility RFS9510 Syntax: contact Parameters contact contact Specify contact details, such as name and number. Example rfs7000-37FABE(config-rf-domain-default)#contact Bob+919621212577 rfs7000-37FABE(config-rf-domain-default)#show context rf-domain default contact Bob+919621212577 no country-code channel-list 2.
4 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 control-vlan 1 rfs7000-37FABE(config-rf-domain-default)# Related Commands: no Disables the VLAN designated for controlling RF Domain traffic controller-managed rf-domain-mode commands Configures the adopting controller (wireless controller, access point, or service platform) as this RF Domain’s manager. In other words, the RF Domain is controller managed, and the managing controller is the device managing the RF Domain.
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: country-code Parameters country-code country-code Configures the RF Domain’s country of operation <
4 layout map-location units [feet|meters] {(area |floor )} Parameters layout area {(floor|map-location)} layout Configures the RF Domain’s layout in terms of area, floor, and location on a map area Configures the RF Domain’s area name – Specify the area name. After configuring the RF Domain’s area of functioning, optionally specify the floor name (and number), and/or the map location.
4 Configures the RF Domain’s physical location. The location could be as specific as the building name or floor number. Or it could be generic and include an entire site. The location defines the physical area where a common set of device configurations are deployed and managed by a RF Domain policy.
4 Syntax: mac-name Parameters mac-name mac-name Configures a relevant name for each MAC address Specifies the MAC address – Specify a friendly name for this MAC address to use in events and statistics. • Example rfs7000-37FABE(config-rf-domain-default)#mac-name 11-22-33-44-55-66 TestDevice rfs7000-37FABE(config-rf-domain-default)#show context rf-domain default location SanJose contact Bob+919621212577 country-code in channel-list 2.
4 Parameters no [alias|channel-list|contact|control-vlan|controller-managed|country-code|layo ut| location|mac-name|override-smartrf|override-wlan|sensor-server|stats|timezone | tree-node|use] no alias Removes aliases associated with this RF Domain no channel-list Removes the channel list for the 2.4 GHz and 5.0 GHz bands. Also disables dynamic update of a channel list.
4 rfs7000-37FABE(config-rf-domain-default)#show context rf-domain default contact Bob+919621212577 country-code in layout area Ecospace floor Floor5 map-location www.fiestfloor.
4 override-smartrf channel-list [2.4GHz|5GHZ] override-smartrf Enables dynamic channel switching for Smart RF radios channel-list Configures a list of channels for 2.4 GHz and 5.0 GHz Smart RF radios 2.4GHz Selects the 2.4 GHz Smart RF radio channels • – Specify a list of channels separated by commas. 5GHz Selects the 5.0 GHz Smart RF radio channels • – Specify a list of channels separated by commas.
4 overrides-wlan [ssid |vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk ] Configures the WLAN name The name should not exceed 32 characters and should represent the WLAN coverage area. After creating the WLAN, configure its override parameters. ssid Configures a override SSID associated with this WLAN The SSID should not exceed 32 characters.
4 WIPS is not supported on a WLAN basis, rather sensor functionality is supported on the access point radio(s) available to each controller managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz bands. Sensor support requires a Brocade AirDefense WIPS Server on the network. Sensor functionality is not provided by the access point alone.
4 Configures stats settings that define how RF Domain statistics are updated Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: stats [open-window|update-interval] stats
4 Related Commands: no Resets stats related settings timezone rf-domain-mode commands Configures the RF Domain’s geographic time zone. Configuring the time zone is essential for RF Domains deployed across different geographical locations.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: tree-node [campus|city|country|region] {(campus|city|country|region)} Parameters tree-node [campus|city|country|region] {(campus|city|country|region)} tre
4 Related Commands: no Removes the RF Domain’s tree-node configuration use rf-domain-mode commands Enables the use of Smart RF and WIPS with this RF Domain Assigns an existing Wireless IPS (WIPS) policy to the RF Domain A WIPS policy provides protection against wireless threats and acts as a key layer of security complementing wireless VPNs, encryption and authentication. A WIPS policy uses a dedicated sensor for actively detecting and locating rogue AP devices.
4 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor5 map-location www.fiestfloor.
4 Syntax: rfs6000 Parameters rfs6000 Specify the Brocade Mobility RFS6000’s MAC address.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: role-policy Parameters role-policy Specify the role policy name.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: role-policy Parameters role-policy Specify the role policy name.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: self Parameters None Example rfs7000-37FABE(config)#self rfs7000-37FABE(config-device-00-15-70-37-FA-BE)# smart-rf-policy Global Configuration Commands C
4 interference-recovery smart-ocs-monitoring Recover issues due to excessive noise and interference Recover issues due to faulty neighbor radios Negate a command or set its defaults Configure smart-rf sensitivity (Modifies various other smart-rf configuration items) Smart off channel scanning clrscr commit end exit help revert service show write Clears the display screen Commit all changes made in this session End current mode and change to EXEC mode End current mode and down to previous mode Descriptio
4 br-detection enable event history-throttle-duration no signature use Rogue AP detection Enable this wips policy Configure an event Configure the duration for which event duplicates are not stored in history Specify events which will contribute to smart-rf wifi interference calculations Negate a command or set its defaults Signature to configure Set setting to use clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from
4 A WLAN is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. WLANs do not require lining up devices for line-of-sight transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from one access point to another, like a cellular phone system.
4 rfs7000-37FABE(config-wlan-1)#? Wireless LAN Mode commands: accounting acl answer-broadcast-probes association-list authentication-type bridging-mode broadcast-dhcp broadcast-ssid captive-portal-enforcement client-access client-client-communication client-load-balancing controller-assisted-mobility data-rates description downstream-group-addressed-forwarding dynamic-vlan-assignment eap-types encryption-type enforce-dhcp fast-bss-transition http-analyze ip kerberos mac-authentication mac-registration
4 proxy-arp-mode radio-resource-measurement radius relay-agent shutdown ssid time-based-access use vlan vlan-pool-member wep128 wep64 wireless-client wpa-wpa2 clrscr commit do end exit help revert service show write 802.11w) related configuration (DEMO FEATURE) Configure handling of ARP requests with proxy-arp is enabled Configure support for 802.
4 The following table summarizes WLAN configuration mode commands.
4 Command Description Reference relay-agent Enables support for DHCP relay agent information (option 82) feature on this WLAN page 351 shutdown Closes a WLAN page 352 ssid Configures a WLAN’s SSID page 353 time-based-access Configures time-based client access page 354 use Defines WLAN mode configuration settings page 355 vlan Sets VLAN assignment for a WLAN page 357 vlan-pool-member Adds a member VLAN to the pool of VLANs for a WLAN page 358 wep128 Configures WEP128 parameters page
4 accounting [radius|wait-client-ip] accounting syslog [host|mac-address-format] accounting syslog host {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}] accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen| quad-dot] case [lower|upper] Parameters accounting [radius|wait-client-ip] accounting radius Enables support for WLAN RADIUS accounting messages. This option is disabled by default.
4 Example rfs7000-37FABE(config-wlan-test)#accounting syslog host 172.16.10.4 port 2 proxy-mode none rfs7000-37FABE(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none accounting syslog host 172.16.10.4 port 2 rfs7000-37FABE(config-wlan-test)# acl wlan-mode commands Defines the actions taken based on an ACL rule configuration Use the use > ip-access-list to associate an ACL with the WLAN.
4 acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>| disassociate} Parameters acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>| disassociate} acl exceed-rate Sets the actions taken based on an ACL rule configuration (for example, drop a packet) exceed-rate – Action is taken when the rate exceeds a specified value • wireless-client-denied-traf fic <0-1000000> Sets the action to deny traffic to the wireless client when the rate exceeds the spec
4 Example rfs7000-37FABE(config-wlan-1)#answer-broadcast-probes rfs7000-37FABE(config-wlan-1)# association-list wlan-mode commands Attaches an existing global association list with this WLAN. For more information on global association lists, see global-association-list.
4 authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none] Parameters authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none] authentication-type Configures a WLAN’s authentication type The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none. eap Configures EAP authentication (802.1X) EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs.
4 accounting syslog host 172.16.10.
4 • Service Platforms — Brocade Mobility RFS9510 Syntax: broadcast-dhcp validate-offer Parameters broadcast-dhcp validate-offer validate-offer Validates the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air Example rfs7000-37FABE(config-wlan-test)#broadcast-dhcp validate-offer rfs7000-37FABE(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: captive-portal-enforcement {fall-back} Parameters captive-portal-enforcement {fall-back} captive-portal-enforcement
4 None Example rfs7000-37FABE(config-wlan-1)#client-access rfs7000-37FABE(config-wlan-1)# client-client-communication wlan-mode commands Allows frame switching from one client to another on a WLAN This option is enabled by default. It allows clients to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled on that WLAN, clients are not permitted to interoperate.
4 client-load-balancing {allow-single-band-clients [2.4Ghz|5Ghz]| band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>} client-load-balancing {max-probe-req|probe-req-intvl} [2.4Ghz|5Ghz] <0-10000> Parameters client-load-balancing {allow-single-band-clients [2.4Ghz|5Ghz]| band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>} client-load-balancing Configures client load balancing on a WLAN allow-single-band-clients [2.4GHz|5GHz] Optional.
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: controller-assisted-mobility Parameters None Example rfs4000-229D58(config-wlan-test)#controller-assisted-mobility
4 data-rates 5GHz custom [12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18| basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9| basic-mcs-1s|mcs-1s|mcs2s|mcs3s] Parameters data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn] data-rates Specifies the 802.11 rates supported when mapped to a 2.
4 1,11,2,5.5 The following data rates are specific to the 2.4 GHz channel: • 1 – 1-Mbps • 11 – 11-Mbps • 2 – 2-Mbps • 5.5 – 5.5-Mbps [12,18,24,36,48,54,6,9, basic-1,basic-11, basic-12,basic-18, basic-2, basic-36,basic-48, basic-5.5, basic-54,basic-6, basic-9,basic-mcs-1s, mcs-1s,mcs2s,mcs-3s] The following data rates are common to both the 2.4 GHz and 5.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: description Parameters description Specify a WLAN description The WLAN’s description should help differentiate it from others with s
4 Parameters None Example rfs4000-229D58(config-wlan-test)#downstream-group-addressed-forwarding rfs4000-229D58(config-wlan-test)# dynamic-vlan-assignment wlan-mode commands Configures dynamic VLAN assignment on this WLAN Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Br
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)} Parameters eap-types [allow|deny] [aka|all|fast|peap|sim|tls|tt
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: encryption-type [ccmp|keyguard|none|tkip|tkip-ccmp|wep128|web128-keyguard|wep64] Parameters encryption-type [ccmp|k
4 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: enforce-dhcp Parameters None Example rfs7000-37FABE(config-wlan-test)#enforce-dhcp rfs7000-37FABE(config-wlan-test)
4 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: fast-bss-transition Parameters None Example rfs7000-37FABE(config-wlan-test)#fast-bss-transition rfs7000-37FABE(config-wlan-test)# rfs7000-37FABE(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none fast-bss-transition rfs7000-37FABE(config-wlan-test)# http-analyze wlan-mode co
4 http-analyze syslog host {port <1-65535>} {proxy-mode [none| through-controller|through-rf-domain-manager]} syslog host Forwards client and URL information to a syslog server • host – Specify the syslog server’s IP address or hostname port <1-65535> Optional. Specifies the UDP port to connect to the syslog server from 1 - 65535 proxy-mode [none| through-controller| through-rf-domain-manag er] Optional.
4 ip dhcp trust ip dhcp Configures the IP settings for DHCP packets trust Sets DHCP responses as trusted for a WLAN/range Example rfs7000-37FABE(config-wlan-test)#ip dhcp trust rfs7000-37FABE(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.
4 kerberos server [primary|secondary|timeout] kerberos server [primary|secondary] host {port <1-65535>} kerberos server timeout <1-60> Parameters kerberos password [0 |2 |] kerberos Configures a WLAN’s Kerberos authentication parameters The parameters are: password, realm, and server. password Configures a Kerberos Key Distribution Center (KDC) server password. The password should not exceed 127 characters.
4 encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: mac-registration [external|group-name] mac-registration external host {proxy-mode [none|through-controller| through-rf-domain-manager]} mac-r
4 mac-registration external host 172.16.10.
4 ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.
4 authentication-type broadcast-dhcp broadcast-ssid captive-portal-enforcement client-access client-client-communication client-load-balancing controller-assisted-mobility data-rates description downstream-group-addressed-forwarding eap-types encryption-type enforce-dhcp fast-bss-transition http-analyze ip kerberos mac-authentication mac-registration motorola-extensions protected-mgmt-frames proxy-arp-mode radio-resource-measurement radius relay-agent shutdown ssid time-based-access use vlan vlan-pool-mem
4 service Service to monitor to show no-service page to user rfs7000-37FABE(config-wlan-test)# The test settings before execution of the no command: rfs7000-37FABE(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.
4 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer http-analyze controller rfs7000-37FABE(config-wlan-test)# proxy-arp-mode wlan-mode commands Enables proxy ARP mode for handling ARP requests Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access P
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: radio-resource-measurement {channel-report} Parameters radio-resource-measurement {channel-report} radio-resource-measureme nt {channel-report} Enables s
4 Parameters radius [dynamic-authorization|nas-identifier |nas-port-id | vlan-assignment] dynamic-authorization Enables support for disconnect and change of authorization messages (RFC5176) nas-identifier Configures the WLAN NAS identifier sent to the RADIUS server. The NAS identifier should not exceed 256 characters. nas-port-id Configures the WLAN NAS port ID sent to the RADIUS server. The NAS port identifier should not exceed 256 characters.
4 relay-agent dhcp-option82 relay-agent dhcp-option82 Supports DHCP option 82. When enabled, this feature allows the DHCP relay agent to insert the relay agent information option (option 82) in client requests forwarded to the DHCP server.
4 If the shutdown on-meshpoint-loss feature is enabled, the WLAN status changes only if the meshpoint and the WLAN are mapped to the same VLAN. If the meshpoint is mapped to VLAN 1 and the WLAN is mapped to VLAN 2, then the WLAN status does not change on loss of the meshpoint.
4 encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment motorola-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer shutdown on-unadoption http-analyze controller rfs7000-37FABE(config-wlan-test)# time-based-access wlan-mode commands Configures time-based client access to the n
4 Usage Guidelines: Ensure the system clock is configured correctly.
4 use [aaa-policy |association-acl-policy | captive-portal |passpoint-policy | wlan-qos-policy ] aaa-policy Uses an existing AAA policy with a WLAN – Specify the AAA policy name.
4 Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
4 vlan [<1-4094>|] <1-4094> Sets a WLAN’s VLAN ID. This command starts a new VLAN assignment for a WLAN index. All prior VLAN settings are erased. Use this command to assign just one VLAN to the WLAN. Utilizing a single VLAN per WLAN is a more typical deployment scenario than using a VLAN pool. Assigns a VLAN alias to the WLAN. The VLAN alias should to existing and configured. A VLAN alias maps a name to a VLAN ID.
4 Parameters vlan-pool-member {limit <0-8192>} vlan-pool-member Adds a member VLAN to a WLAN’s VLAN pool Define the VLANs available to this WLAN. It is either a single index, or a list of VLAN IDs (for example, 1,3,7), or a range (for example, 1-10) limit <0-8192> Optional.
4 wep128 keys-from-passkey wep128 transmit-key <1-4> Parameters wep128 key <1-4> [ascii|hex] [0 |2 |] wep128 Configures WEP128 parameters. The parameters are: key, key-from-passkey, and transmit-key. key <1-4>] Configures pre-shared hex keys • <1-4> – Configures a maximum of four key indexes. Select the key index from 1 - 4.
4 rfs7000-37FABE(config-wlan-test)# wep64 wlan-mode commands Configures WEP64 parameters Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: wep64 [key|keys-from-passkey
4 Example rfs7000-37FABE(config-wlan-test)#wep64 key 1 ascii motor rfs7000-37FABE(config-wlan-test)#wep64 transmit-key 1 rfs7000-37FABE(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authenti
4 wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>| hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>| reauthentication <30-86400>|tx-power <0-20>|vlan-cache-ageout <60-86400>] wireless-client roam-notification [after-association|after-data-ready|auto] Parameters wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>| hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>| reauthentication <30-86400>|tx-power <
4 rfs7000-37FABE(config-wlan-test)#wireless-client reauthentication 35 rfs7000-37FABE(config-wlan-test)#wireless-client tx-power 12 rfs7000-37FABE(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type no
4 wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication| use-sha256-akm] wpa-wpa2 handshake [attempts|init-wait|priority|timeout] wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]| timeout <10-5000> {10-5000}] wpa-wpa2 key-rotation [broadcast|unicast] <30-86400> wpa-wpa2 psk [0 |2 |] wpa-wpa2 tkip-countermeasures holdtime <0-65535> Parameters wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication| use-sha256-akm] wpa-wpa
4 broadcast <30-86400> Configures the periodic rotation of keys used for broadcast and multicast traffic. This parameter specifies the interval, in seconds, at which keys are rotated. • <30-86400> – Specify a value from 30 - 86400 seconds. unicast <30-86400> Configures a periodic interval for the rotation of keys, used for unicast traffic • <30-86400> – Specify a value from 30 - 86400 seconds. wpa-wpa2 Modifies TKIP-CCMP (WPA/WPA2) related parameters psk Configures a pre-shared key.
4 Invokes service commands applicable in the WLAN configuration mode Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: service [allow-ht-only|allow-open-passpoint|cred-
4 enforce-pmkid-validation Validates the Predictive real-time pairwise master key identifier (PMKID) contained in a client’s association request against the one present in the wpa-wpa2 handshake This functionality is based on the Proactive Key Caching (PKC) extension of the 802.11i EEEE standard. Whenever a wireless client successfully authenticates with a AP it receives a pairwise master key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP.
4 captive-portal external-server Enables external captive portal server failure monitoring. This feature is disabled by default. When enabled, this feature enables APs to display, to an externally located captive portal’s user, the no-service page when the captive portal’s server is not reachable. dhcp crm vlan <1-4094> Enables external DHCP server failure monitoring. Also configures a DHCP failover VLAN. This feature is disabled by default.
4 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: wlan-qos-policy Parameters wlan-qos-policy Specify the WLAN QoS policy name.
4 smart-cache-policy Global Configuration Commands The following table lists the smart cache policy configuration commands.
4 Example nx4500-5CFA2B(config)#smart-cache-policy ? SMART-CACHE-POLICY Name of the content caching to be configured ( will be created if it does not exist ) nx4500-5CFA2B(config)#smart-cache-policy test nx4500-5CFA2B(config-smart-cache-policy-test)# nx4500-5CFA2B(config-smart-cache-policy-test)#? Content Cache Policy Mode commands: access-log Log all client requests aging Configure the refresh pattern cache Configure cache management forward-proxy Configure address and port for forward caching proxy servic
4 access-log smart-cache-policy-mode commands Enables or disables client request logging. When enabled, this feature logs client access details to the /var/log/smart-cache.log. This feature is enabled by default.
4 aging precedence <1-100> [|ignore-case ] min-age <0-525600> freshness-factor <0-100> max-age <0-525600> {(override-expire|override-lastmod| reload-into-ims)} Parameters aging precedence <1-100> [|ignore-case ] min-age <0-525600> freshness-factor <0-100> max-age <0-525600> {(override-expire|override-lastmod| reload-into-ims)} aging precedence <1-100> Configures content cache aging rules and assigns a precedence to each rule • precedence <1-100> – Specify a precedence for this agin
4 Related Commands: no Removes an existing aging rule (refresh pattern) cache smart-cache-policy-mode commands Configures cache management settings This command specifies content cache rules that determine if a content is cached or not. Use this feature to filter content before caching. By default content is not cached.
4 destination-domain Optional. Specifies the destination domain’s hostname to match. The domain name can be an FQDN. The specified value is matched against the hostname part of the HTTP request URL. A leading asterisk or period in the domain name is treated as a wild card. For example, www.brocade.com, brocade.com, *.brocade.com and .com are all valid values. The destination domain parameter will NOT match against URLs that have an IP address instead of a hostname.
4 Supported in the following platforms: • Service Platforms — Brocade Mobility RFS9510 Syntax: forward-proxy {ip|protocol|vlan} forward-proxy {ip port <1-32768>} forward-proxy {protocol [all|ftp|gopher|https]} forward-proxy {vlan } Parameters forward-proxy (ip port <1-32768>} ip port <1-32768> Optional. Configures the IP address and TCP port for forward proxying This is the IP address where the forward smart caching proxy server is listening. The default port is 1.
4 Configures HTTP filters. This command configures rules to deny or permit HTTP access. A deny rule specifies the destination domains and source and destination IPs to deny content access. A permit rule specifies the destination domains and source and destination IPs to permit content access.
4 cache size 30 aging precedence 1 ignore-case \\.jgp$ min-age 100 freshness-factor 75 max-age 200 reload-into-ims http-access precedence 4 deny destination-domain .
4 nx4500-5CFA2B(config-content-cache-policy-test)#no forward-proxy vlan 10-20 nx4500-5CFA2B(config-smart-cache-policy-test)#no aging precedence 1 nx4500-5CFA2B(config-smart-cache-policy-test)#no access-log rotate The following example displays the content cache policy ‘test’ settings after the no commands are executed: nx4500-5CFA2B(config-smart-cache-policy-test)#show context smart-cache-policy test cache size 30 http-access precedence 4 deny destination-domain .
4 Related Commands: no Removes an ACL parent-proxy smart-cache-policy-mode commands Enables or disables upper-layer parent proxy on this smart cache policy The parent proxy server requires users to authenticate to access Web sites like WinRoute. This setting is disabled by default.
4 Parameters smart-cache enable smart-cache enable Enables smart content caching. When enabled, devices using this smart-cache policy act as forward proxy. Example nx4500-5CFA2B(config-smart-cache-policy-test)#smart-cache enable nx4500-5CFA2B(config-smart-cache-policy-test)# Related Commands: no Disables smart content caching transparent-proxy smart-cache-policy-mode commands Enables or disables the transparent proxy mode on a device. This is the default mode of proxying.
4 parent-proxy host 192.168.13.8 port 21 transparent-proxy vlan 10-20 cache size 30 http-access precedence 4 deny destination-domain .
Chapter 5 COMMON COMMANDS This chapter describes the CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. The PRIV EXEC command set contains commands available within the USER EXEC mode. Some commands can be entered in either mode. Commands entered in either the USER EXEC or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode.
5 Syntax: clrscr Parameters None Example The terminal window or screen before the clrscr command is executed: rfs4000-229D58#device-upgrade ? DEVICE-NAME Name/MAC address of device all Upgrade all devices Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility R
5 commit {write}{memory} Parameters commit {write}{memory} write Optional. If a commit succeeds, the configuration is written to memory memory Optional. Writes to memory Example rfs7000-37FABE#commit write memory [OK] rfs7000-37FABE# exit Common Commands The exit command works differently in the User Exec, Priv Exec, and Global Config modes. In the Global Config mode, it ends the current mode and moves to the previous mode, which is Priv Exec mode. The prompt changes from (config)# to #.
5 • Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (for example 'show ve?').
5 : show crypto pki trustpoints (WORD|all|)(|(on DEVICE-NAME)) \ Show running system information \ Encryption related commands \ Public Key Infrastructure related commands \ Display the configured trustpoints \ Display a particular trustpoint's details \ Display details for all trustpoints \ On AP/Controller \ AP / Controller name : show crypto isakmp sa (|(on DEVICE-NAME)) \ Show running system information \ Encryption Module \ Show ISAKMP related statistics \ Show all ISAKMP Security Associations \ On AP/
5 +--> Physical interface (interface GE,ME,UP etc) | | | +--> [[ RATE-LIMIT-TRUST-POLICY ]] | +--> Vlan interface (interface VLAN1/VLAN36 etc) | +--> Radio interface (interface RADIO1, RADIO2 etc) | | | +--> Radio specific Configuration | | | +--> [[ RADIO-QOS-POLICY ]] | | | +--> [[ ASSOC-ACL-POLICY ]] | | | +--> [[ WLAN ]] | +--> [[ MANAGEMENT-POLICY ]] | +--> [[ DHCP-SERVER-POLICY ]] | +--> [[ FIREWALL-POLICY ]] | +--> [[ NAT-POLICY ]] .....................................................................
5 : service advanced-wips clear-event-history (dos-eap-failure-spoof|id-theft-out-of-sequence|id-theft-eapol-success-spoofdetected|wlan-jack-attack-detected|essid-jack-attack-detected|monkey-jack-att ack-detected|null-probe-response-detected|fata-jack-detected|fake-dhcp-server -detected|crackable-wep-iv-used|windows-zero-config-memory-leak|multicast-all -systems-on-subnet|multicast-all-routers-on-subnet|multicast-ospf-all-routers -detection|multicast-ospf-designated-routers-detection|multicast-rip2-routers
5 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no Parameters None Usage Guidelines: The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example Global Config mode: No command options Enter configuration commands, one per line. End with CNTL/Z.
5 firewall-policy global-association-list igmp-snoop-policy inline-password-encryption ip l2tpv3 mac management-policy meshpoint meshpoint-qos-policy nac-list passpoint-policy password-encryption profile radio-qos-policy radius-group radius-server-policy radius-user-pool-policy rf-domain rfs4000 controller rfs6000 controller rfs7000 controller role-policy routing-policy smart-rf-policy wips-policy wlan wlan-qos-policy service Configure firewall policy Delete a global association list Remove device onboard
5 captive-portal crypto debug logging page service terminal wireless Captive portal commands Encryption related commands Debugging functions Modify message logging facilities Toggle paging Service Commands Set terminal line parameters Wireless Configuration/Statistics commands rfs7000-37FABE> Related Commands: no User Exec Commands mode no Priv Exec Commands mode no Global Config Commands mode revert Common Commands Reverts changes made, in the current session, to their last saved configuration Sup
5 • • • • Syntax (User Exec Mode) Syntax (Privilege Exec Mode) Syntax (Privilege Exec Mode: Brocade Mobility RFS9510) Syntax (Global Config Mode) Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Bro
5 service clear device-upgrade history {on } service clear captive-portal-page-upload history {on } service clear [command-history|reboot-history|upgrade-history|virtual-machine-history] {on } service clear noc statistics service clear unsanctioned aps {on } service clear wireless [br|client|controller-mobility-database|dns-cache|radio|wlan] service clear wireless controller-mobility-database service clear wireless [br|client] statistics {}
5 service show advanced-wips stats [br-table|client-table|connected-sensors-status| termination-entries] service show block-adopter-config-update service show captive-portal [servers|user-cache] {on } service show [cli|configuration-revision|mac-vendor |noc diag|snmp session| xpath-history] service show [command-history|crash-info|info|mem|process|reboot-history| startup-log|sysinfo|top|upgrade-history|watchdog] {on } service show dhcp-lease {|pppoe1|vlan <
5 service wireless client beacon-request mode [active|passive|table] ssid [|any] channel-report [|none] {on } service wireless client quiet-element [start|stop] service wireless client trigger-bss-transition url {on } service wireless dump-core-snapshot service wireless meshpoint zl [on ] {} service wireless qos delete-tspec tid <0-7> service wireless trace pattern {on } ser
5 id-theft-eapol-success-spoof -detected Optional. Clears IDs theft - EAPOL success spoof detection event history id-theft-out-of-sequence Optional. Clears IDs theft-out-of-sequence detection event history invalid-channel-advertized Optional. Clears invalid channel advertizement detection event history invalid-management-frame Optional. Clears invalid management frames detection event history ipx-detection Optional.
5 service [block-adopter-config-update|request-full-config-from-adopter] block-adopter-config-update Blocks the configuration updates sent from the NOC server request-full-config-from-adp oter Configures a request for full configuration updates from the adopter device In an hierarchically managed (HM) network devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers.
5 service clear wireless [br|client] {} {(on )} clear wireless [br|client] statistics {on } Clears wireless statistics counters based on the parameters passed • br statistics – Clears applicable AP statistics counters • client statistics – Clears applicable wireless client statistics counters The following keywords are common to the ‘br’ and ‘client’ parameters: – Optional. Clears statistics counters for a specified AP or client.
5 service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid} cli-tables-skin [ansi|hashes|minimal| none|percent|stars|thick| thin|uf-8] Selects a formatting layout or skin for CLI tabular outputs • ansi – Uses ANSI characters for borders • hashes – Uses hashes (#) for borders • minimal – Uses one horizontal line between title and data rows • none – Displays space separated items with no decoration • percent – Uses the percent sign (%) for borders • stars – Uses asterisks (*) f
5 service load-balancing clear-client-capability [|all] {on } load-balancing Enables wireless load balancing by clearing client capability records clear-client-capability [|all] Clears a specified client or all client’s capability records • – Clears capability records of a specified client. Specify the client’s MAC address in the AA-BB-CC-DD-EE-FF format. • all – Clears the capability records of all clients on Optional.
5 service radius test [|] <1024-65535> {wlan ssid } {(on )} radius test [|] Tests a RADIUS server’s account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients.
5 user-cache Displays cached user details for a captive portal on Optional. Displays server information or cached user details on a specified device • – Specify the name of the AP, wireless controller, or service platform.
5 on Optional. Displays DHCP lease information for a specified device pppoe1 Optional. Displays DHCP lease information for a PPP over Ethernet interface vlan <1-4094> Optional. Displays DHCP lease information for a VLAN interface • <1-4094> – Specify a VLAN index from 1 - 4094. wwan1 Optional. Displays DHCP lease information for a Wireless WAN interface on The following keywords are common to all of the above: • on – Optional.
5 service show rf-domain-manager diag {} {(on )} show Displays running system statistics based on the parameters passed rf-domain-manager Displays RF Domain manager information diag Displays RF Domain manager related diagnostics statistics Optional. Specify the MAC address or hostname of the RF Domain manager. on Optional.
5 info This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified wireless client or neighbor stats This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified wireless client or neighbor Displays information for a specified wireless client or neighbor on This parameter is common to client and meshpoint neighbor parameters.
5 Optional. Clears WLAN Smart RF configuration on a device identified by its MAC address. Specify the device’s MAC address in the AA-BB-CC-DD-EE-FF format. Optional. Clears WLAN Smart RF configuration on a device identified by its hostname. Specify the device’s hostname. on Optional. Clears WLAN Smart RF configuration on all devices in a specified RF Domain • – Specify the RF Domain name.
5 mode [active|passive|table] ssid [|any] Specifies the beacon measurement mode.
5 service wireless qos delete-tspec tid <0-7> wireless qos delete-tspec Sends a delete TSPEC request to a wireless client Specify the MAC address of the wireless client. tid <0-7> Deletes the Traffic Identifier (TID) • <0-7> – Select the TID from 0 - 7. service wireless trace pattern {on } wireless trace Displays the wireless module trace based on parameters passed pattern Configures the pattern to match – Specify the pattern to match.
5 service delete sessions service mint [clear|debug-log|expire|flood] service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]| expire [lsp|spf]|flood [csnp|lsp]] service pktcap on [bridge|deny|drop|ext-vlan|interface|radio|rim|router|vpn|wireless] service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name ,count <1-1000000>,direction [any|inbound|outbound],filter , hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp [
5 service delete sessions delete sessions Deletes session cookies • – Provide a list of cookies to delete. service mint [clear [lsp-dp|mlcp]|debug-log [flash-and-syslog|flash-only]| expire [lsp|spf]|flood [csnp|lsp]] mint clear [lsp-dp|mlcp] Enables MiNT protocol management (clears LSP database, enables debug logging, enables running silence etc.
5 filter [|arp|capwap|cdp| dot11|dropreason|dst| ether|host|icmp| igmp|ip|ipv6|l2|l3|l4|lldp |mint|net|not|port|priorit y|radio|src|tcp|udp| vlan|wlan] Optional. Filters packets based on the option selected (must be used as a last option) The filter options are: • – Defines user defined packet capture filter • arp – Matches ARP packets • capwap – Matches CAPWAP packets • cdp – Matches CDP packets • dot11 – Matches 802.
5 service pktcap on radio [<1-1024>|all] {(acl-name ,count <1-1000000>,direction [any|inbound|outbound],filter ,hex,promiscuous,rate <1-100>,snap <1-2048>, tcpdump,verbose,write [file|url|tzsp ])} pktcap on radio Captures data packets on a radio (802.11) <1-1024> Captures data packets on a specified radio • <1-1024> – specify the radio index from 1 - 1024. all Captures data packets on all radios acl-name Optional.
5 direction [any|inbound|outbound] filter hex rate <1-100> snap <1-2048> Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound. Optional. Filters packets based on the option selected (must be used as a last option) – Define a packet capture filter or select any one of the available options. • Optional. Provides binary output of the captured packets Optional.
5 service analytics [clear-data|get-last-detailed-status|migrate|nfsserver|primary| restart|secondary|start|start-detailed-status|status|stop] service analytics [clear-data|get-last-detailed-status|migrate|restart|start| start-detailed-status|status|stop] service analytics nfsserver [|] service analytics primary [|] service analytics secondary [|] service copy [|analytics-support|mac-user-db|tech-support] service copy service copy analytics-support [<
5 service analytics primary [|] service analytics Provides analytics services primary [|] Configures the analytics primary server. Use one of the following options to identify the primary server: • – Specifies the primary server’s IP address • – Specifies the primary server’s hostname service analytics secondary [|] service analytics Provides analytics services secondary [|] Configures the analytics primary server.
5 In an NOC managed network, the analytics engine parses and processes Smart RF events as they are received. The analytics engine parses the new channel and power information from the Smart RF event, as opposed to retrieving the event from the devices themselves.
5 +-include-factory [show (running-config|session-config) (|include-factory)] +-interface [show running-config interface (|`WORD|ge <1-4>|me1|pc <1-4>|vlan <1-4094>') (|include-factory)] +-WORD [show running-config interface (|`WORD|ge <1-4>|me1|pc <1-4>|vlan <1-4094>') (|include-factory)] +-include-factory [show running-config interface (|`WORD|ge <1-4>|me1|pc <1-4>|vlan <1-4094>') (|include-factory)] +-ge +-<1-4> [show running-config interface (|`WORD|ge <1-4>|me1|pc <1-4>|vlan <1-4094>') (|include-factor
5 Feb 15 14:44:19 2013 admin 192.168.100.225 46 clock set 14:45:30 15 Feb 2013 Feb 15 14:41:10 2013 admin 192.168.100.225 46 clear event-history Feb 15 14:38:28 2013 admin 192.168.100.225 46 boot system primary Feb 15 14:35:54 2013 admin 192.168.100.225 46 boot system secondary Jan 31 01:07:59 2013 admin 192.168.100.225 46 clock set 14:25:35 15 Feb 2013 Jan 31 01:07:47 2013 admin 192.168.100.225 46 clock set 14:25:35 15 02 2013 Jan 31 01:05:58 2013 admin 192.168.100.
5 Please export these files or delete them for more space. rfs7000-37FABE> rfs4000-229D58>service show upgrade-history on rfs4000-229D58 Configured size of upgrade history is 50 Date & Time Old Version New Version Status ===================================================================== Jan 16 22:28:19 2013 5.5.0.0-017D 5.5.0.0-018D Successful Jan 13 22:51:38 2013 5.5.0.0-015D 5.5.0.0-017D Successful Dec 04 01:25:18 2012 5.5.0.0-011D 5.5.0.0-015D Successful Oct 04 22:25:03 2012 5.4.2.0-012D 5.5.0.
5 no accounting radius no accounting syslog rfs7000-37FABE> System Information: Free RAM: 68.0% (169 of 249) Min: 10.0% File Descriptors: free: 24198 used: 960 max: 25500 CPU load averages: 1 min: 0.0% 5 min: 0.0% 15 min: 0.
5 • Service Platforms — Brocade Mobility RFS9510 Syntax: show Parameters None Example rfs7000-37FABE#show ? adoption advanced-wips boot captive-portal captive-portal-page-upload cdp clock cluster commands context critical-resources crypto debug debugging device-upgrade dot1x environmental-sensor event-history event-system-policy file firewall global gre interface ip ip-access-list l2tpv3 ldap-agent licenses lldp logging mac-access-list mac-address-table macauth mint ntp password-encryption powe
5 session-changes session-config sessions site-config-diff smart-rf spanning-tree startup-config terminal timezone upgrade-status version vrrp what wireless wwan Configuration changes made in this session This session configuration Display CLI sessions Difference between site configuration on the NOC and actual site configuration Smart-RF Management Commands Display spanning tree information Startup configuration Display terminal configuration parameters The timezone Display last image upgrade status Displ
Chapter 6 SHOW COMMANDS Show commands display configuration settings or statistical information. Use this command to view the current running configuration as well as the start-up configuration. The show command also displays the current context’s configuration. This chapter describes the ‘show’ CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. Commands entered in either USER EXEC mode or PRIV EXEC mode are referred to as EXEC mode commands.
6 TABLE 4 Show Commands Command Description Reference event-history Displays event history page 460 event-system-policy Displays event system policy configuration information page 461 file Displays file system information page 462 firewall Displays wireless firewall information page 463 global Displays global information for network devices based on the parameters passed page 466 gre Displays GRE tunnel related information page 468 interface Displays interface status page 468 ip D
6 TABLE 4 Show Commands Command Description Reference terminal Displays terminal configuration parameters page 512 timezone Displays timezone information for the system and managed devices page 513 upgrade-status Displays image upgrade status page 513 version Displays a device’s software and hardware version page 514 vrrp Displays Virtual Router Redundancy Protocol (VRRP) protocol details page 515 what Displays details of a specified search phrase page 516 wireless Displays wireless
6 captive-portal-page-upload cdp clock cluster commands context critical-resources crypto debug debugging device-upgrade dot1x environmental-sensor event-history event-system-policy file firewall global gre interface ip ip-access-list l2tpv3 ldap-agent licenses lldp logging mac-access-list mac-address-table macauth mint mirroring ntp password-encryption power pppoe-client privilege raid reload remote-debug rf-domain-manager role route-maps rtls running-config session-changes session-config sessions site-con
6 vrrp what wireless wwan VRRP protocol Perform global search Wireless commands Display wireless WAN Status (config)# rfs7000-37FABE(config)#show clock 2013-02-15 15:28:26 UTC rfs7000-37FABE(config)# PRIVILEGE EXEC Mode #show ? adoption advanced-wips boot captive-portal captive-portal-page-upload cdp clock cluster commands context critical-resources crypto debug debugging device-upgrade dot1x environmental-sensor event-history event-system-policy file firewall global gre interface ip ip-ac
6 route-maps rtls running-config session-changes session-config sessions site-config-diff slot smart-cache smart-rf spanning-tree startup-config terminal timezone upgrade-status version virtual-machine vrrp what wireless wwan Display Route Map Statistics RTLS Statistics Current operating configuration Configuration changes made in this session This session configuration Display CLI sessions Difference between site configuration on the NOC and actual site configuration Expansion slots stats Content caching
6 mac-address-table macauth mint mirroring ntp password-encryption power pppoe-client privilege rf-domain-manager role route-maps rtls running-config session-changes session-config sessions site-config-diff slot smart-rf spanning-tree startup-config terminal timezone version vrrp what wireless wwan Display MAC address table MAC AUTH MiNT protocol Show mirroring sessions Network time protocol Password encryption Show power over ethernet command PPP Over Ethernet client Show current privilege level Show RF D
6 nx9500-6C874D(config)#show virtual-machine configuration ------------------------------------------------------------------------------NAME AUTOSTART MEMORY(MB) VCPUS ------------------------------------------------------------------------------Mobility 16384 adsp start 16384 12 team-cmt start 1024 1 ------------------------------------------------------------------------------nx9500-6C874D(config)# adoption show commands Displays adoption related information, and is common to the User Exec, Priv Exec, a
6 Parameters show adoption offline adoption Displays adoption related information. It also displays configuration errors. offline Displays non-adopted status of the logged device and its adopted access points show adoption config-errors adoption Displays adoption related information. It also displays configuration errors.
6 Example rfs4000-229D58(config)#show adoption offline ---------------------------------------------------------------------------------------------MAC HOST-NAME TYPE RF-DOMAIN TIME OFFLINE ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Total number of devices displayed: 2 rfs4000-229D58(config)# rfs4000-229D58(config)#show adoption log adoptee on rfs4000-229D58 2013-03-
6 show advanced-wips configuration [events {thresholds}|terminate-list] show advanced-wips stats [br-table|client-table|connected-sensors|detected-aps| detected-clients-for-br|event-history|server-listening-port] show advanced-wips stats [br-table|client-table|connected-sensors|event-history| server-listening-port] show advanced-wips stats [detected-aps|detected-clients-for-br ] {neighboring|sanstioned|unsanctioned} Parameters show advanced-wips configuration [events {thresholds}|terminate-list] co
6 POLICY SLNO NAME TRIGGER-S TRIGGER-U TRIGGER-N MITIGATION --------------------------------------------------------------------------------------------------test 1 essid-jack-attack-detected N N N test 2 unauthorized-bridge N N N test 3 wlan-jack-attack-detected N N N test 4 multicast-igrp-routers-detection N N N test 5 multicast-igmp-detection N N N test 6 dos-eapol-logoff-storm N N N test 7 probe-response-flood N N N test 8 monkey-jack-attack-detected N N N test 9 dos-rts-flood N N --More-rfs7000-37FABE(
6 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show boot {on } Parameters show boot {on } boot Displays primary and secondary image boot configuration details (build date, in
6 show captive-portal client {filter|on|satistics} show captive-portal client {filter} {captive-portal|ip|state|vlan|wlan} show captive-portal client {filter} {captive-portal [| not ]} show captive-portal client {filter} {ip [|not ]} show captive-portal client {filter} {state [pending|success|not[pending|success]]} show captive-portal client {filter} {vlan [|not ]} show captive-portal client {filter} {wlan [|not ]} show captive-
6 show captive-portal client {filter} {vlan [|not ]} captive-portal client Displays captive portal client information filter Optional. Defines additional filters vlan [| not ] Optional. Displays captive portal clients based on the VLAN ID passed • – Specify the VLAN ID.
6 --------------------------------------------------------------------------------------------------------------RF-Domain: default, sub-total of captive portal clients displayed = 0 =========================================================================== =========================================================================== RF-Domain: new-l3-rf-dmn CLIENT IP CAPTIVE-PORTAL WLAN VLAN STATE SESSION TIME ---------------------------------------------------------------------------------------------------
6 Total number of captive portal clients displayed: 2 rfs4000-229D58# captive-portal-page-upload show commands Displays captive portal page information, such as upload history, upload status, and page file download status Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Br
6 ------------------------------------------------------------------------------rfs7000-37FABE> rfs7000-37FABE>show captive-portal-page-upload history -------------------------------------------------------------------------------------AP RESULT TIME RETRIES UPLOADED-BY LAST-UPLOAD-ERROR -------------------------------------------------------------------------------------No upload history is present rfs7000-37FABE> rfs7000-37FABE>show captive-portal-page-upload load-image-status No captive portal advanced p
6 IP Address: 169.254.230.196 Platform: Brocade Mobility 7131 Access Point, Capabilities: Router Switch Interface: ge1, Port ID (outgoing port): ge1 Hold Time: 131 sec advertisement version: 2 Native VLAN: 1 Duplex: full Version : 5.4.1.0-018R ------------------------Device ID: br7131-139B34 Entry address(es): IP Address: 172.16.10.
6 show clock {on } clock Displays a system’s clock on Optional. Displays system clock on a specified device • – Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs7000-37FABE(config)#show clock 2013-02-15 15:38:47 UTC rfs7000-37FABE(config)# cluster show commands Displays cluster information (cluster configuration parameters, members, status etc.
6 ------------------------------------------------------------------------------------------------------70.37.FA.BE 00-15-70-37-FA-BE Active 0 0 50 50 5.4.2.
6 show debugging (|(on DEVICE-OR-DOMAIN-NAME)) show debugging cfgd show debugging fib(|(on DEVICE-NAME)) show debugging adoption (|(on DEVICE-OR-DOMAIN-NAME)) show debugging wireless (|(on DEVICE-OR-DOMAIN-NAME)) show debugging snmp (|(on DEVICE-NAME)) show debugging ssm (|(on DEVICE-NAME)) show debugging voice (|(on DEVICE-OR-DOMAIN-NAME)) show debugging captive-portal (|(on DEVICE-OR-DOMAIN-NAME)) show debugging dhcpsvr (|(on DEVICE-NAME)) show debugging role (|(on DEVICE-OR-DOMAIN-NAME)) show debugging d
6 show context {include-factory|session-config {include-factory}} include-factory Optional. Includes factory defaults session-config include-factory Optional. Displays running system information in the current context • include-factory – Optional. Includes factory defaults Example rfs4000-229D58(config)#show context ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.0-034B ! ! version 2.
6 show critical-resources {on } critical-resources Displays critical resources information on Optional. Displays critical resource information on a specified device • – Specify the name of the AP, wireless controller, or service platform.
6 peer on Optional. Displays IKE SA statistics for a specified peer • – Specify the peer’s IP address in the A.B.C.D format Optional. Displays IKE SA statistics on a specified device – Specify the name of the AP, wireless controller, or service platform. • show crypto ike sa {version [1|2]} {peer } {(on )} crypto ike sa version [1|2] Displays IKE SA details Optional.
6 all Optional. Displays details of all trustpoints on The following keyword is recursive and common to the ‘trustpoint-name’ and ‘all’ parameters: • on – Optional. Displays trustpoints configured on a specified device • – Specify the name of the AP, wireless controller, or service platform.
6 CA Certificate details: Serial Number: 01 Subject Name: CN=70.37.fa.be:2010-04-26-15-00-39, Issuer Name: CN=70.37.fa.
6 00-23-68-22-9D-58 br71xx none 00-23-68-22-9D-58 br6511 none 00-23-68-22-9D-58 rfs7000 none 00-23-68-22-9D-58 br650 5.5.0.
6 Displays dot1x information on interfaces Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually login.
6 port-channel <1-2> on Displays dot1x for a specified port channel interface <1-2> – Select the interface index from 1 - 2. • The following keywords are common to all of the above parameters: • on – Optional. Displays dot1x interface information on a specified device • – Specify the name of AP, wireless controller, or service platform.
6 NOTE The environmental senor is supported only on an Brocade Mobility 1240 Access Point. When executed on any controller (other than an Brocade Mobility 1240 Access Point), the show > environmental-sensor > command displays environmental-sensor details for adopted Brocade Mobility 1240 Access Points (if any).
6 1-hour 6-hour 24-hour 0 0 0 temperature-sensor: Enabled(Demo) current value: -40.00 deg. C ------------------------------min/average/max ------------------------------20-minute 0/0/0 1-hour 0/0/0 6-hour 0/0/0 24-hour 0/0/0 light-sensor: Enabled threshold-high:+400.00 threshold-low:+200.00 holdtime:11 action radio-shutdown: radio-1 and radio-2 light-on:1 light-on/off event sent:0/0 current value: 0.
6 ap8132-711634#show env-sensor history 20-min ---------------------------------------------------------------------------------------------------------timestamp Motion Temperature Light Humidity --------------------------------------------------------------------------------------------------------2013-11-20 13:51:35 UTC 0 66 79 59 2013-11-20 13:53:35 UTC 0 66 79 59 2013-11-20 13:55:35 UTC 0 65 79 58 2013-11-20 13:57:35 UTC 1 66 80 59 2013-11-20 13:59:35 UTC 0 66 79 59 2013-11-20 14:02:35 UTC 0 65 79 60 20
6 2013-11-20 14:43:35 80 2013-11-20 14:45:35 80 2013-11-20 14:47:35 81 2013-11-20 14:49:35 80 ap8132-711634# UTC 0 64 3 66 0 66 0 66 59 UTC 60 UTC 61 UTC 61 #show env-sensor history 24-hr ---------------------------------------------------------------------------------------------------------timestamp Motion Temperature Light Humidity --------------------------------------------------------------------------------------------------------2013-11-20 10:10:20 UTC 27 66 80 60 2013-11-20
6 Syntax: show event-history {on } Parameters show event-history {on } event-history Displays event history report on • Optional. Displays event history report on a device or RF Domain – Specify the name of the AP, wireless controller, service platform, or RF Domain.
6 Displays detailed event system policy configuration Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show event-system-policy [config|detail]
6 Parameters show file [information |systems] information Displays file information • – Specify the file name.
6 show firewall [dhcp snoop-table|dos stats] {on } dhcp snoop-table Displays DHCP snoop table entries • snoop-table – Displays DHCP snoop table entries DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces. dos stats Displays Denial of Service (DoS) statistics This option is not available in the User Exec mode.
6 min-idle <1-4294967295> Optional. Filters firewall flows idle for at least the specified duration. Specify a min-idle value from 1 4294967295 bytes. min-pkts <1-4294967295> Optional. Filters firewall flows with at least the given number of packets. Specify a min-bytes value from 1 4294967295 bytes. not Optional. Negates the filter expression selected port <1-65535> Optional. Matches either the source or destination port. Specify a port from 1 - 65535. src <1-65535> Optional.
6 rfs7000-37FABE(config)# rfs7000-37FABE(config)#show firewall flows stats on rfs7000-37FABE Active Flows 2 TCP flows 1 UDP flows 0 DHCP flows 1 ICMP flows 0 IPsec flows 0 L3/Unknown flows 0 rfs7000-37FABE(config)# global show commands Displays global information for network devices based on the parameters passed Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Poi
6 show global device-list filter (rf-domain [|not ]) global device-list Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain. filter rf-domain [| not ] Optional. Specifies additional filters • rf-domain – Optional. Displays global information for all devices in a specified RF Domain • – Optional.
6 gre show commands Displays GRE tunnel info Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show gre info Parameters show gre info show gre info Displays Generic R
6 show interface {|brief|counters|ge <1-4>|me1|on|port-channel <1-2>| pppoe1|switchport|vlan <1-4094>|wwan1} {on } interfaces Optional. Displays system interface status based on the parameters passed Optional. Displays status of the interface specified by the parameter. Specify the interface name. brief Optional. Displays a brief summary of the interface status and configuration counters Optional.
6 -------------------------------------------------------------------------------------ge1 UP access 1 ge2 UP access 1 ge3 UP access 1 ge4 UP access 1 -------------------------------------------------------------------------------------A '*' next to the VLAN ID indicates the native vlan for that trunk port rfs7000-37FABE(config)# rfs7000-37FABE(config)#show interface vlan 1 Interface vlan1 is UP Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-37-FA-BE Index: 4, Metric: 1, MTU: 1500 IP-Address: 172.16.
6 ge4 00-...
6 nx6500-31FABE(config)# ip show commands Displays IP related information Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show ip [arp|ddns|default-gateways|dhcp|dhc
6 show ip arp {} {(on )} ip arp Displays Address Resolution Protocol (ARP) mappings Optional. Displays ARP mapping on a specified VLAN. Specify the VLAN name. on The following keyword is recursive and common to the ‘vlan-name’ parameter: • on – Optional. Displays ARP configuration details on a specified device • – Specify the name of the AP, wireless controller, or service platform.
6 mrouter vlan <1-4095> {on } Displays the IGMP snooping multicast router (mrouter) configuration Displays the IGMP snooping multicast router configuration for a VLAN • <1-4095> – Specify the VLAN ID from 1 - 4095. • on – Optional. Displays the IGMP snooping mrouter configuration on a specified device • – Specify the name of the AP or wireless controller.
6 pppoe1 Displays Point-to-point Protocol over Ethernet (PPPoE) interface route table details wwan1 Displays Wireless WAN route table details on The following keywords are recursive and common to all of the above parameters: • on – Displays route table details, based on the parameters passed, on a specified device • – Specify the name of the AP, wireless controller, or service platform.
6 | 172.16.10.0/24 | direct | C | vlan1 | default | 172.16.10.9 | CG | vlan1 +-------------------------+--------------------+------------+------------Flags: C - Connected G - Gateway rfs7000-37FABE(config)# | | rfs7000-37FABE(config)#show ip route pc on rfs7000-37FABE ------------------------------------------------------------------------------DESTINATION GATEWAY FLAGS INTERFACE ------------------------------------------------------------------------------192.168.0.0/24 direct C me1 172.16.10.
6 DESTINATION GATEWAY FLAGS INTERFACE ------------------------------------------------------------------------------172.16.10.
6 ------------------------------------------------------------------------------rfs4000-229D58# ip-access-list show commands Displays IP access list statistics NOTE This command is not available in the USER EXEC Mode.
6 rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#show context ip access-list auto-tunnel-acl permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 permit ip host 200.200.200.99 any rule-precedence 3 rfs4000-229D58(config-ip-acl-auto-tunnel-acl)# The following example dispalys the statistics for the ‘auto-tunnel-acl’ ACL: rfs4000-229D58#show ip-access-list stats IP Access-list: auto-tunnel-acl permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 Hitcount: 0 permit ip host 200.200.200.
6 l2tpv3 {on } l2tpv3 {on } Displays a L2TPv3 tunnel and session details or summary • on – Optional. Displays L2TPv3 information on a specified access point or wireless controller • – Specify the name of AP, wireless controller, or service platform.
6 Control connection id : 2238970979 Peer Address : 30.1.1.1 Local Address : 30.1.1.
6 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show ldap-agent join-status {on } Parameters show ldap-agent join-status {on } ldap-agent {on } Displays if a specified device (LDAP agent) has successfully joined a LDAP server’s domain • on – Optional. Specifies the device name.
6 At the time of adoption, access points and adaptive access points are provided license by the adopting controller. These license packs can be installed on both the NOC and site controllers. When a AP/AAP is adopted by a controller, the controller pushes a license on to the device. At this point the various possible scenarios are: • AP/AAP license packs installed on the NOC controller only.
6 Value Used AAP-LICENSE Value Used : 263 : 0 : 329 : 3 Cluster Licenses: AP-LICENSE Value : 257 Used : 0 AAP-LICENSE Value : 257 Used : 2 Active Members: --------------------------------------------------------------------------------------------------MEMBER SERIAL LIC TYPE VALUE LENT TOTAL NO.APS NO.
6 00-15-70-37-FA-BE rfs7000-37FABE AAP 1 00-00-00-04-04-0A rfs4000-04040A 93 days, 5 hours 00-15-70-37-FA-BE rfs7000-37FABE AAP 1 00-00-00-04-04-0B rfs4000-04040B 93 days, 5 hours 00-15-70-37-FA-BE rfs7000-37FABE AAP 1 00-00-00-04-04-0D rfs4000-04040D 93 days, 5 hours 00-15-70-37-FA-BE rfs7000-37FABE AAP 2 00-23-68-88-1E-4B rfs4000-881E4B current 00-15-70-81-70-1D rfs6000-81701D AP 1 00-23-68-88-1E-4B rfs4000-881E4B current ------------------------------------------------------------------------------------
6 show lldp report {detail} {(on )} lldp report detail on Displays an LLDP neighbors table or aggregated LLDP neighbors table Displays an aggregated LLDP neighbors table detail – Optional.
6 Jan 23 19:50:40 2013: rfs4000-229D58 : %SYSTEM-3-LOGIN_FAIL: Log-in failed for user 'admin' from 'ssh' Jan 22 00:04:14 2013: rfs4000-229D58 : %SYSTEM-3-UI_USER_AUTH_FAIL: UI user 'Admin' from: '192.168.13.10' authentication failed Jan 21 23:56:32 2013: rfs4000-229D58 : %SYSTEM-3-UI_USER_AUTH_FAIL: UI user 'admin' from: '192.168.13.10' authentication failed rfs4000-229D58(config)# mac-access-list-stats show commands Displays MAC access list statistics NOTE This command is not present in USER EXEC mode.
6 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show mac-address-table {on } Parameters show mac-address-table {on } mac-address-table on Displays MAC address ta
6 show macauth [all|interface [|ge <1-5>|port-channel <1-3>|up1]] {(on )} macauth Displays MAC authentication related information for all interfaces or all interfaces all Displays MAC authentication related information for all interfaces interface [| ge <1-5>| port-channel <1-3>|up1] Displays MAC authentication related information for a specified interface.
6 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show mint [config|dis|id|info|known-adopters|links|lsp|lsp-db|mlcp|neighbors|route| stats|tunnel-controller|tunneled
6 tunnel-controller Displays details of MiNT VLAN network tunnel wireless controllers for extended VLAN load balancing details {(on )} The following keywords are common to the ‘dis’, ‘links’, ‘neighbors’, and ‘tunnel-controller’ parameters: • details – Optional. Displays detailed MiNT information • on – Optional.
6 rfs7000-37FABE(config)#show mint route on rfs7000-37FABE Destination : Next-Hop(s) 70.37.FA.BE : 70.37.FA.BE via self rfs7000-37FABE(config)# rfs7000-37FABE(config)#show mint known-adopters on rfs7000-37FABE 70.37.FA.BE rfs7000-37FABE(config)# rfs7000-37FABE(config)#show mint config Base priority 180 DIS priority 180 Control priority 180 UDP/IP Mint encapsulation port 24576 Global Mint MTU 1500 rfs7000-37FABE(config)# ntp show commands Displays Network Time Protocol (NTP) information.
6 rfs7000-37FABE>show ntp status Clock is synchronized, stratum 0, actual frequency is 0.0000 Hz, precision is 2**0 reference time is 00000000.00000000 (Feb 07 06:28:16 UTC 2036) clock offset is 0.000 msec, root delay is 0.000 msec root dispersion is 0.
6 Parameters show pppoe-client [configuration|status] {on } pppoe-client Displays PPPoE client information (configuration and status) configuration Displays detailed PPPoE client configuration status Displays detailed PPPoE client status on The following keywords are common to ‘configuration’ and ‘status’ parameters: • on – Optional.
6 rfs7000-37FABE(config)# reload show commands Displays scheduled reload information for a specific device NOTE This command is not present in the USER EXEC mode.
6 show rf-domain-manager {on } Parameters show rf-domain-manager {on } rf-domain-manager Displays RF Domain manager selection details on • Optional. Displays RF Domain manager selection details on a specified device or domain – specify the name of the AP, wireless controller, service platform, or RF Domain.
6 No ROLE statistics found.
6 Parameters show rtls [aeroscout|ekahau] {} {(on )} rtls Displays access point RTLS statistics aeroscout Displays access point Aeroscout statistics ekahau Displays access point Ekahau statistics Optional. Displays Aeroscout or Ekahau statistics for a specified access point. Specify the MAC address or hostname of the access point.
6 ry| interface|ip-access-list|mac-access-list|management-policy|meshpoint|profile| radio-qos-policy|rf-domain|smart-rf-policy|wlan|wlan-qos-policy} show running-config {aaa-policy|association-acl-policy|auto-provisioning-policy| captive-portal-policy|dhcp-server-policy|firewall-policy|management-policy| radio-qos-policy|smart-rf-policy|wlan-qos-policy} {include-factory} show running-config {device [|self]} {include-factory} show running-config {include-factory} show running-config {inter
6 smart-rf-policy Optional. Displays Smart RF policy configuration wlan-qos-policy Optional. Displays WLAN QoS policy configuration include-factory The following keyword is common to all policies: – Specify the name of the policy. • The following keyword is common to all policies: include-factory – Optional.
6 show running-config {meshpoint } {include-factory} running-config Displays current running configuration meshpoint Optional. Displays meshpoint configuration • – Specify the meshpoint name include-factory Optional.
6 show running-config {wlan } {include-factory} running-config Displays current running configuration wlan Optional. Displays current configuration for a WLAN • – Displays current configuration for a specified WLAN. Specify the WLAN name. include-factory Optional.
6 wmm video txop-limit 94 wmm video aifsn 1 wmm video cw-min 3 wmm video cw-max 4 wmm voice txop-limit 47 wmm voice aifsn 1 wmm voice cw-min 2 --More-nx6500-31FABE(config)# session-changes show commands Displays configuration changes made in the current session Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Co
6 show session-config {include-factory} Parameters show session-config {include-factory} session-config include-factory Displays current session configuration • include-factory – Optional. Includes factory defaults Example rfs4000-229D58(config)#show session-config ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.0-036B ! ! version 2.
6 Parameters show sessions {on } sessions Displays CLI sessions initiated on a device on Optional. Displays CLI sessions on a specified device • – Specify the name of the AP, wireless controller, or service platform. Example rfs4000-229D58(config)#show sessions INDEX COOKIE NAME START TIME 1 49 admin 2013-02-15 15:45:10 superuser 2 2 snmp 2013-01-16 22:37:59 superuser 3 3 snmp2 2013-01-16 22:37:59 superuser FROM 192.168.100.225 ROLE 127.0.0.1 127.0.0.
6 Example nx9500-6C874D#show site-config-diff 5C-0E-8B-18-06-F4 ---- Config diff for switch 5C-0E-8B-18-06-F4 ---rfs6000 5C-0E-8B-18-06-F4 interface pppoe1 no shutdown nx9500-6C874D# smart-rf show commands Displays Smart RF management commands Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocad
6 Optional. Uses an administrator defined name to identify an access point on Optional. Displays access point details on a specified RF Domain. Specify the domain name. show smart-rf br (activity|energy|neighbors} [|] {(on )} br Displays AP related commands activity Optional. Displays AP activity for a specified AP or all APs energy Optional. Displays AP energy for a specified AP or all APs neighbors Optional.
6 Optional. Displays radio activity for a specified radio • – Specify the radio’s MAC address. all-11an Optional. Displays radio activity of all 11a radios in the configuration all-11bgn Optional. Displays radio activity of all 11bg radios in the configuration on Optional. Displays radio activity of all radios within a specified RF Domain – Specify the RF Domain name.
6 spanning-tree show commands Displays spanning tree utilization information Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show spanning-tree mst {configuration|det
6 interface [| age <1-4>|me1| port-channel <1-2>| pppoe1| van <1-4094> wwan1] Displays detailed MST configuration for a specified interface • – Displays detailed MST configuration for a specified interface. Specify the interface name. • age <1-4> – Displays GigabitEthernet interface MST configuration • <1-4> – Select the GigabitEthernet interface index from 1 - 4.
6 rfs7000-37FABE(config)#show spanning-tree mst detail % Bridge up - Spanning Tree Disabled % CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768 % Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20 % 1: CIST Root Id 800000157037fabf % 1: CIST Reg Root Id 800000157037fabf % 1: CIST Bridge Id 800000157037fabf % portfast bpdu-filter disabled % portfast bpdu-guard disabled % portfast portfast errdisable timeout disabled % portfast errdisable timeout interval 300 sec % cisco interopera
6 Syntax: show startup-config {include-factory} Parameters show startup-config {include-factory} startup-config include-factory Displays startup configuration script • include-factory – Optional. Includes factory defaults Example rfs4000-229D58(config)#show startup-config ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.0-036B ! ! version 2.
6 show terminal Parameters None Example rfs7000-37FABE(config)#show terminal Terminal Type: xterm Length: 24 Width: 200 rfs7000-37FABE(config)# timezone show commands Displays a device’s timezone Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, B
6 • Service Platforms — Brocade Mobility RFS9510 Syntax: show upgrade-status {detail|on} show upgrade-status {detail} {(on )} Parameters show upgrade-status {detail} {(on )} upgrade-status Displays last image upgrade status and log detail Optional. Displays last image upgrade status in detail on The following keyword is recursive and common to the ‘detail’ parameter: • on – Optional.
6 • Service Platforms — Brocade Mobility RFS9510 Syntax: show version {on } Parameters show version {on } version {on } Displays software and hardware versions on all devices or a specified device • on – Optional. Displays software and hardware versions on a specified device • – Specify the name of the AP, wireless controller, or service platform. Example rfs4000-229D58(config)#show version Brocade Mobility RFS4000 version 5.5.0.
6 stats Displays virtual router statistics <1-255> The following keyword is common to all of the above parameters: • <1-255> – Optional. Displays information for a specified Virtual Router. Specify the router's ID from 1 -255. on The following keyword is recursive and common to the ‘<1-255>’ parameter: • on – Optional. Displays specified router information on a specified device – Specify the name of the AP, wireless controller, or service platform.
6 Parameters show what [contain|is] {on } contain Searches on all the items that contain a specified word • – Specify a word to search (for example, MAC address, hostname etc.). is Searches on an exact match • – Specify a word to search (for example, MAC address, hostname etc.). on Optional.
6 Syntax: show wireless [br|client|meshpoint|mobility-database|radio|regulatory|rf-domain| sensor-server|unsanctioned|wips|wlan] show show show show wireless br {configured|detail|load-balancing|on } wireless br {configured} wireless br {detail} {} {(on )} wireless br {load-balancing} {client-capability|events|neighbors} {(on )} show wireless client {association-history|detail|filter|on | statistics|tspec} show wireless
6 show wireless radio {statistics} {detail|window-data} {} {<1-3>| filter } {(on )} show wireless radio {tspec} {|filter|on |option} show wireless radio {wlan-map} {on } show wireless regulatory [channel-info |country-code |device-type] show wireless regulatory device-type [br650|br6511|br1220|br7131|br71xx|rfs4000|rfs6000|rfs7000] show wireless rf-domain statistics {detail} {(on
6 load-balancing {client-capability| events|neighbors} on Optional. Displays load balancing status. Use additional filters to view specific details. • client-capability – Optional. Displays client band capability • events – Optional. Displays client events • neighbors – Optional. Displays neighboring clients The following keyword is recursive and common to the ‘client-capability’, ‘events’, and ‘neighbors’ parameters: on – Optional.
6 Optional. Filters clients based on their state data-ready – Selects wireless clients in the data-ready state not [data-ready|roaming] – Inverts match selection. Selects wireless clients neither ready nor roaming Roaming – Selects roaming clients filter state [data-ready| not [data-ready| roaming]| roaming] • • • on The following keyword is common to the ‘ready’, ‘not’, and ‘roaming’ parameters: • on – Optional.
6 show wireless meshpoint {config} {filter [device |rf-domain ]} wireless Displays wireless configuration parameters meshpoint Displays meshpoint related information config Optional. Displays all meshpoint configuration filters [device | Optional. Provides additional filter options, such as device name and RF Domain name.
6 [| detail|statistics {rf}] Select one of the following parameter to view neighbor related information • – Displays detailed multicast information for a specified meshpoint. Specify the meshpoint name. • detail – Displays detailed multicast information for all meshpoints • statistics – Displays neighbors related statistics • rf – Optional.
6 filter on Optional. Provides additional filters – Optional. Filters based on the radio MAC address • Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain. • – Specify the name of the AP, wireless controller, service platform, or RF Domain.
6 show wireless radio {tspec} {|filter|on | option} wireless Displays wireless configuration parameters radio Displays radio operation status and other related information tspec Optional.Displays TSPEC information on a radio Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format. filter on Optional.
6 show wireless sensor-server {on } wireless sensor- server {on } Displays wireless configuration parameters Displays AirDefense sensor server configuration details on – Optional.
6 device Optional. Filters WLAN information based on the device name • – Specify the device name. rf-domain Optional. Filters WLAN information based on the RF Domain • – Specify the RF Domain name. show wlan {statistics {|detail} {(on )} wireless Displays wireless configuration parameters wlan Displays WLAN related information based on the parameters passed statistics {|detail} Optional.
6 The above output can be customized, using the customize > show-wireless-client command, as follows: rfs7000-37FABE(config)#customize show-wireless-client mac ip vendor vlan radio-id state wlan location radio-alias radio-type rfs7000-37FABE(config)#commit rfs7000-37FABE(config)#show wireless client ---------------------------------------------------------------------------------------------------------------------------------------------------------------MAC IP VENDOR VLAN RADIO-ID STATE WLAN AP-LOCATION R
6 bs Bahamas bh Bahrain bb Barbados by Belarus be Belgium bm Bermuda .............................................................
6 Configured band ratio 2.4ghz to 5ghz Current band ratio 2.4ghz to 5ghz Average 2.4ghz channel load in neighborhood Average 5ghz channel load in neighborhood Load on this AP's 2.
6 Group-Addr Subscriber Name Subscriber MPID Timeout (mSecs) ------------------------------------------------------------------------------01-00-5E-01-01-01 ap6532-000001 00-23-68-2E-64-B2 N/A ------------------------------------------------------------------------------Total number of meshpoint displayed: 1 ap6532-000001# ap6532-000001#show wireless meshpoint neighbor detail Neighbors @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2] -------------------------------------------------------------
6 ------------------------------------------------------------------------------01-00-5E-01-01-01 ap6532-000001 00-23-68-2E-64-B2 -1 ------------------------------------------------------------------------------Total number of meshpoint displayed: 1 ap6532-000001# ap6532-000001#show wireless meshpoint path detail Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2] ---------------------------------------------------------------------------------------------------------------------------------
6 Total number of clients displayed: 2 rfs4000-22A24E# wwan show commands Displays wireless WAN status Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: show wwan [con
6 +------------------------------------------| Access Port Name : None | User Name : None +------------------------------------------rfs7000-37FABE(config)# smart-cache show commands Displays details on the cached entry for a specific URL or all URLs NOTE Smart content caching is a licensed feature and can be enabled only if a license is procured and applied to the device. For more information, see smart-cache-policy.
6 nx4500-5CFA2B> nx4500-5CFA2B(config)#show smart-cache statistics content-type ---------------------------------------------------------------------------------------------------------------------------DURATION | VIDEO (KB) | AUDIO (KB) | IMAGE (KB) | TEXT (KB) | OTHERS (KB) | TOTAL CACHE | TOTAL CACHE | TOTAL CACHE | TOTAL CACHE | TOTAL CACHE ---------------|----------|----------|----------|----------|----------|---------|----------|----------|----------|---------Since boot | 0| 0| 0| 0| 0| 0| 0| 0| 0| 0
6 show virtual-machine [configuration|statistics] {|team-urc|team-rls| team-vowlan} {(on )} configuration Displays detailed VM configuration statistics Displays VM statistics [| team-urc|team-rls| team-vowlan] • on The following keywords are common to the ‘configuration’ and ‘statistics’ parameters: – Optional. Displays VM configuration or statistics for the virtual machine identified by the keyword. Specify the VM name.
6 Example nx4500-5CFA2B#show virtual-machine configuration team-urc VM: team-urc autostart : start bootloader : /usr/bin/pygrub cpus : ["3","2"] disk : file:/vms/moto/team-centro/disk,xvda,w maxmem : 3584 MB maxvcpus : 2 memory : 1200 MB name : team-urc on_crash : coredump-restart on_poweroff : destroy on_reboot : restart serial : pty tty : /dev/pts/1 uuid : b80f8e19-a1f6-02c9-cbbc-10c1aeb0a170 vcpus : 1 vif : bridge=vm2br, mac=B4:C7:99:5C:FA:2F, script=vif-bridge, type=bridge : bridge=brpriv, mac=00:16:3e:
Chapter 7 PROFILES Profiles enable administrators to assign a common set of configuration parameters, policies, WLANs, wireless parameters, and security parameters to service platforms, wireless controllers, and access points across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support. The service platforms, wireless controllers, and access points support both default and user-defined profiles.
7 Although profiles assign a common set of configuration parameters across devices, individual devices can still be assigned unique configuration parameters that follow the flat configuration model. As individual device updates are made, these devices no longer share the profile based configuration they originally supported. Therefore, changes made to a profile are not automatically inherited by devices who have had their configuration customized.
7 controller critical-resource crypto device-upgrade dot1x dscp-mapping email-notification enforce-version environmental-sensor events export floor gre http-analyze interface ip l2tpv3 l3e-lite-table led led-timeout legacy-auto-downgrade legacy-auto-update lldp load-balancing logging mac-address-table mac-auth memory-profile meshpoint-device meshpoint-monitor-interval min-misconfiguration-recovery-time mint misconfiguration-recovery-time neighbor-inactivity-timeout neighbor-info-interval no noc ntp power
7 vlan traffic Configure device-level radius authentication parameters RAID RF Domain Manager Dynamic routing PCI expansion Slot Spanning tree Tunnel Controller group this controller belongs to Set setting to use VRRP configuration Enable support for 802.
7 TABLE 5 Profile-Config Commands Command Description Reference bridge Configures bridge specific parameters page 7-557 captive-portal configures captive portal advanced Web page upload on a device profile page 7-572 cdp Enables Cisco Discovery Protocol (CDP) on a device page 7-573 cluster Configures a cluster name page 7-574 configuration-persist ence Enables persistence of configuration across reloads page 7-576 controller Configures a wireless controller or service platform page 7-5
7 TABLE 5 Profile-Config Commands Command Description Reference meshpoint-device Configures a meshpoint device parameters page 770 meshpoint-monitor-i nterval Configures meshpoint monitoring interval page 770 min-misconfiguratio n-recovery-time Configures the minimum device connectivity verification time page 771 mint Configures MiNT protocol page 7-772 misconfiguration-rec overy-time Verifies device connectivity after a configuration is received page 7-775 neighbor-inactivity-ti meout
7 adopter-auto-provisioning-policy-lookup Profile Config Commands Enables the use of a centralized auto provisioning policy on this profile or device When applied on devices adopted by a controller, this profile allows the devices to use a centralized auto provisioning policy.
7 Related Commands: no Removes the use of centralized auto provisioning policy on this profile or device alias Profile Config Commands Configures network, VLAN, and service aliases. The aliases defined on this profile applies to all devices using this profile. Aliases can be also defined at the device level. NOTE You can apply overrides to aliases at the device level. For more information on aliases, see alias. Overrides applied at the device level take precedence.
7 alias vlan <1-4094> Parameters alias address-range to address-range Creates a new address-range alias for this profile. Or associates an existing address-range alias with this profile. An address-range alias maps a name to a range of IP addresses. • – Specify the address range alias name. Alias name should begin with ‘$’.
7 host {} Associates a single or multiple hosts with this network-group alias • – Specify the hosts’ IP address. • – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured. network {} Associates a single or multiple networks with this network-group alias • – Specify the network’s address and mask. • – Optional. Specifies more than one network.
7 After specifying the protocol, you may configure a destination port for this service. These keywords are {(<1-65535>|| recursive and you can configure multiple protocols and associate multiple destination and source ports. bgp|dns|ftp|ftp-data| gopher|https|ldap|nntp| • <1-65535> – Optional. Configures a destination port number from 1 - 65535 ntp|pop3|proto|sip|smtp| • – Optional. Identifies the destination port by the service name provided.
7 rfs4000-229D58(config)#show context ! ! Configuration of Brocade Mobility RFS4000 version 5.5.0.0-053B ! ! version 2.3 ! ! alias network-group $TestNetGrpAlias network 192.168.13.0/24 192.168.16.0/24 alias network-group $TestNetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25 ! alias network $TestNetworkAlias 192.168.13.0/24 ! alias host $TestHostAlias 192.168.13.10 ! alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.
7 area Profile Config Commands Sets the system’s area of location (the area name) Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: area Parameters area
7 arp Profile Config Commands Adds a static Address Resolution Protocol (ARP) IP address in the ARP cache The ARP protocol maps an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, ARP finds a physical host or MAC address that matches the IP address.
7 serial <1-4> <1-1> <1-1> {dhcp-server|router} Configures the static ARP entry for serial interface • <1-4> – Specify the Slot ID • <1-1> – Specify the port ID. • <1-1> – Specify the Channel group ID. The following keywords are common to all off the above interface types: dhcp-server – Optional. Sets ARP entries for a DHCP server router – Optional. Sets ARP entries for a router • • arp timeout <15-86400> arp timeout <15-86400> Sets ARP entry timeout
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — , Brocade Mobility RFS9510 Syntax: auto-learn-staging-config Parameters None Example rfs7000-37FABE(config-profile-default-rfs7000)#auto-learn-staging-config rfs7000-37FABE(config-profile-default-rfs7000)# Related Commands: no Disables automatic recognition of devices pending adoption autogen-uniqueid Profile Config Commands Autogenerates a unique ID for devices using this profi
7 • Service Platforms — Brocade Mobility RFS9510 Syntax: autogen-uniqueid Parameters autogen-uniqueid autogen-uniqueid Autogenerates a device’s unique ID (not exceeding 64 characters in length) The ID generated is a combination of the text provided and the substitution token $SN or $MiNT-ID. Where ever the autogen-uniqueid is used the device’s serial number OR MiNT-ID is referenced depending on the substitution token used.
7 Related Commands: no When executed in the device configuration mode, removes the device’s autogen-uniqueid. When executed in the profile configuration mode, removes the autogen-uniqueid on all devices using the profile. autoinstall Profile Config Commands Automatically installs firmware image and configuration parameters on to the selected device.
7 crypto ikev2 remote-vpn crypto auto-ipsec-secure interface me1 interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust --More-rfs7000-37FABE(config-profile-default-rfs7000)# Related Commands: no Disables the auto install settings bridge Profile Config Commands The following table summarizes Ethernet bridge configuration commands.
7 the systems that are not using the same VLAN ID. Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device, which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate port(s).
7 interface [| pppoe1| vlan <1-4094>| wwan1] Selects one of the following as the primary interface (between the source and destination points): • – A router interface. Specify interface name. • pppoe1 – A PPP over Ethernet interface • vlan <1-4094> – A VLAN interface. Specify the VLAN interface index from 1 - 4094.
7 rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)# bridge-vlan-mode commands bridge The following table summarizes bridge VLAN configuration mode commands.
7 Syntax: bridging-mode [auto|isolated-tunnel|local|tunnel] Parameters bridging-mode [auto|isolated-tunnel|local|tunnel] bridging-mode Configures the VLAN bridging modes auto Automatically selects the bridging mode to match the WLAN, VLAN and bridging mode configurations (default setting) isolated-tunnel Bridges packets between local Ethernet ports and local radios, and passes tunneled packets through without de-tunneling Select this option for a dedicated tunnel for bridging VLAN traffic.
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — , Brocade Mobility RFS9510 Syntax: description Parameters description description Configures a description for this VLAN bridge • – Specify VLAN description. The description should be unique to the VLAN’s specific configuration to help differentiate it from other VLANs with similar configurations.
7 Example rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#edge-vlan rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)# Related Commands: no Disables the edge VLAN mode firewall bridge-vlan-mode commands Enables firewall on this VLAN interface. This feature is enabled by default.
7 ip [arp|dhcp] trust ip igmp snooping {forward-unknown-multicast|mrouter|querier} ip igmp snooping {forward-unknown-multicast} ip igmp snooping {mrouter [interface|learn]} ip igmp snooping {mrouter [interface |learn pim-dvmrp]} ip igmp {querier} {address|max-response-time|timer|version} ip igmp snooping {querier} {address |max-response-time <1-25>| timer expiry <60-300>|version <1-3>} Parameters ip [arp|dhcp] trust ip Configures the VLAN bridge IP parameters arp trust Configures the
7 ip igmp snooping {querier} {address |max-response-time <1-25>| timer expiry <60-300>|version <1-3>} ip Configures the VLAN bridge IP parameters igmp snooping Configures the IGMP snooping parameters querier Optional. Configures the IGMP querier parameters Enables IGMP querier. IGMP snoop querier keeps host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present.
7 ip igmp snooping querier max-response-time 24 ip igmp snooping querier timer expiry 100 ip igmp snooping mrouter interface ge2 ge1 rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)# Related Commands: no Disables or reverts the VLAN Ethernet bridge parameters l2-tunnel-broadcast-optimization bridge-vlan-mode commands Enables broadcast optimization on this VLAN interface. Enabling this feature aids in the identification of each incoming packet. This feature is disabled by default.
7 no bridge-vlan-mode commands Negates a command or reverts settings to their default. The no command, when used in the bridge VLAN mode, negates the VLAN bridge settings or reverts them to their default.
7 no tunnel-over-level12 Disables extended VLAN traffic over level 2 MiNT links no stateful-packet-inspection-12 Disables stateful packet inspection in the layer 2 firewall no ip [arp|dhcp] trust no ip Negates or reverts VLAN bridge IP settings arp trust Disables the trust of ARP responses on the VLAN dhcp trust Disables the trust of DHCP responses on the VLAN no ip igmp snooping {forward-unknown-multicast} no ip Negates or reverts the VLAN bridge IP settings igmp snooping Negates or reverts th
7 Example rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#no rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#no snooping mrouter interface ge1 rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#no snooping mrouter learn pim-dvmrp rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#no snooping querier max-response-time rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#no snooping querier version description ip igmp ip igmp ip igmp ip igmp rfs7000-37FA
7 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: stateful-packet-inspection-l2 Parameters None Example rfs7000-37FABE(config-profile default-rfs7000-bridge-vlan-1)#
7 rfs7000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#no tunnel unknown-unicast rfs7000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#show context bridge vlan 1 ip igmp snooping ip igmp snooping querier no tunnel unknown-unicast rfs7000-37FABE(config-profile TestAP81xx-bridge-vlan-1)# Related Commands: no Disables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge tunnel-over-level2 bridge-vlan-mode commands Enables extended VLAN (tunneled VLAN) traffic over lev
7 Related Commands: no Disables extended VLAN traffic over level 2 MiNT links use bridge-vlan-mode commands Uses pre configured access lists with this bridge policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Serv
7 Configures captive portal advanced Web page uploads on this profile. These Web pages are uploaded to access points supporting the captive portal. A captive portal is a means of providing guests temporary and restrictive access to the controller managed wireless network. A captive portal provides secure authenticated controller access by capturing and re-directing a wireless user’s Web browser session to a captive portal login page, where the user must enter valid credentials.
7 cdp [holdtime <10-1800>|run|timer <5-900>] Parameters cdp [holdtime <10-1800>|run|timer <5-900>] holdtime <10-1800> Specifies the holdtime after which transmitted packets are discarded • <10-1800> – Specify a value from 10 - 1800 seconds. The default is 180 seconds. run Enables/disables CDP sniffing and transmit globally. This feature is enabled by default. timer <5-900> Specifies time between advertisements • <5-900> – Specify a value from 5 - 900 seconds. The default is 60 seconds.
7 cluster [force-configured-state|force-configured-state-delay|handle-stp| master-priority|member|mode|name] cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp| master-priority <1-255>] cluster member [ip|vlan] cluster member [ip {level [1|2]}|vlan <1-4094>] cluster mode [active|standby] cluster name Parameters cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp| master-priority <1-255>] force-configured-state Forces adopted AP
7 cluster mode [active|standby] mode [active|standby] Configures cluster member’s mode as active or standby • active – Configures cluster mode as active. This is the default setting. • standby – Configures cluster mode as standby A member can be in either an Active or Standby mode. All active member controllers can adopt access points. Standby members only adopt access points when an active member has failed or sees an access point not adopted by a controller.
7 configuration-persistence {secure} secure Optional. Ensures parts of a file that contain security information are not written during a reload Example rfs7000-37FABE(config-profile-default-rfs7000)#configuration-persistence secure rfs7000-37FABE(config-profile-default-rfs7000)#show context profile rfs7000 default-rfs7000 bridge vlan 1 no edge-vlan ip igmp snooping no ip igmp snooping unknown-multicast-fwd no ip igmp snooping mrouter learn pim-dvmrp autoinstall configuration autoinstall firmware .........
7 controller [adopted-devices|adoption|group|hello-interval|vlan|host] controller adopted-devices [aps|controllers] controller adopted-devices [aps {controllers}|controllers {aps}] controller adoption controller [group |vlan <1-4094>] controller hello-interval <1-120> adjacency-hold-time <2-600> controller host [|] {ipsec-secure|level|pool|remote-vpn-client} controller host [|] {level [1|2]|pool <1-2> level [1|2]} {(ipsec-secure {gw})} controller host [
7 controller host [|] {level [1|2]|pool <1-2> level [1|2]} {(ipsec-secure {gw})} controller Configures the WLAN’s controller settings host [|] Configures wireless controller or service platform’s IP address or name • – Configures wireless controller or service platform’s IP address • – Configures wireless controller or service platform’s name level [1|2] The following keywords are common to the ‘IP’ and ‘hostname’ parameters: Optional.
7 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p use firewall-policy default controller host 1.2.3.4 pool 2 controller group test service pm sys-restart rfs4000-229D58(config-profile-testBrocade Mobility RFS4000)#controller adopted-devices aps controllers rfs4000-229D58(config-profile-testBrocade Mobility RFS4000)#show context profile rfs4000 testBrocade Mobility RFS4000 autoinstall configuration .....................................................
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: critical-resource [|monitor] critical-resource monitor [direct|via] critical-resource monitor direct [all|any] {| arp-only vlan <1-4094> {|port [|ge <1-4>|port-channel <1-2>]}} critical-resource monitor via [|
7 critical-resource monitor via [|| pppoe1|vlan <1-4094>|wwan1] [all|any] {|arp-only [vlan <1-4094>] {}} Specify the critical resource name monitor Monitors configured critical resource(s) via Specifies the interface or next-hop via which the ICMP pings should be sent. Configures the interface or next-hop via which ICMP pings are sent. This does not apply to IP addresses configured for arp-only.
7 crypto Profile Config Commands Use the crypto command to define a system-level local ID for Internet Security Association and Key Management Protocol (ISAKMP) negotiation and to enter the ISAKMP policy, ISAKMP client, or ISAKMP peer command set. The following table summarizes crypto configuration commands.
7 • Service Platforms — Brocade Mobility RFS9510 Syntax: crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec| load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client] crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management] crypto ike-version [ikev1-only|ikev2-only] crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>| peer |policy |remote-vpn] crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepaliv
7 crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>| peer |policy |remote-vpn] ikev1 Configures the IKEv1 parameters dpd-keepalive <10-3600> Sets the global Dead Peer Detection (DPD) interval from 10 - 3600 seconds dpd-retries <1-1000> Sets the global DPD retries count from 1- 1000 nat-keepalive <10-3600> Sets the global NAT keepalive interval from 10 - 3600 seconds peer Specify the Name/Identifier for the IKEv1 peer.
7 security-association Configures the IPSec SAs parameters lifetime [kilobyte |seconds] Defines the IPSec SAs lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds, which ever limit is reached first, ends the SA. When the SA lifetime ends it is renegotiated as a security measure. • kilobytes – Specifies a volume-based key duration (minimum is 500 KB and maximum is 2147483646 KB) • <500-2147483646> – Specify a value from 500 - 2147483646 KB.
7 crl Imports a Certificate Revocation List (CRL). Imports a trustpoint including either a private key and server certificate or a CA certificate or both • – Specify the trustpoint name.
7 rfs7000-37FABE(config-profile-default-rfs7000)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac rfs7000-37FABE(config-profile-default-rfs7000-transform-set-tag1)#? Crypto Ipsec Configuration commands: mode Encapsulation mode (transport/tunnel) no Negate a command or set its defaults clrscr commit end exit help revert service show write Clears the display screen Commit all changes made in this session End current mode and change to EXEC mode End current mode and down to previous mode Description of t
7 clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)# The following table summarizes the crypto
7 groupid [psk [0 |2 |]|rsa] Specify a string up to 64 characters. This is the group identity used for IKE exchange for auto IPSec secure peers. After providing a group ID, specify the authentication method used to authenticate peers on the auto IPSec secure tunnel. The options are: psk and rsa.
7 ip nat crypto ip nat crypto Enables unique identification of APs and the hosts present in each AP’s subnet Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address. Further, the same subnet exists behind these APs.
7 Example rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-auto-ipsec-secure)#ike-lifetime 800 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure ike-lifetime 800 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-auto-ipsec-secure)# ikev2 crypto-auto-ipsec-tunnel commands Enables/disables the forced IKEv2 peer re-authentication In most IPSec tunnel configurations, the lifetime of IKE SAs between peers i
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid} Parameters remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid} remotegw ike-version Configures the IKE version used for initiating auto IPSec tunnel with secure gateways ikev1-aggr Aggregation mode is used by the auto IPSec tunnel initiator to set up the connection ikev1-mai
7 Syntax: no [groupid|ike-lifetime|ikev2|ip] Parameters no [groupid|ike-lifetime|ikev2|ip] groupid Removes local/remote identity for auto IPSec IKE ike-lifetime Removes the ISAKMP associations’ lifetime period ikev2 Removes the need of peer re-authenticate in case of ike rekey ip nat crypto Disables unique identification of APs behind the NAT router Example The following example shows the Auto IPSec VLAN bridge settings before the ‘no’ command is executed: rfs7000-37FABE(config-profile-default-rfs7
7 crypto-ikev1/ikev2-policy commands crypto Defines crypto-IKEv1/IKEv2 commands in detail IKE protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration. Use the (config) instance to configure IKEv1/IKEv2 policy configuration commands.
7 write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)# NOTE IKEv2 being an improved version of the original IKEv1 design, is recommended in most deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall traversal, attack resistance etc. The following table summarizes crypto IKEv1/iKEv2 commands.
7 dpd-keepalive 11 isakmp-proposal default encryption aes-256 group 2 hash sha rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-testpolicy)# dpd-retries crypto-ikev1/ikev2-policy commands Sets the maximum number of attempts for sending DPD keep alive packets to a peer. Once this value is exceeded, without a response, the VPN tunnel connection is declared dead. This option is available only for the IKEv1 policy.
7 Syntax: isakmp-proposal encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [md5|sha] Parameters isakmp-proposal encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [md5|sha] Specify the name of the ISAKMP proposal encryption [3des|aes| aes-192|aes-256] Configures the encryption level transmitted using the crypto isakmp command • 3des – Configures triple data encryption standard • aes – Configures AES (128 bit keys) • aes-192 – Configures AES (192 bit keys) • aes-256 –
7 Parameters lifetime <600-86400> Specifies how many seconds an IKE SA lasts before it expires. Set a time stamp from 600 - 86400 seconds. • <600-86400> – Specify a value from 600 -8 6400 seconds.
7 dpd-keepalive 11 dpd-retries 10 lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha mode aggressive rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-testpolicy)# no crypto-ikev1/ikev2-policy commands Negates a command or set its defaults Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobilit
7 rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-testpolicy)#no dpd-retries The following example shows the IKEV1 Policy settings after the ‘no’ commands are executed: rfs7000-37FABEconfig-profile-default-rfs7000-ikev1-policy-testpolicy)#show context crypto ikev1 policy testpolicy lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-testpolicy)# crypto-ikev
7 end exit help revert service show write End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)# The following table summarizes crypto IPSec IKEv1/IKEv2 peer configuration commands.
7 rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)# rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#authenticatio n psk 0 moto@123456 rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 authentication psk 0 moto@123456 local authentication psk 0 moto@123456 remote rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)# ip crypto-ikev1/ikev2-peer commands Sets the IP address of the peer device.
7 localid crypto-ikev1/ikev2-peer commands Sets a IKEv1/IKEv2 peer’s local identity credentials Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: localid [address|dn|em
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: remoteid [address |dn |email |fqdn |string ] Parameters remoteid [address |dn |email |fqdn |string
7 • Service Platforms — Brocade Mobility RFS9510 Syntax: use ikev1-policy use ikev2-policy Parameters use ikev1-policy use ikev1-policy Specify the IKEv1 policy name. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations. use ikev2-policy use ikev2-policy Specify the IKEv2 policy name.
7 Parameters no [authentication|ip|localid|remoteid|use] no authentication Removes a IKEv1/IKEv2 peer’s authentication credentials no ip Removes a IKEv1/IKEv2 peer’s IP address / FQDN no localid Removes a IKEv1/IKEv2 peer’s local identity details no remoteid Removes a IKEv1/IKEv2 peer’s remote identity details no use Removes the IKEv1/IKEv2 policy associated with IKEv1/IKEv2 peer respectively Example The following example shows the Crypto IKEV1 peer1 settings before the ‘no’ commands are executed:
7 This section explains crypto map commands in detail. A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort the ordered list). IPSec VPN provides a secure tunnel between two networked peers. Administrators can define which packets are sent within the tunnel, and how they're protected.
7 commit do end exit help revert service show write Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)# The following table summarizes crypto map configuration mode commands.
7 write Write running configuration to memory or terminal rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)# To navigate to the remote VPN client configuration instance, use the following command: In the device-config mode: (config-device-)#crypto map <1-1000> ipsec-isakmp {dynamic} In the profile-config mode: (config-profile-)#crypto map <1-1000> ipsec-isakmp {dynamic} rfs4000-229D58(config-device-00-23-68-22-9D-5
7 Command Description Reference remote-type Configures the remote VPN client type as either None or XAuth. This command is applicable only to the remote VPN client. page 615 security-association Defines this automatic VPN tunnel’s IPSec SA settings. This command is applicable to the site-to-site VPN tunnel and remote VPN client. page 616 transform-set Applies a transform set (encryption and hash algorithms) to the VPN tunnel.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: local-endpoint-ip Parameters local-endpoint-ip local-endpoint-ip Configures the local VPN tunnel’s (site-to-site VPN tunnel or remote VPN
7 Parameters modeconfig [pull|push] modeconfig [pull|push] Configures the mode config method associated with a remote VPN client. The options are: pull and push. The mode (pull or push) defines the method used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push.
7 Remote VPN client: rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#peer 1 ikev1 Re moteIKEv1Peer1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.
7 Remote VPN client: rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#pfs 14 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.
7 security-association crypto-map auto-vpn-tunnel/remote-vpn-client instance Defines the IPSec SA’s (created by this auto site-to-site VPN tunnel or remote VPN client) settings Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS70
7 local-endpoint-ip 192.168.13.10 pfs 5 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)# Remote VPN client: rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-ass ociation lifetime seconds 10000 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.
7 security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.
7 crypto map test 1 ipsec-isakmp use ip-access-list test security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.
7 no pfs Removes the PFS configured for this auto site-to-site VPN tunnel no remote-type Resets the remote VPN client type to default (XAUTH) no security-association Removes the VPN tunnel or remote VPN client’s IPSec SA settings no transform-set Removes the transform set applied to the VPN tunnel or remote VPN client no use Removes IP access list applied to the auto site-to-site VPN tunnel or remote VPN client Example The following example shows the IPSec site-to-site VPN tunnel ‘test’ settings b
7 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)# rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no use ip-access-list rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no peer 1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no transform-set The following example shows the IPSec remote VPN client ‘test’ settings after the ‘no’ commands are executed: rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map t
7 The following table lists the IPSec manual VPN tunnel configuration commands: Command Description Reference local-endpoint-ip Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) page 7-622 mode Sets the tunnel mode page 622 peer Sets the peer device’s IP address page 7-623 security-association Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by a crypto map page 7-624 session-key Defines encryption and authent
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: mode [transport|tunnel] Parameters mode [transport|tunnel] mode [transport|tunnel] Sets the mode of the tunnels for this crypto map transport – Initiates transport mode tunnel – Initiates tunnel mode (default setting) • • Example rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)#mode transport rfs7000-37FABE(config-profile-default-r
7 rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)# security-association crypto-map-ipsec-manual-instance Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by this crypto map Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobi
7 Syntax: session-key [inbound|outbound] [ah|esp] <256-4294967295> session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192| aes-256|des|esp-null]] authenticator [md5|sha] Parameters session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] session-key [inbound|outbound] Defines the manual inbound and outbound security association key parameters ah <
7 Example rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)#session-key inbound esp 273 cipher esp-null authenticator sha 58768979 rfs7000-37FABE(config-profile-default-rfs7000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual peer 172.16.10.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [local-endpoint-ip|mode|peer|security-association|session-key|use] Parameters no [local-endpoint-ip|mode|peer|security-association|session-key|use] no
7 NOTE To configure remote VPN client settings on a device, on the device’s configuration mode, use the crypto > remote-vpn-client command.
7 IKEv2 uses an initial handshake in which VPN peers negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE-SA. Additionally, a first IPsec SA is established during the initial SA creation. All IKEv2 messages are request/response pairs. It is the responsibility of the side sending the request to retransmit if it does not receive a timely response.
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: shutdown Parameters None Example rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-ikev2-remote-vpn-client)# shutdown rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-ikev2-remote-vpn-client)# transform-set crypto-remote-vpn-client commands Specifies the IPSec Transform to use with the remote VPN client.
7 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-crypto-ikev2-remote-vpn-client)# no crypto-remote-vpn-client commands Removes the remote VPN client settings Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 •
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: device-upgrade [add-auto|auto|count|persist-images] device-upgrade add-auto [(ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562| br71xx|br81xx|ap82xx|rf
7 device-upgrade auto {(ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx| br81xx|ap82xx|rfs4000|rfs6000|rfs7000)} device-upgrade auto Enables automatic firmware upgrade on specified device types. When used along with the add-auto command, the auto command allows access points, wireless controllers, and service platforms to automatically upgrade firmware on adopted devices matching the specified device types.
7 interface up1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p --More-rfs4000-229D58(config-profile-default-rfs4000)# Related Commands: no Removes device firmware upgrade settings on this profile Chapter 3, device-upgrade Displays device upgrade details dot1x Profile Config Commands Configures 802.1x standard authentication controls Dot1x (or 802.1x) is an IEEE standard for network authentication.
7 dot1x guest-vlan supplicant guest-vlan Configures guest VLAN and supplicant behavior This feature is disabled by default. supplicant Allows 802.1x capable supplicant to enter guest VLAN. When enabled, this is the VLAN that supplicant’s traffic is bridged on. dot1x use aaa-policy use aaa-policy Associates a specified 802.1x AAA policy with this access point profile – Specify the AAA policy name.
7 Parameters dscp-mapping priority <0-7> Specifies the DSCP value of a received IP packet. This could be a single value or a list. For example, 10-20, 25, 30-35. priority <0-7> Specifies the 802.1p priority to use for a packet if untagged. The priority is set on a scale of 0 - 7.
7 email-notification host sender {username } [password [2 |]] {port <1-65535>} Parameters email-notification recipient recipient Defines the recipient’s e-mail address. A maximum of 6 (six) e-mail addresses can the configured. • – Specify the recipient’s e-mail address (should not exceed 64 characters in length).
7 qos trust dscp qos trust 802.1p use firewall-policy default email-notification recipient test@motorolasolutions.
7 use firewall-policy default enforce-version adoption major enforce-version cluster full service pm sys-restart router ospf rfs7000-37FABE(config-profile-default-rfs7000)# Related Commands: no Disables or reverts settings to their default environmental-sensor Profile Config Commands Configures the environmental sensor settings A Brocade Mobility 1240 Access Point sensor module is a USB environmental sensor extension to a Brocade Mobility 1240 Access Point model access point.
7 environmental-sensor light {holdtime <2-201>|radio-shutdown [all|radio-1|radio-2]} environmental-sensor Configures environmental sensor settings on this profile light Enables (turns on) light sensors and specifies its settings When enabled, the sensor module polls the environment to determine the light intensity. Based on the reading, the system determines whether the Brocade Mobility 1240 Access Point’s deployment location has lights on or off.
7 environmental-sensor light radio-shutdown all no autoinstall configuration no autoinstall firmware device-upgrade persist-images crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn --More-rfs4000-229D58(config-profile-testBrocade Mobility RFS4000)# Related Commands
7 export Profile Config Commands Enables export of startup.
7 Related Commands: no Disables export of startup.
7 gre Profile Config Commands Command Description Reference gre Enables GRE tunneling on a profile/device This command also creates a GRE tunnel and enters its configuration mode. Use this command to modify an existing GRE tunnel’s settings. page 644 gre-config-instance Summarizes GRE tunnel configuration mode commands page 646 gre gre Enables Generic Routing Encapsulation (GRE) tunneling on this profile, and creates a new GRE tunnel or modifies an existing GRE tunnel.
7 gre tunnel gre tunnel Creates a new GRE tunnel or modifies an existing GRE tunnel • – If creating a new tunnel, specify a unique name for it. If modifying an existing tunnel, specify its name.
7 Related Commands: no Disables GRE tunneling on this profile gre-config-instance gre The following table summarizes GRE tunnel configuration mode commands. Command Description Reference dscp Sets the GRE tunnel’s Differentiated Services Code Point (DSCP) / 802.
7 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show co ntext gre tunnel testGRETunnel dscp 20 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)# The following example configures a GRE tunnel on a profile: nx4500-5CFA2B(config-profile testNX45XX-gre-tunnel-testGRETunnel)#dscp 20 nx4500-5CFA2B(config-profile testNX45XX-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel dscp 20 nx4500-5CFA2B(config-profile testNX45XX-gre-tunnel-testGRETunnel)# Re
7 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)# Related Commands: no Removes the GRE tunnel settings based on the parameters passed native gre-config-instance Configures native trunking settings for this GRE tunnel Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Acc
7 vlan 1 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show co ntext gre tunnel testGRETunnel native tagged dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)# Related Commands: no Removes the GRE tunnel settings based on the parameters passed no gre-config-instance Removes the GRE tunnel settings based on the parameters passed Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point,
7 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no native vlan rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no tunneled-vlan rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no failover The following example shows the GRE tunnel ‘testGRETunnel’ settings after the no commands are executed: rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel peer 1 ip 192.168.13.
7 Example rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#peer 1 ip 192.168.13.6 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show co ntext gre tunnel testGRETunnel peer 1 ip 192.168.13.
7 dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)# Related Commands: no Removes the GRE tunnel settings based on the parameters passed http-analyze Profile Config Commands Enables HTTP analysis on this profile. Use this command to configure the mode and interval at which data is sent to the controller (running the HTTP analytics engine). In the Mobility 5.
7 ip igmp snooping ip igmp snooping querier autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha ..................................................................... qos trust 802.
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: Service Platforms interface [|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1| radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|vmif <1-8>|wwan1| xge <1-4>] Syntax: Access Points and Wireless Controllers interface [|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|pppoe1| radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge
7 Usage Guidelines: The ports available on a device vary depending on the model. The following ports are available on Brocade Mobility RFS4000, Brocade Mobility RFS6000 and Brocade Mobility RFS7000 model wireless controllers: Brocade Mobility RFS4000 - ge1, ge2, ge3, ge4, ge5, up1 Brocade Mobility RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1 Brocade Mobility RFS7000 - ge1, ge2, ge3, ge4, me1 The ports available on service platforms also vary depending on the model.
7 ip no qos switchport use Internet Protocol (IP) Negate a command or set its defaults Quality of service Set switching mode characteristics Set setting to use clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write r
7 use Set setting to use clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)# The following table summarizes the
7 cdp interface-config-instance Enables CDP on the selected GE port Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: cdp [receive|transmit] Parameters cdp [receive|tr
7 Example rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#channel-group 1 rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#show context interface ge1 ip dhcp trust qos trust dscp qos trust 802.
7 Related Commands: no Removes the interface description dot1x (authenticator) interface-config-instance Configures 802.1X authenticator settings Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication.
7 host-mode [multi-host|single-host] Configures the host mode for this interface • multi-host – Configures multiple host mode • single-host – Configures single host mode. This is the default setting. max-reauth-req <1-10> Configures maximum number of reauthorization retries for the supplicant. This is the maximum number of reauthentication attempts made before this port is moved to unauthorized. • <1-10> – Specify a value from 1 -10. The default is 2.
7 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: dot1x supplicant username password [0 |2 |] Parameters dot1x supplicant username password [0 |2 |] dot1x
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: duplex [auto|half|full] Parameters duplex [auto|half|full] auto Enables automatic duplexity on an interface port. The port automatically detects whether it should run in full or half-duplex mode. (default setting) half Sets the port to half-duplex mode.
7 Parameters ip [arp [header-mismatch-validation|trust]|dhcp trust] arp [header-mismatch-validati on|trust] Sets ARP for packets on this interface • header-mismatch-validation – Verifies mismatch for source MAC address in the ARP header and Ethernet header • trust – Sets the ARP trust state for ARP responses on this interface dhcp trust Uses a DHCP client to obtain an IP address for the interface (this enables DHCP on a layer 3 SVI) • trust – Sets the DHCP trust state for DHXP responses on this interface
7 Example rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#lldp transmit Related Commands: no Disables or reverts interface settings to their default mac-auth interface-config-instance Enables authentication of MAC addresses on the selected wired port. Devices using this profile will be able be to authenticate the MAC addresses of devices connecting to this GE interface When enabled, this feature authenticates the source MAC address of a device, connecting to this interface, with a RADIUS server.
7 Related Commands: no Disables authentication of MAC addresses on the selected wired port no interface-config-instance Negates a command or sets its defaults Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Pl
7 shutdown Disables the selected interface spanning-tree Configures spanning tree parameters speed Specifies the speed of a FastEthernet or GigabitEthernet port switchport Sets the interface switching mode characteristics use Defines the settings to use with this command write Writes information to the memory or terminal power interface-config-instance Configures PoE settings on this interface Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mob
7 Related Commands: no Removes PoE settings on this interface qos interface-config-instance Defines Quality of Service (QoS) settings on this interface Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms
7 Shuts down (disables) an interface. The interface is administratively enabled unless explicitly disabled using this command.
7 Parameters spanning-tree [edgeport|force-version|guard root|portfast] edgeport Enables an interface as an edge port force-version <0-3> Specifies the spanning tree force version. A version identifier of less than 2 enforces the spanning tree protocol.
7 rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#spanning-tree force-version 1 rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#spanning-tree guard root rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#spanning-tree mst 2 port-priority 10 rfs7000-37FABE(config-profile-default-rfs7000-if-ge1)#show context interface ge1 description This\ is\ GigabitEthernet\ interface\ for\ Royal\ King duplex full spanning-tree bpduguard enable spanning-tree bpdufilter disable spanning-tree force-version 1 sp
7 Set the interface speed to auto detect and use the fastest speed available. Speed detection is based on connected network hardware.
7 switchport mode [access|trunk] mode [access|trunk] Sets the interface mode to access or trunk (can only be used on physical - layer 2 - interfaces) • access – If access mode is selected, the access VLAN is automatically set to VLAN1. In this mode, only untagged packets in the access VLAN (vlan1) are accepted on this port. All tagged packets are discarded. • trunk – If trunk mode is selected, tagged VLAN packets are accepted. The native VLAN is automatically set to VLAN1.
7 spanning-tree force-version 1 spanning-tree guard root spanning-tree mst 2 port-priority 10 dot1x supplicant username Bob password 0 motorolasolutions@123 ip dhcp trust ip arp header-mismatch-validation qos trust dscp qos trust 802.
7 switchport mode access switchport access vlan 1 use ip-access-list in test use mac-access-list in test spanning-tree bpduguard enable spanning-tree bpdufilter disable spanning-tree force-version 1 spanning-tree guard root spanning-tree mst 2 port-priority 10 dot1x supplicant username Bob password 0 motorolasolutions@123 ip dhcp trust ip arp header-mismatch-validation qos trust dscp qos trust 802.
7 write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-if-vlan8)# The following table summarizes interface VLAN configuration commands.
7 crypto map map Attaches a crypto map to the selected VLAN interface. The crypto map should be existing and configured. • – Specify the crypto map name.
7 dhcp-relay-incoming interface-config-vlan-instance Allows an onboard DHCP server to respond to relayed DHCP packets Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax:
7 ip address [|dhcp|zerconf] ip address [ {secondary}|zeroconf {secondary}] ip dhcp client request options all ip nat [inside|outside] ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority ] ip ip ip ip ospf ospf ospf ospf authentication [message-digest|null|simple-password] authentication-key simple-password [0 |2 ] [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>] message-digest-key key-id <1-255> md5 [0 |2 ] Parameters ip helpe
7 ip ospf authentication-key simple-password [0 |2 ] ospf authentication-key Configures an authentication key simple-password [0 |2 ] Configures an authentication key for simple password authentication • 0 – Configures clear text key • 2 – Configures encrypted key ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>] bandwidth <1-10000000> Configures bandwidth for the physical port mapped to this layer 3 interface • <1-10000000> – Specify the bandwidth f
7 Negates a command or reverts to defaults. The no command, when used in the Config Interface VLAN mode, negates VLAN interface settings or reverts them to their default.
7 no ip address [helper-address |nat] no ip address Removes or reverts interface IP settings • address – Removes IP addresses configured for this interface, depending on the options used while setting the address helper-address Disables the forwarding of DHCP and BOOTP packets to the configured helper IP address • – Specify the IP address of the DHCP or BOOTP server.
7 rfs7000-37FABE(config-profile-default-rfs7000-if-vlan8)#no dhcp-relay-incoming rfs7000-37FABE(config-profile-default-rfs7000-if-vlan8)#no ip dhcp client request options all The following example shows the VLAN interface settings after the ‘no’ commands are executed: rfs7000-37FABE(config-profile-default-rfs7000-if-vlan8)#show context interface vlan8 ip address 10.0.0.1/8 ip helper-address 172.16.10.
7 Related Commands: no Disables or reverts interface VLAN settings to their default use interface-config-vlan-instance Specifies an IP access list to use with this VLAN interface Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility R
7 The access point radio interface can be radio1, radio2 or radio3. Legacy Brocade Mobility 71XX Access Point models contain either a single or a dual radio configuration. Newer Brocade Mobility 71XX Access PointN model access points support single, dual or triple radio configurations. An Brocade Mobility 650 Access Point model access point is available in either single or dual radio models. The remainder of the access point portfolio are dual-radio models.
7 radio-share-mode rate-selection remove-override rf-mode rifs rts-threshold shutdown sniffer-redirect stbc use wireless-client wlan Configure the radio-share mode of operation for this radio Default or Opportunistic rate selection Negate a command or set its defaults Configure the rf-mode of operation for this radio Configure Reduced Interframe Spacing (RIFS) parameters Configure the RTS threshold Shutdown the selected radio interface Capture packets and redirect to an IP address running a packet capture/
7 Commands Description Reference ldpc Enables support for Low Density Parity Check (LDPC) on the radio interface page 705 lock-rf-mode Retains user configured RF mode settings for the selected radio page 706 max-clients Configures the maximum number of wireless clients allowed to associate with this radio page 707 mesh Configures radio mesh parameters page 708 meshpoint Maps an existing meshpoint to this radio interface page 709 no Negates or resets radio interface settings configures on
7 Parameters aeroscout [forward|mac ] forward Enables Aeroscout multicast packet forwarding mac Configures the multicast MAC address to forward the packets • – Specify the MAC address in the AA-BB-CC-DD-EE-FF format.
7 tx-only Supports the transmission of AMPDU aggregated frames only rx-only Supports the receipt of AMPDU aggregated frames only tx-rx Supports the transmission and receipt of AMPDU aggregated frames (default setting) none Disables support for AMPDU aggregation aggregation ampdu max-aggr-size rx [8191|16383|32767|65535] aggregation Configures 802.
7 aggregation amsdu [rx-only|tx-rx] aggregation Configures 802.11n frame aggregation parameters amsdu Configures Aggregated MAC Service Data Unit (AMSDU) frame aggregation parameters. AMSDU aggregation collects Ethernet frames addressed to a single destination. But, unlike AMPDU, it wraps all frames in a single 802.11n frame.
7 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)# Related Commands: no Disables fair access for wireless clients (provides access on a round-robin mode) antenna-diversity interface-config-radio-instance Configures transmit antenna diversity for non-11n transmit rates Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default.
7 Syntax: antenna-downtilt Parameters None Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-downtilt rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 antenna-gain 12.
7 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-gain 12.0 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 antenna-gain 12.
7 interface radio1 antenna-gain 12.0 aggregation ampdu tx-only aeroscout forward antenna-mode 2x2 antenna-diversity airtime-fairness prefer-ht weight 6 antenna-downtilt rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)# Related Commands: no Resets the radio antenna mode (the number of transmit and receive antennas) to its default beacon interface-config-radio-instance Configures radio beacon parameters A beacon is a packet broadcasted by adopted radios to keep the network synchronized.
7 beacon period [50|100|200] period [50|100|200] Configures the beacon period (the interval between consecutive radio beacons) 50 – Configures 50 K-uSec interval between beacons 100 – Configures 100 K-uSec interval between beacons (default) 200 – Configures 200 K-uSec interval between beacons • • • Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon dtim-period bss 2 20 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon period 50 rfs7000-37FABE(config-profile-71xxTestProf
7 channel [smart|acs|1|2|3|4|-------] smart|acs|1|2|3|4|-------] Configures a radio’s channel of operation. The options are: • smart – Uses Smart RF to assign a channel (uses uniform spectrum spreading if Smart RF is not enabled). This is the default setting.
7 NOTE The MCS-1s and MCS-2s options are available for each supported access point. • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point Syntax: data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default|custom|mcs] data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default] data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1| basic-2|basic-5.
7 data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54||mcs-1s|mcs-2s|mcs-3s|basic-1| basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-3 6| basic-48|basic-54|basic-mcs-1s] custom Configures a list of data rates by specifying each rate individually. Use 'basic-' prefix before a rate to indicate it’s used as a basic rate (For example, 'data-rates custom basic-1 basic-2 5.5 11') • 1 – 1-Mbps • 2 – 2-Mbps • 5.5 – 5.
7 MCS-1Stream Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 20 MHz With SGI 6 1 58.5 65 121.5 135 7 1 65 72.2 135 150 The following table defines the 802.11n MCS for MCS 2 streams, both with and without SGI: MCS-2Stream Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 20 MHz With SGI 0 2 13 14.4 27 30 1 2 26 28.9 54 60 2 2 39 43.4 81 90 3 2 52 57.8 108 120 4 2 78 86.7 162 180 5 2 104 115.
7 MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40 MHz With SGI 80 MHz No SGI 80 MHz No SGI 8 78 86.7 162 180 351 390 9 N/A N/A 180 200 390 433.3 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#data-rates b-only rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 channel 1 data-rates b-only beacon period 50 beacon dtim-period bss 1 5 beacon dtim-period bss 2 2 beacon dtim-period bss 3 5 .........................................
7 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 description Primary\ radio\ to\ use channel 1 data-rates b-only beacon period 50 beacon dtim-period bss 1 5 beacon dtim-period bss 2 2 beacon dtim-period bss 3 5 beacon dtim-period bss 4 5 beacon dtim-period bss 5 5 beacon dtim-period bss 6 5 beacon dtim-period bss 7 5 beacon dtim-period bss 8 5 beacon dtim-period bss 9 5 beacon dtim-period bss 10 5 beacon dtim-period bss 11 5 beacon dtim-period bss 12 5 beacon dtim-per
7 dynamic-chain-selection interface-config-radio-instance Enables automatic antenna mode selection (single antenna for non-11n transmit rates). This option is enabled by default.
7 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#ekahau forward ip 172.16.10.
7 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#extended-range rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 description Primary\ radio\ to\ use channel 1 data-rates b-only beacon period 50 beacon dtim-period bss 1 5 beacon dtim-period bss 2 2 beacon dtim-period bss 3 5 beacon dtim-period bss 4 5 beacon dtim-period bss 5 5 beacon dtim-period bss 6 5 beacon dtim-period bss 7 5 beacon dtim-period bss 8 5 beacon dtim-period bss 9 5 beacon dtim-period
7 Syntax: guard-interval [any|long] Parameters guard-interval [any|long] any Enables the radio to use any short (400nSec) or long (800nSec) guard interval long Enables the use of long guard interval (800nSec). This is the default setting.
7 Syntax: ldpc Parameters None Example rfs4000-229D58(config-profile-Test81XX-if-radio1)#ldpc rfs4000-229D58(config-profile-Test81XX-if-radio1)# rfs4000-229D58(config-profile-Test81XX-if-radio1)#show context interface radio1 ldpc rfs4000-229D58(config-profile-Test81XX-if-radio1)# Related Commands: no Disables LDPC support lock-rf-mode interface-config-radio-instance Retains user configured RF mode settings for the selected radio Supported in the following platforms: • Access Points — Brocade Mobility 6
7 beacon dtim-period bss 11 5 beacon dtim-period bss 12 5 beacon dtim-period bss 13 5 beacon dtim-period bss 14 5 beacon dtim-period bss 15 5 beacon dtim-period bss 16 5 antenna-gain 12.0 guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 beacon dtim-period bss 14 5 beacon dtim-period bss 15 5 beacon dtim-period bss 16 5 antenna-gain 12.0 guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 portal Enables operation as a portal (begins beaconing immediately, accepting connections from other mesh nodes, typically the node with a connection to the wired network) Setting the mesh mode to ‘portal’ turns the radio into a mesh portal. The radio starts beaconing immediately and accepts connections from other mesh nodes.
7 meshpoint {bss <1-16>} meshpoint Maps a meshpoint to this radio. Specify the meshpoint name. bss <1-16> Optional. Specifies the radio’s BSS where this meshpoint is mapped • <1-16> – Specify the BSS number from 1 - 16.
7 data-rates description dfs-rehome dynamic-chain-selection ekahau extended-range guard-interval ldpc lock-rf-mode max-clients mesh meshpoint non-unicast off-channel-scan placement power preamble-short probe-response radio-resource-measurement radio-share-mode rate-selection rf-mode rifs rts-threshold shutdown sniffer-redirect stbc Reset radio data rate configuration to default Reset the description of the radio to its default Stay on dfs elected channel after evacuation period expires Use the configured
7 beacon period 50 beacon dtim-period bss 1 5 beacon dtim-period bss 2 2 beacon dtim-period bss 3 5 beacon dtim-period bss 4 5 beacon dtim-period bss 5 5 beacon dtim-period bss 6 5 beacon dtim-period bss 7 5 beacon dtim-period bss 8 5 beacon dtim-period bss 9 5 beacon dtim-period bss 10 5 beacon dtim-period bss 11 5 beacon dtim-period bss 12 5 beacon dtim-period bss 13 5 beacon dtim-period bss 14 5 beacon dtim-period bss 15 5 beacon dtim-period bss 16 5 antenna-gain 12.
7 non-unicast interface-config-radio-instance Configures the support for non unicast frames on this radio. Enables the forwarding of multicast and broadcast frames by this radio.
7 highest-basic Uses the highest configured basic rate lowest-basic Uses the lowest configured basic rate Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast queue bss 2 3 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast tx-rate bss 1 dynamic-all rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 data-rates b-only mesh client guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 Related Commands: no Resets the handling of non unicast frames to its default off-channel-scan interface-config-radio-instance Enables selected radio’s off channel scanning parameters. This option is disabled by default.
7 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#off-channel-scan channel-list 2.4GHz 1 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 data-rates b-only mesh client off-channel-scan channel-list 2.4GHz 1 guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#placement outdoor rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 data-rates b-only placement outdoor mesh client off-channel-scan channel-list 2.4GHz 1 guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 power [<1-30>|smart] power Configures a radio’s transmit power <1-30> Transmits power in dBm (actual power could be lower based on regulatory restrictions) smart Smart RF determines the optimum transmit power needed Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#power 12 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 power 12 data-rates b-only placement outdoor mesh client off-channel-scan channel-list 2.
7 Parameters None Example rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#preamble-short rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context interface radio1 power 12 data-rates b-only placement outdoor mesh client off-channel-scan channel-list 2.4GHz 1 preamble-short guard-interval long aggregation ampdu tx-only aeroscout forward ekahau forward ip 172.16.10.
7 probe-response retry probe-response Configures transmission parameters for probe response frames retry Retransmits probe response if no acknowledgement is received from the client. This option is enabled by default.
7 rfs4000-229D58(config-device-00-23-68-22-9D-587-if-radio1)# rfs4000-229D58(config-device-00-23-68-22-9D-587-if-radio1)#radio-resource-mea surement max-entries 10 rfs4000-229D58(config-device-00-23-68-22-9D-587-if-radio1)# rfs4000-229D58(config-device-00-23-68-22-9D-587-if-radio1)#show context interface radio1 radio-resource-measurement max-entries 10 radio-resource-measurement attenuation-threshold 20 rfs4000-229D58(config-device-00-23-68-22-9D-587-if-radio1)# Related Commands: no Disables 802.
7 mesh client off-channel-scan channel-list 2.4GHz 1 preamble-short guard-interval long .........................................................
7 Related Commands: no Resets the rate selection mode to standard (monotonic) remove-override interface-config-radio-instance Removes the radio’s channel of operation Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point Syntax: remove-override channel Parameters remove-override channel remove-override channel Removes the rad
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point Syntax: rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|client-bridge|scan-ahead|sensor] Parameters rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|client-bridge|scan-ahead|sensor] rf-mode Configures the radio’s RF mode of operation 2.4GHz-wlan Provides WLAN service in the 2.4 GHz bandwidth 4.
7 Related Commands: no Resets the radio’s RF mode of operation data-rates Configures the 802.11 data rates on this radio rifs interface-config-radio-instance Configures Reduced Interframe Spacing (RIFS) parameters on this radio This value determines whether interframe spacing is applied to access point transmitted or received packets, both, or none.
7 non-unicast tx-rate bss 9 highest-basic non-unicast tx-rate bss 10 highest-basic non-unicast tx-rate bss 11 highest-basic non-unicast tx-rate bss 12 highest-basic non-unicast tx-rate bss 13 highest-basic --More-rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)# Related Commands: no Disables radio’s RIFS parameters rts-threshold interface-config-radio-instance Configures the Request to Send (RTS) threshold value on this radio RTS is a transmitting station’s signal that requests a Clear To Send (C
7 rf-mode sensor placement outdoor mesh client rts-threshold 100 off-channel-scan channel-list 2.4GHz 1 guard-interval long aggregation ampdu tx-only rifs tx-only aeroscout forward ekahau forward ip 172.16.10.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point Syntax: sniffer-redirect [omnipeek|tzsp] channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)} Parameters sniffer-redirect [omnipeek|tzsp] channel [1|10|100|100w ---------] {snap <1-65535> (append descriptor)} sniffer-redirect Captures and redirects packets to an IP address running a p
7 rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)# Related Commands: no Disables packet capture and redirection stbc interface-config-radio-instance Configures the radio’s Space Time Block Coding (STBC) mode. STBC is a pre-transmission encoding scheme providing an improved SNR ratio (even at a single RF receiver). STBC transmits multiple data stream copies across multiple antennas. The receiver combines the copies into one to retrieve data from the signal.
7 An association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a controller managed access point radio. An ACL is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
7 Related Commands: no Dissociates the specified association ACL policy and radio QoS policy wireless-client interface-config-radio-instance Configures wireless client parameters on this radio Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point Syntax: wireless-client tx-power [<0-20>|mode] wireless-client tx-power mode [802.
7 --More-rfs7000-37FABE(config-profile-71xxTestProfile-if-radio1)# Related Commands: no Resets the transmit power indicated to wireless clients wlan interface-config-radio-instance Enables a WLAN on this radio Use this command to configure WLAN/BSS mappings for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.
7 sniffer-redirect omnipeek 172.16.10.1 channel 1 aeroscout forward ekahau forward ip 172.16.10.
7 exit help revert service show write End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs4000-229D58(config-profile--if-wwan1)# NOTE The WWAN interface is supported only on the Brocade Mobility 7131 Access Point, Brocade Mobility RFS4000, Brocade Mobility RFS6000 platforms.
7 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-if-wwan1)#show context interface wwan1 apn TechPubs rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-if-wwan1)# Related Commands: no Removes the configured access point name.
7 Supported in the following platforms: • Access Points — Brocade Mobility 7131 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000 Syntax: crypto map Parameters crypto map crypto map Associates a crypto map with this interface • – Specify the crypto map name (should be existing and configured) Example rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-if-wwan1)#crypto map test rfs4000-22
7 ap7131-11E6C4(config-device-00-23-68-11-E6-C4-if-wwan1)# rfs4000-229D58(config-profile-testRFS4000-if-wwan1)#description "This interface is reserved for the ISP Airtel" % Error: Unknown config-item (id:description) rfs4000-229D58(config-profile-testRFS4000-if-wwan1)# Related Commands: no Removes the description configured for this WWAN interface ip interface-config-wwan-instance Configures IP related settings on this interface Supported in the following platforms: • Access Points — Brocade Mobility 71
7 apn TechPubs auth-type mschap-v2 crypto map test ip nat inside ip default-gateway priority 1 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-if-wwan1)# Related Commands: no Removes IP related settings on this interface no interface-config-wwan-instance Removes or reverts the WWAN interface settings Supported in the following platforms: • Access Points — Brocade Mobility 7131 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000 Syntax: no [all|apn|auth-typ
7 Configures a password for this WWAN interface. The configured value is used for authentication support by the cellular data carrier. Supported in the following platforms: • Access Points — Brocade Mobility 71XX Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000 Syntax: password [2 |] Parameters password [2 |] 2 Configures an encrypted password. Use this option when copy pasting the password from another device.
7 use ip-access-list in use ip-access-list in Associates an IP ACL with this interface • – Specify the IP ACL name.
7 rfs4000-229D58(config-profile-testBrocade Mobility RFS4000-if-wwan1)# Related Commands: no Removes the configured username interface-config-serial-instance interface This section describes the serial interface configuration commands. Use the (config-profile-) instance to configure the serial interface associated with the service platform.
7 use username Set setting to use Enter username provided by the service provider clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal nx4500-5CFA2B(config-profile-defau
7 (config-profile-)#interface ? Tinterface-config-vm-instance interface Mobility provides a dataplane bridge for external network connectivity for Virtual Machines (VMs). VM interfaces are layer 2 interfaces on Mobility bridge that define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two physical VM interfaces.
7 nx9500-6C8809(config-profile-default-nx9000)#interface vmif ? <1-12> Interface index nx9500-6C8809(config-profile-default-nx9000)# nx9500-6C8809(config-profile-default-nx9000)#interface vmif 2 nx9500-6C8809(config-profile-default-nx9000-if-vmif2)#? VM Interface Mode commands: description Port description ip Internet Protocol (IP) no Negate a command or set its defaults qos Quality of service switchport Set switching mode characteristics use Set setting to use commit end exit revert write Commit all chang
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ip [default-gateway|dhcp|dns-server-forward|domain-lookup|domain-name|igmp|nameserver| nat|route|routing] ip default-gateway [|failover|priority [dhcp-client <1-1800>|static-route <1-1800>] ip [dns-server-forward|domain-lookup|domain-name |name-server | routing] ip dhcp client [hostname|persistent-lease] ip igmp snooping {forward
7 ip default-gateway [|failover|priority [dhcp-client <1-1800>| static-route <1-1800>] default-gateway Configures default gateway (next-hop router) parameters Configures default gateway’s IP address • – Specify the default gateway’s IP address.
7 ip nat [crypto source pool|pool ] nat Configures the NAT parameters crypto source pool Configures the NAT source address translation settings for IPSec tunnels • – Specify a NAT pool name. pool Configures a pool of IP addresses for NAT – Specify a name for the NAT pool.
7 source list Configures an access list describing local addresses • – Specify a name for the IP access list. interface [| pppoe1| vlan <1-4094>| wwan1] Selects an interface to configure. Select a layer 3 router interface or a VLAN interface. • – Selects a layer 3 interface. Specify the layer 3 router interface name. • vlan – Selects a VLAN interface • <1-4094> – Set the SVI VLAN ID of the interface.
7 interface ge2 ip dhcp trust qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.
7 rfs7000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)#? Nat Policy Mode commands: address Specify addresses for the nat pool no Negate a command or set its defaults clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system inform
7 • Service Platforms — Brocade Mobility RFS9510 Syntax: address [|range] address range Parameters address [|range ] address Adds a single IP address to the NAT pool range Adds a range of IP addresses to the NAT pool • – Specify the starting IP address of the range. • – Specify the ending IP address of the range. Example rfs7000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)#address range 172. 16.10.
7 Example rfs7000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)#show context ip nat pool pool1 address range 172.16.10.2 172.16.10.8 rfs7000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)# rfs7000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)#no address range 1 72.16.10.2 172.16.10.
7 inter-tunnel-bridging Enables inter tunnel bridging of packets. This feature is disabled by default. manual-session Creates/modifies L2TPv3 manual sessions For more information, see l2tpv3-manual-session-commands. router-id [<1-4294967295>| ] Configures the router ID sent in the L2TPv3 signalling messages <1-4294967295> – Configures the router ID in decimal format from 1 - 4294967295 – Configures the router ID in the IP address (A.B.C.
7 Parameters l3e-lite-table aging-time <10-1000000> aging-time <10-1000000> Configures the aging time in seconds. The aging time defines the duration a learned L3e entry (IP, VLAN) remains in the L3e Lite table before deletion due to lack of activity.
7 led {flash-pattern} flash-pattern Optional. Enables LED flashing on the device using this profile Select this option to flash an access point’s LEDs in a distinct manner (different from its operational LED behavior). Enabling this feature allows an administrator to validate an access point has received its configuration (perhaps remotely at the site of deployment) without having to log into the managing controller or service platform. This feature is disabled by default.
7 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context nx9000 B4-C7-99-6C-88-09 use profile default-nx9000 use rf-domain default hostname nx9500-6C8809 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e35 6a1 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e 497 no autogen-uniqueid ip default-gateway 192.168.13.
7 Syntax: legacy-auto-downgrade Parameters None Example rfs7000-37FABE(config-profile-default-rfs7000)#legacy-auto-downgrade Related Commands: no Prevents device firmware from auto downgrading when legacy devices are detected legacy-auto-update Profile Config Commands Auto updates an Brocade Mobility 650 Access Point or Brocade Mobility 71XX Access Point legacy access point firmware Supported in the following platforms: • Access Points —Brocade Mobility 650 Access Point, Brocade Mobility 7131 Access Po
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: lldp [holdtime|med-tlv-select|run|timer] lldp [holdtime <10-1800>|run|timer <5-900>] lldp med-tlv-select [inventory-management|power-management] Parameter
7 load-balancing Profile Config Commands Configures load balancing parameters Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: load-balancing [advanced-params|balance-
7 load-balancing advanced-params [2.4GHz-load|5GHz-load|br-load] [client-weightage| throughput-weightage] <0-100> advanced-params Configures advanced load balancing parameters 2.4GHz-load [client-weightage| throughput-weightage] <0-100> Configures 2.4 GHz load calculation weightages • client-weightage – Specifies weightage assigned to the client-count when calculating the 2.4 GHz load • throughput-weightage – Specifies weightage assigned to throughput, when calculating the 2.
7 load-balancing advanced-params max-preferred-band-load [2.4GHGz|5GHzd] <0-100> advanced-params Configures advanced load balancing parameters max-preferred-band-load Configures the maximum load on the preferred band, beyond which the other band is equally preferred [2.4GHz|5GHz] <0-100> Select one of the following options: • 2.4GHz – Configures the maximum load on 2.4 GHz, when it is the preferred band • 5GHz – Configures the maximum load on 5.
7 load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>] band-ratio Configures the relative loading of 2.4 GHz band and 5.0 GHz band.This allows an administrator to weight client traffic load if wishing to prioritize client traffic load on the 2.4 GHz or the radio band. The higher the value set, the greater the weight assigned to radio traffic load on the 2.4 GHz or 5.0 GHz radio band. 2.4GHz [0|<1-10>] Configures the relative loading of 2.
7 logging Profile Config Commands Enables message logging and configures logging settings Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: logging [aggregation-time|bu
7 [<0-7>|alerts| criticail|debugging| emergencies|errors| informational| notifications| warnings] The following keywords are common to the buffered, console, syslog, and forward parameters. All incoming messages have different severity levels based on their importance. The severity level is fixed on a scale of 0 - 7.
7 Configures the MAC address table. Use this command to assign a static address to the MAC address table.
7 rfs7000-37FABE(config-profile-default-rfs7000)# Related Commands: no Disables or reverts settings to their default mac-auth Profile Config Commands Enables or disables authentication of a client’s MAC address on wired ports. When configured, MAC authentication will be enabled on devices using this profile. To enable MAC address authentication on a device, enter the device’s configuration mode and execute the mac-auth command.
7 (config)#aaa-policy macauth (config-aaa-policy-macauth)#authentication server <1-6> [host |onboard] Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied to all devices using this profile. (config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth (config-profile-)#mac-auth use aaa-policy macauth 3. Enable mac-auth on the device’s desired GE port.
7 rfs4000-229D58(config)#radius-user-pool-policy RUG rfs4000-229D58(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 0 0-16-41-55-F8-5D group RG rfs4000-229D58(config-radius-user-pool-RUG)#show context radius-user-pool-policy RUG user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG rfs4000-229D58(config-radius-user-pool-RUG)# rfs4000-229D58(config)#radius-server-policy RS rfs4000-229D58(config-radius-server-policy-RS)#use radius-user-pool-policy RUG rfs4000-229D58(config-radius-server-po
7 memory-profile Profile Config Commands Configures memory profile used on the device Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: memory-profile [adopted|standalo
7 Usage Guidelines: For Vehicular Mounted Modem (VMM) access points or other mobile devices, set the path selection method as mobile-snr-leaf in the config-meshpoint-device mode. For more information, see path-method.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: meshpoint-monitor-interval <1-65535> Parameters meshpoint-monitor-interval <1-65535> meshpoint-monitor-interval <1-65535> Configures the meshpoint monito
7 Parameters min-misconfiguration-recovery-time <60-3600> min-misconfiguration-recovery -time <60-3600> Configures the minimum connectivity (with the associated device) verification interval <60-3600> – Specify a value from 1 - 3600 seconds (default is 60 seconds).
7 mint tunnel-controller-load-balancing level1 Parameters mint dis [priority-adjustment <-255-255>|strict-evis-reachability] dis priority-adjustment <-255-255> Sets the relative priority for the router to become DIS (designated router) • priority-adjustment – Sets priority adjustment added to base priority • <-255-255> – Specify a value from -255 - 255. The default is 0.
7 cost <1-100000> This parameter is common to the ‘listen’ and ‘vlan’ parameters: • Optional. Specifies the link cost in arbitrary units • <1-100000> – Specify a value from 1 - 100000. hello-interval <1-120> This parameter is common to the ‘listen’ and ‘vlan’ parameters: • Optional. Specifies the interval between hello packets • <1-120> – Specify a value from 1 - 120. level [1|2] This parameter is common to the ‘listen’ and ‘vlan’ parameters: Optional.
7 profile rfs7000 default-rfs7000 mint link ip 1.2.3.
7 Related Commands: no Reverts to default (180 seconds) neighbor-inactivity-timeout Profile Config Commands Configures neighbor inactivity timeout Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Br
7 --More-rfs7000-37FABE(config-profile-default-rfs7000)# neighbor-info-interval Profile Config Commands Configures the neighbor information exchange interval Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Plat
7 no Profile Config Commands Negates a command or resets values to their default Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [adopter-auto-provisioning-policy-
7 arp Configures static address resolution protocol auto-learn-staging-config Enables network configuration device learning autogen-uniqueid Autogenerates a unique local ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device.
7 meshpoint-device Configures the meshpoint device parameters meshpoint-monitor-interval Configures the meshpoint monitoring interval min-misconfiguration-recovery-ti me Configures the minimum connectivity (with connected device) verification time mint Configures the MiNT protocol settings misconfiguration-recovery-time Verifies connectivity after a device configuration file is received neighbor-inactivity-timeout Configures neighbor inactivity timeout neighbor-info-interval Configures the neig
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: noc update-interval [<5-3600>|auto] Parameters noc update-interval [<5-3600>|auto] update-interval [<5-3600>|auto] Configures NOC statistics update inter
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ntp server {autokey|key|prefer|version} ntp server {autokey} {prefer version <1-4>|version <1-4>} ntp server {key <1-65534> md5 [0 |2|]} {prefer version <1-4>|version <1-4>} ntp server {prefer version <1-4>|version <1-4> prefer} Parameters ntp server {autokey} {prefer version <1-4>|
7 profile rfs7000 default-rfs7000 mint link ip 1.2.3.4 mint level 1 area-id 88 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier ............................................... ip dhcp trust qos trust dscp qos trust 802.1p interface ge3 ip dhcp trust qos trust dscp qos trust 802.1p interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p interface pppoe1 use firewall-policy default ntp server 172.16.10.
7 Parameters power-config [af-option|at-option] [range|throughput] af-option [range|throughput] Configures the 802.3.af power mode option. The options are: range – Configures the af power range mode. This mode provides higher power but fewer transmission (tx) chains. Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates. • throughput – Configures the af power throughput mode.
7 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: preferred-controller-group Parameters preferred-controller-group Specify the name of the cont
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: preferred-tunnel-controller Parameters preferred-tunnel-controller preferred-tunnel-controller Configures the preferred tunnel name
7 Example rfs7000-37FABE(config-profile-default-rfs7000)#radius nas-port-id 1 rfs7000-37FABE(config-profile-default-rfs7000)#radius nas-identifier test rfs7000-37FABE(config-profile-default-rfs7000)#show context profile rfs7000 default-rfs7000 mint link ip 1.2.3.
7 mint link ip 1.2.3.4 mint level 1 area-id 88 .............................................. rf-domain-manager priority 9 preferred-controller-group testGroup misconfiguration-recovery-time 65 noc update-interval 25 service pm sys-restart preferred-tunnel-controller testtunnel router ospf rfs7000-37FABE(config-profile-default-rfs7000)# Related Commands: no Disables or reverts settings to their default router Profile Config Commands Configures dynamic router protocol settings.
7 ospf passive redistribute route-limit router-id vrrp-state-check Ospf Make OSPF Interface as passive Route types redistributed by OSPF Limit for number of routes handled OSPF process Router ID Publish interface via OSPF only if the interface VRRP state is not BACKUP clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Descr
7 spanning-tree portfast [bpdufilter|bpduguard] default Parameters spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>] errdisable Disables or shutsdown ports where traffic is looping, or ports with traffic in one direction recovery Enables the timeout mechanism for a port to be recovered cause bpduguard interval <10-1000000> Specifies the reason for errdisable bpduguard – Recovers from errdisable due to bpduguard • Specifies the interval after which a port is enabled • <10-1000
7 spanning-tree portfast [bpdufilter|bpduguard] default portfast [bpdufilter| bpduguard] default Enables PortFast on a bridge bpdufilter default – Sets the BPDU filter for the port. Use the no parameter with this command to revert to default. The spanning tree protocol sends BPDUs from all ports.
7 Configures the tunneled WLAN (extended VLAN) wireless controller or service platform’s name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: tunnel-controller
7 use [advanced-wips-policy|auto-provisioning-policy|captive-portal| client-identity-group|dhcp-server-policy|event-system-policy|firewall-policy| global-assoc-list|management-policy|profile|radius-server-policy|rf-domain| role-policy|routing-policy|wips-policy|critical-resource-policy|smart-rf-poli cy| trustpoint] NOTE The following tables contain the ‘use’ command parameters for the Profile and Device configuration modes.
7 role-policy Associates a role policy • – Specify the role policy name. routing-policy Associates a routing policy • – Specify the routing policy name.
7 wips-policy • Associates a WIPS policy – Specify the WIPS policy name. critical-resource-policy Associates a critical resource monitoring policy • – Specify the critical resource policy name.
7 • Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner • Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true. The nodes that lose the election process enter a backup state. In the backup state they monitor the master for any failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the designated virtual IPs.
7 description Configures a text description for the virtual router to further distinguish it from other routers with similar configuration • – Provide a description (a string from 1- 64 characters in length) ip Identifies the IP address(es) backed by the virtual router. These are IP addresses of Ethernet switches, routers, and security appliances defined as virtual router resources. • – Specify the IP address(es) in the A.B.C.D format.
7 vlan <1-4094> Optional. Enables VLAN (switched virtual interface) interface monitoring <1-4094> – Specify the VLAN interface ID from 1- 4094. • wwan1 Optional. Enables Wireless WAN interface monitoring vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>] vrrp <1-255> Configures the virtual router ID from 1- 255. Identifies the virtual router the packet is reporting status for.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: wep-shared-key-auth Parameters None Example rfs7000-37FABE(config-profile-default-rfs7000)#wep-shared-key-auth rfs7000-37FABE(config-profile-default-rfs70
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: service [critical-resource|fast-switching|enable|global-association-list|meshpoint| pm|power-config|radius|rss-timeout|watchdog|wireless|show] service crit
7 service enable [l2tpv3|pppoe|radiusd] service enable l2tpv3 Enables/disables L2TPv3 on this profile This feature is not supported on Brocade Mobility 650 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point, Brocade Mobility RFS4000, Brocade Mobility RFS6000, and Brocade Mobility RFS7000. It is supported only on Brocade Mobility 6511 Access Point. service enable pppoe Enables PPPoE features.
7 service watchdog watchdog Enables/disables the watchdog. This feature is enabled by default. Enabling the watchdog option implements heartbeat messages to ensure other associated devices are up and running and capable of effectively inter-operating with the controller.
7 Example rfs7000-37FABE(config-profile-testrfs71xx)#service radius dynamic-authorization additional-port 1700 rfs7000-37FABE(config-profile-testrfs71xx)# rfs7000-37FABE(config-profile-testrfs71xx)#show context profile rfs7000 test service radius dynamic-authorization additional-port 1700 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-25
7 controller country-code critical-resource crypto device-upgrade dot1x dscp-mapping email-notification enforce-version environmental-sensor events export floor geo-coordinates gre hostname http-analyze interface ip l2tpv3 l3e-lite-table layout-coordinates led led-timeout legacy-auto-downgrade legacy-auto-update license lldp load-balancing location logging mac-address-table mac-auth mac-name memory-profile meshpoint-device meshpoint-monitor-interval min-misconfiguration-recovery-time mint mirror misconfi
7 no noc ntp override-wlan power-config preferred-controller-group preferred-tunnel-controller radius raid remove-override rf-domain-manager router rsa-key sensor-server slot spanning-tree stats timezone trustpoint tunnel-controller use vrrp wep-shared-key-auth clrscr commit do end exit help revert service show write exchange interval Negate a command or set its defaults Configure the noc related setting Ntp server A.B.C.
7 The following table summarizes device configuration mode commands.
7 Command Description Reference interface Selects an interface to configure page 7-653 ip Configures IP components page 7-744 l2tpv3 Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling Layer 2 payloads using Virtual Private Networks (VPNs) page 752 l3e-lite-table Configures L3e Lite Table with this profile page 753 layout-coordinates Configures layout coordinates page 7-815 led Turns LEDs on or off page 7-754 led-timeout Configures the LED-timeout timer in the device or p
7 Command Description Reference preferred-tunnel-control ler Configures the tunnel wireless controller or service platform preferred by the system for tunneling extended VLAN traffic page 785 radius Configures device-level RADIUS authentication parameters page 7-786 remove-override Removes device overrides page 7-824 rf-domain-manager Enables the RF Domain manager page 7-787 router Configures dynamic router protocol settings.
7 Syntax: adoption-site Parameters adoption-site adoption-site Sets the device’s adoption site name Example rfs4000-229D58(config-device-00-23-68-22-9D-58)#adoption-site MotoEcoSpace3B rfs4000-229D58(config-device-00-23-68-22-9D-58)# Related Commands: no Disables or reverts settings to their default area Device Config Commands Sets the area where the system is deployed Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocad
7 Related Commands: no Disables or reverts settings to their default channel-list Device Config Commands Configures the channel list advertised to wireless clients Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Servi
7 Defines an administrative contact for a deployed device Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: contact Parameters contact contact Sp
7 Parameters country-code country-code Defines the two digit country code for legal device deployment – Specify the two letter ISO-3166 country code. • Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#country-code us rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname br7131-4AA708 area RMZEcospace contact motorolasolutions country-code us channel-list 2.
7 hostname br7131-4AA708 area RMZEcospace floor 5thfloor contact motorolasolutions country-code us channel-list 2.4GHz 1,2 rfs7000-37FABE(config-device-00-04-96-4A-A7-08)# Related Commands: no Removes device’s location floor name geo-coordinates Device Config Commands Configures the geographic coordinates for this device. Specifies the exact location of this device in terms of latitude and longitude coordinates.
7 interface vlan1 ip address 192.168.13.9/24 ip address 192.168.0.
7 Related Commands: no Removes device’s hostname layout-coordinates Device Config Commands Configures X and Y layout coordinates for the device Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Broca
7 Adds a license pack on the device for the specified feature (AP/AAP/ADSEC/ADVANCED-WIPS/HTANLT/SMART-CACHE) The Mobility HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller, The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters.
7 rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 floor 5thfloor layout-coordinates 1.0 2.0 license AP aplicensekey@1234 aplicensekey@123 location Block3B no contact country-code us channel-list 2.4GHz 1,2 mac-name 00-04-96-4A-A7-08 5.
7 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: location Parameters location Specify the managed device’s location of deployment Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#location Block3B rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 area RMZEcospace
7 mac-name Configures a MAC address for the device • – Set the 'friendly' name used for this MAC address Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#mac-name 00-04-96-4A-A7-08 5.4TestAP rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 area RMZEcospace floor 5thfloor layout-coordinates 1.0 2.
7 rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 area RMZEcospace floor 5thfloor layout-coordinates 1.0 2.0 location Block3B contact motorolasolutions country-code us channel-list 2.4GHz 1,2 mac-name 00-04-96-4A-A7-08 5.
7 network-alias|noc|ntp|override-wlan|power-config|preferred-controller-group| preferred-tunnel-controller|radius|rf-domain-manager|router|rsa-key|sensor-se rver| slot|spanning-tree|timezone|trustpoint|tunnel-controller|use|vrrp| wep-shared-key-auth|service] Parameters None Usage Guidelines: The no command negates any command associated with it.
7 enforce-version Checks the device firmware version before attempting connection environmental-sensor Configures the environmental sensor device settings. If the device is an environmental sensor, use this command to configures its settings, events Displays system event messages export Enables export of startup.
7 override-wlan Configures WLAN RF Domain level overrides power-config Configures power mode features preferred-controller-gro up Specifies the group the system prefers for adoption preferred-tunnel-control ler Configures the tunnel preferred by the system for tunneling extended VLAN traffic radius Configures device-level RADIUS authentication parameters remove-override Removes device overrides rf-domain-manager Enables the RF Domain manager router Configures dynamic router protocol settings
7 Syntax: override-wlan [ssid|vlan-pool|wpa-wpa2-psk] override-wlan [ssid |vlan-pool <1-4094> {limit <0-8192>}| wpa-wpa2-psk ] Parameters override-wlan WLAN [ssid |vlan-pool <1-4094> {limit <0-8192>}| wpa-wpa2-psk ] Specify the WLAN name. Configure the following WLAN parameters: SSID, VLAN pool, and WPA-WPA2 key. SSID Configures the WLAN Service Set Identifier (SSID) • – Specify an SSID ID.
7 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: remove-override Parameters None Example rfs4000-229D58(config-device-00-23-68-22-9D-58)#remove-override ? adopter-auto-provisioning-policy-lo
7 gre interface ip l2tpv3 l3e-lite-table led lldp location logging mac-address-table mac-auth memory-profile mint noc ntp override-wlan power-config preferred-controller-group preferred-tunnel-controller rf-domain-manager router routing-policy sensor-server spanning-tree timezone tunnel-controller use vrrp GRE protocol Select an interface to configure Internet Protocol (IP) L2tpv3 protocol L3e lite Table LED on the device Link Layer Discovery Protocol The location Modify message logging facilities MAC Add
7 rsa-key ssh ssh Assigns RSA key to SSH • – Specifies the RSA key name. The key should be installed using PKI commands in the enable mode. Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#rsa-key ssh rsa-key1 rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 floor 5thfloor layout-coordinates 1.0 2.
7 ip Configures sensor server’s IP address • – Specify the IP address. port [443|8443|<1-65535>] Optional. Configures the port. The options are: • 443 – The default port used by the AirDefense server • 8443 – The default port used by advanced WIPS • <1-65535> – Manually sets the port number of the advanced WIPS/AirDefense server Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#sensor-server 1 ip 172.16.10.
7 timezone timezone Configures the device’s timezone Example rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#timezone Etc/UTC rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context br71xx 00-04-96-4A-A7-08 use profile default-br71xx use rf-domain default hostname TechPubAP7131 floor 5thfloor layout-coordinates 1.0 2.
7 trustpoint [https|radius-ca|radius-server] https Assigns a specified trustpoint to HTTPS – Specify the trustpoint name. • radius-ca Assigns a trustpoint as a certificate authority for validating client certificates in EAP • – Specify the trustpoint name. radius-server Specifies the name of the trustpoint. Install the trustpoint using PKI commands in the enable mode. • – Specify the trustpoint name.
Chapter 8 AAA-POLICY This chapter summarizes the Authentication, Authorization, and Accounting (AAA) policy commands in the CLI command structure. A AAA policy enables administrators to define access control settings governing network permissions. External RADIUS and LDAP servers (AAA servers) also provide user database information and user authentication data. Each WLAN maintains its own unique AAA configuration.
8 authentication health-check mac-address-format use Configure authentication parameters Configure server health-check parameters Configure the format in which the MAC address must be filled in the Radius-Request frames Negate a command or set its defaults Configure radius attribute behavior when proxying through controller or rf-domain-manager Configure the method of selecting a server from the pool of configured AAA servers Set setting to use clrscr commit do end exit help revert service show write Cl
8 TABLE 6 AAA-Policy-Config Commands Command Description Reference show Displays running system information page 6-429 write Writes information to memory or terminal page 5-425 accounting aaa-policy Configures the server type and interval at which interim accounting updates are sent to the server. A maximum of 6 accounting servers can be configured.
8 accounting server preference [auth-server-host|auth-server-number|none] server Configures a RADIUS accounting server’s settings preference Configures the accounting server’s preference mode. Authentication requests are forwarded to a accounting server, from the pool, based on the preference mode selected. auth-server-host Sets the authentication server as the accounting server This parameter indicates the same server is used for authentication and accounting. The server is identified by its hostname.
8 realm-type [prefix|suffix] Selects the match type used on the username Select one of the following options: prefix – Matches the prefix of the username (For example, username is of type DOMAIN/user1, DOMAIN/user2). This is the default setting. • suffix – Matches the suffix of the username (For example, user1@DOMAIN, user2)@DOMAIN) • realm Configures the text matched against the username. Enter the realm name (should not exceed 50 characters).
8 Example rfs7000-37FABE(config-aaa-policy-test)#accounting interim interval 65 rfs7000-37FABE(config-aaa-policy-test)#accounting secret example port 1 rfs7000-37FABE(config-aaa-policy-test)#accounting 2 rfs7000-37FABE(config-aaa-policy-test)#accounting rfs7000-37FABE(config-aaa-policy-test)#accounting auth-server-number server 2 host 172.16.10.10 server 2 timeout 2 attempts type start-stop server preference rfs7000-37FABE(config-aaa-policy-test)#show context aaa-policy test accounting server 2 host 172.
8 attribute attribute attribute attribute attribute attribute attribute chargeable-user-identity cisco-vsa audit-session-id framed-mtu <100-1500> location-information [include-always|none|server-requested] nas-ipv6-address operator-name service-type [framed|login] Parameters attribute acct-delay-time acct-delay-time Enables support for accounting-delay-time attribute in accounting requests.
8 attribute nas-ipv6-address nas-ipv6-address Enables support for NAS IPv6 address When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space. attribute operator-name operator-name Enables support for RFC5580 operator name attribute.
8 • Service Platforms — Brocade Mobility RFS9510 Syntax: authentication [eap|protocol|server] authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>| timeout <1-60>] authentication protocol [chap|mschap|mschapv2|pap] authentication server <1-6> [dscp|host|nac|nai-routing|onboard|proxy-mode| retry-timeout-factor|timeout] authentication server <1-6> dscp <0-63> authentication server <1-6> host sec
8 retry-timeout-factor <50-200> timeout <1-60> Configures the spacing between successive EAP retries <50-200> – Specify a value from 50 - 200. The default is 100. A value of 100 indicates the interval between two consecutive retires remains the same irrespective of the number of retries. A value lesser than 100 indicates the interval between two consecutive retries reduces with each successive retry.
8 accounting server <1-6> nai-routing realm-type [prefix|suffix] realm {strip} server <1-6> nai-routing realm-type [prefix|suffix] Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured. <1-6> – Specifies the RADIUS server index from 1 - 6. • Enables NAI routing. When enabled, AAA servers identify clients using NAI.
8 authentication server <1-6> retry-timeout-factor <50-200> server <1-6> retry-timeout-factor <50-200> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured. <1-6> – Specify the RADIUS server index from 1 - 6. • Configures the scaling of timeouts between two consecutive RADIUS authentication retries • <50-200> – Specify the scaling factor from 50 - 200.
8 An AAA server could go offline. When a server goes offline, it is marked as down. This command configures the interval after which a server marked as down is checked to see if it has come back online and is reachable.
8 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password] Parameters] mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password] mid
8 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [accounting|attribute|authentication|health-check|mac-address-format| proxy-attribute|server-pooling-mode|use] no accounting interim interval no account
8 no accounting server <1-6> {dscp|nai-routing|proxy-mode|retry-timeout-factor| timeout} no accounting server <1-6> Resets the RADIUS accounting server’s (identified by its index number) settings dscp Optional. Resets the DSCP value for RADIUS accounting nai-routing Optional. Disables NAI forwarding requests proxy-mode Optional. Resets proxy mode to the default of “no proxying” retry-timeout-factor Optional. Resets retry timeout to its default of 100 timeout Optional.
8 no authentication server <1-6> {dscp|nac|nai-routing|proxy-mode|retry-timeout-factor|timeout} no authentication server <1-6> Resets the RADIUS authentication server’s (identified by its index number) settings dscp Optional. Resets the DSCP value for RADIUS authentication nac Optional. Disables NAC on the selected RADIUS authentication server nai-routing Optional. Disables NAI forwarding requests proxy-mode Optional.
8 The following example shows the AAA policy ‘test’ settings after the ‘no’ commands are executed: rfs7000-37FABE(config-aaa-policy-test)#show context aaa-policy test authentication server 5 host 172.16.10.10 secret 0 example port 1009 authentication server 5 timeout 10 accounting server 2 host 172.16.10.
8 proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]] nas-identifier [originator|proxier] nas-ip-address [none|proxier] Uses NAS identifier originator – Configures the NAS identifier as the originator of the RADIUS request. The originator could be an AP, or a wireless controller with radio. • proxier – Configures the proxying device as the NAS identifier. The device could be a controller or a RF Domain manager.
8 server-pooling-mode [failover|load-balance] failover Sets the pooling mode to failover. This is the default setting. When a configured AAA server fails, the server with the next higher index takes over the failed server’s load. load-balance Sets the pooling mode to load balancing When a configured AAA server fails, all servers in the pool share the failed server’s load transmitting requests in a round-robin fashion.
8 Example rfs7000-37FABE(config-aaa-policy-test)#use nac-list test1 rfs7000-37FABE(config-aaa-policy-test)#show context aaa-policy test authentication server 5 host 172.16.10.10 secret 0 example port 1009 authentication server 5 timeout 10 accounting server 2 host 172.16.10.
Chapter 9 AUTO-PROVISIONING-POLICY This chapter summarizes the auto provisioning policy commands in the CLI command structure. Wireless devices can adopt and manage other wireless devices. For example, a wireless controller can adopt multiple access points. When a device is adopted, the device configuration is provisioned by the adopting device.
9 The new Mobility HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller, The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. All adopted devices (access points and second-level controllers) are referred to as the ‘adoptee’.
9 service show write Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-auto-provisioning-policy-test)# auto-provisioning-policy Table 7 summarizes auto provisioning policy configuration commands. TABLE 7 Auto-Provisioning-Policy-Config Commands Command Description Reference adopt Adds a permit adoption rule page 855 default-adoption Adopts devices even when no matching rules are found.
9 adopt [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] adopt [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> [profile|rf-domain] adopt [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> [profile |rf-domain ] [any|
9 profile Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an Brocade Mobility 650 Access Point device profile for an Brocade Mobility 650 Access Point. Using an inappropriate device profile can result in unpredictable results. Provide a device profile name. Provide a device profile name.
9 ip [ |]|lldp-match | mac {}|model-number |serial-number | rf-domain |vlan ] adopt Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
9 cdp-match Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, 'controller1', ‘example’, 'example.com', are examples of the substrings that will match. • – Specify the value to match. Devices matching the specified value are adopted.
9 rf-domain serial-number vlan Adopts a device if its RF Domain matches – Specify the RF Domain name. You can use a string alias to specify a RF Domain. Provide the full RF Domain name or an alias.
9 default-adoption auto-provisioning-policy Adopts devices, even when no matching rules are defined. Assigns a default profile and default RF Domain.
9 deny [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] deny [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|lldp-match|mac|model-number|serial-number| vlan] deny [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> any
9 deny [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-1000> [cdp-match |dhcp-option |fqdn |ip [ |]| lldp-match |mac {}|model-number |serial-number |vlan ] deny Adds a deny adoption rule. The rule applies to the selected device types.
9 serial-number vlan Denies adoption if a device’s serial number matches • – Specify the serial number. Denies adoption if a device’s VLAN matches – Specify the VLAN ID. • Example rfs4000-229D58(config-auto-provisioning-policy-test)#deny br71xx precedence 2 model-number AP7131N rfs4000-229D58(config-auto-provisioning-policy-test)#deny br71xx precedence 3 ip 192.168.13.23 192.168.13.
9 redirect [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> controller [|] any redirect [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> controller [|] [cdp-match | dhcp-option |fqdn |ip [ |
9 |]|lldp-match | mac {}|model-number |serial-number | vlan ] redirect Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
9 serial-number Configures the device’s serial number • – Specify the serial number. Devices matching the specified serial number are redirected. vlan Configures the VLAN ID • – Specify the VLAN ID. Devices assigned to the specified VLAN are redirected. Example rfs4000-229D58(config-auto-provisioning-policy-test)#redirect br81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.
9 upgrade [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|lldp-match|mac|model-number|serial-number| vlan] upgrade [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65xx|nx9000] precedence <1-10000> any upgrade [ap621|ap622|br650|br6511|ap6521|br1220|ap6532|ap6562|br71xx|br81xx|ap82xx| rfs4000|rfs6000|rfs7000|nx45xx|nx65x
9 precedence <1-10000> Sets the rule precedence. Rules with lower values get precedence over rules with higher values. any Supported in the following platforms:Indicates any device. Any device, of the selected type, is upgraded.
9 fqdn Configures the FQDN to match FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain. • – Specify the FQDN. Devices matching the specified value are upgraded. ip [ |] Configures a range of IP addresses and subnet address. Devices having IP addresses within the specified range or are part of the specified subnet are upgraded.
9 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [adopt|default-adoption|deny|redirect|upgrade] no no no no no adopt precedence <1-10000> deny precedence <1-10000> default-adoption redirect precedence
9 rfs4000-229D58(config-auto-provisioning-policy-test)#no rfs4000-229D58(config-auto-provisioning-policy-test)#no rfs4000-229D58(config-auto-provisioning-policy-test)#no rfs4000-229D58(config-auto-provisioning-policy-test)#no default-adoption deny precedence 2 deny precedence 3 deny precedence 5 The following example shows the auto-provisioning-policy ‘test’ settings after the ‘no’ commands are executed: rfs4000-229D58(config-auto-provisioning-policy-test)#show context auto-provisioning-policy test adopt
Chapter ADVANCED-WIPS-POLICY 10 This chapter summarizes the advanced Wireless Intrusion Protection Systems (WIPS) policy commands in the CLI command structure. WIPS policy provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and encryption and authentication policies. WIPS uses dedicated sensor devices designed to actively detect and locate unauthorized AP devices.
10 no server-listen-port terminate use Negate a command or set its defaults Configure local WIPS server listen port number Add a device to the list of devices to be terminated Set setting to use clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show
10 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: event [accidental-association|all|crackable-wep-iv-used|dos-cts-flood| dos-deauthentication-detection|dos-disassociation-detection|dos-eap-failure-s poof|
10 null-probe-response-detected|stp-detection|unauthorized-bridge| windows-zero-config-memory-leak|wlan-jack-attack-detected] trigger-against [neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)} event dos-cts-flood threshold [cts-frames-ratio <0-65535>|mu-rx-cts-frame <0-65535>] event dos-cts-flood trigger-against [neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)} event dos-eapol-logoff-storm threshold [eapol-start-frames-br <0-65535>| eapol-start-frames-
10 multicast-hsrp-agent|multicast-igmp-detection|multicast-igrp-routers-detectio n| multicast-ospf-all-routers-detection|multicast-ospf-designated-routers-detect ion| multicast-rip2-routers-detection|multicast-vrrp-agent|netbios-detection| null-probe-response-detected|stp-detection|unauthorized-bridge| windows-zero-config-memory-leak|wlan-jack-attack-detected] trigger-against [neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)} crackable-wep-iv-used This event occurs when a crackab
10 multicast-all-systems-on-su bnet This event occurs when a sanctioned device detects multicast packets to all systems on the subnet multicast-dhcp-server-relay -agent This event occurs when a sanctioned device detects a DHCP server relay agent in the network multicast-hsrp-agent This event occurs when a sanctioned device detects a Hot Standby Router Protocol (HSRP) agent in the network multicast-igmp-detection This event occurs when a sanctioned device detects multicast Internet Group Management Pr
10 event dos-cts-flood trigger-against [neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)} dos-cts-flood This event occurs when a large number of CTS frames are detected in the network trigger-against (neighboring, sanctioned, unsanctioned) Sets the event trigger condition • sanctioned – An event is triggered only against sanctioned devices • unsanctioned – An event is triggered only against unsanctioned devices • neighboring – An event is triggered only against neighboring devi
10 event rogue-br-detection trigger-against [neighboring|sanctioned|unsanctioned] {(neighboring|sanctioned|unsanctioned)} rogue-br-detection This event occurs when rogue APs are detected in the network.
10 no server-listen-port no terminate no use device-configuration Parameters no event no event Disables event handling for the event specified as its parameter See event for more information on each of the parameters.
10 event dos-eapol-logoff-storm threshold eapol-start-frames-mu 99 rfs7000-37FABE(config-advanced-wips-policy-test)# Related Commands: event Configures WIPS events server-listen-port Defines the port where WIPS sensors connect to the WIPS server terminate Adds a device to the device terminate list use Configures the device categorization list used with the advanced WIPS policy server-listen-port advanced-wips-policy Defines the local advanced WIPS server’s listening port, where WIPS sensors connect
10 Related Commands: no Resets local WIPS server’s listening port to default terminate advanced-wips-policy Adds a device to a device termination list. Devices on this list cannot access the network.
10 A device categorization list categorizes a device, either an AP or a wireless client, as sanctioned or neighboring based on its MAC address or access point SSID. For more information on creating a device categorization list, see device-categorization.
Chapter ASSOCIATION-ACL-POLICY 11 This chapter summarizes the association ACL policy commands in the CLI command structure. An association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a controller managed WLAN. System administrators can use an association ACL to grant or restrict wireless clients access to the WLAN by specifying client MAC addresses or range of MAC addresses to either include or exclude from controller connectivity.
11 association-acl-policy ASSOCIATION-ACL-POLICY Table 9 summarizes association ACL policy configuration commands.
11 deny precedence <1-1000> Parameters deny precedence <1-1000> deny Adds a single device or a set of devices to the deny list To add a single device, enter its MAC address in the parameter. precedence <1-1000> Sets a precedence rule. Rules are applied in an increasing order of precedence. • <1-1000> – Specify a precedence value from 1 - 1000.
11 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [deny|permit] no deny precedence <1-1000> no deny precedence <1-1000> no permit precedence <1-1000> no permit precedence <1-1000> Parameters deny precedence <1-1000> no deny Removes a single device or a set of devices from the deny list
11 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160 rfs7000-37FABE(config-assoc-acl-test)# rfs7000-37FABE(config-assoc-acl-test)#no deny 11-22-33-44-56-01 11-22-33-44-56-FF precedence 160 The following example shows the association ACL policy ‘test’ settings after the ‘no’ commands is executed: rfs7000-37FABE(config-assoc-acl-test)#show context association-acl-policy test deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150 rfs7000-37FABE(con
11 precedence <1-1000> To add a single device, enter its MAC address in the parameter. Specifies a rule precedence. Rules are applied in an increasing order of precedence. <1-1000> – Specify a value from 1 - 1000. • permit precedence <1-1000> permit Adds a single device or a set of devices to the permit list To add a set of devices, provide the MAC address range. Specify the first MAC address of the range.
Chapter 12 ACCESS-LIST This chapter summarizes IP and MAC access list commands in the CLI command structure. Access lists control access to the managed network using a set of rules also known as Access Control Entries (ACEs). Each rule specifies an action taken when a packet matches that rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. A set of deny and/or permit rules based on IP addresses constitutes a IP Access Control List (ACL).
12 clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-ip-acl-test)# mac-access-list rfs7000-37FABE(config)#mac access-list test rfs7000-37FABE(con
12 TABLE 10 IP-Access-List-Config Commands Command Description Reference clrscr Clears the display screen page 385 commit Commits (saves) changes made in the current session page 386 end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help Displays the interactive help system page 387 revert Reverts changes to their last saved configuration page 394 service Invokes service commands to troubles
12 deny icmp [||any|from-vlan | host ] [||any| host ] ( ,log,rule-precedence <1-5000>) {(rule-description )} deny ip [||any|from-vlan | host ] [||any| host ] (log,rule-precedence <1-5000>) {( rule-description )} deny proto [
12 any Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are dropped. from-vlan Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are dropped. • – Specify the VLAN ID.
12 from-vlan Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped. • – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20). Use this option with WLANs and port ACLs. host Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
12 host Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped. • – Specify the source host’s exact IP address in the A.B.C.D format. Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped. any Specifies the destination as any IP address. IP packets addressed to any destination are dropped.
12 igp Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9) IGP enables exchange of information between hosts and routers within a managed network. The most commonly used interior gateway protocol (IGP) protocols are: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) ospf Identifies the OSPF protocol (number 89) OSPF is a link-state interior gateway protocol (IGP).
12 log rule-precedence <1-5000> rule-description Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged. The following keywords are recursive and common to all of the above parameters: • rule-precedence – Assigns a precedence for this deny rule • <1-5000> – Specify a value from 1 - 5000.
12 host Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are dropped. • – Specify the destination host’s exact IP address in the A.B.C.D format. This keyword is common to the ‘tcp’ and ‘udp’ parameters. Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are dropped.
12 • TCP • UDP • PROTO (any Internet protocol other than TCP, UDP, and ICMP) The last access control entry (ACE) in the access list is an implicit deny statement. Whenever the interface receives the packet, its content is checked against the ACEs in the ACL. It is allowed or denied based on the ACL configuration. • Filtering TCP/UDP allows you to specify port numbers as filtering criteria • Select ICMP as the protocol to allow or deny ICMP packets.
12 rfs4000-229D58(config-ip-acl-bar)#permit $Tandem 10.60.20.0/24 $Tandem-servers log rule-precedence 50 In examples 4, and 5: • The network-service aliases ($kerberos and $Tandem) define the destination protocol-port combinations • The source network is 10.60.20.
12 disable [deny|permit] [|icmp|ip| proto |tcp|udp] [||any| from-vlan |host ] [|| any|host ] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence) disable [deny|permit] Disables a deny or permit access rule without removing it from the ACL Provide the exact values used to configure the deny or permit rule.
12 rfs7000-37FABE(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3 rfs7000-37FABE(config-ip-acl-auto-tunnel-acl)# The following example shows the ‘auto-tunnel-acl’ settings after the disable command is executed: rfs7000-37FABE(config-ip-acl-auto-tunnel-acl)#show context ip access-list auto-tunnel-acl permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 disable permit ip host 200.200.200.
12 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: insert [deny|permit] (log,mark [8021p <0-7>|dscp <0-63>], rule-precedence <1-5000>) {(rule-description )} Parameters insert [deny|perm
12 In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2’ rule changes to precedence 3. rfs4000-229D58(config-ip-acl-test)#insert deny ip any any rule-precedence 2 rfs4000-229D58(config-ip-acl-test)#show context ip access-list test deny tcp from-vlan 1 any any rule-precedence 1 deny ip any any rule-precedence 2 permit icmp any host 192.168.13.
12 Enter the exact parameters used when configuring the rule. rule-precedence <1-5000> rule-description Specify the precedence assigned to this deny/permit rule. rule-description – Optional. Specify the rule description. The system removes the rule from the selected ACL.
12 disable Disables a deny or permit rule within an IP ACL permit Creates a permit access rule permit ip-access-list Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination IP) for forwarding. You can also use this command to modify an existing permit rule. NOTE Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType.
12 permit proto [||eigrp|gre|igmp|igp|ospf|vrrp] [||any|from-vlan | host ] [||any| host ] (log,rule-precedence <1-5000>) {(rule-description )} permit [tcp|udp] [||any|from-vlan | host ] [||any| eq |host |range
12 any Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are permitted. host Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are permitted. • – Specify the destination host’s exact IP address in the A.B.
12 Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are permitted. • – Specify the network-group alias name (should be existing and configured). any Specifies the destination as any destination IP address. ICMP packets addressed to any destination are permitted.
12 any Specifies the destination as any destination IP address. IP packets addressed to any destination are permitted. host Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are permitted. • – Specify the destination host’s exact IP address in the A.B.C.D format. Applies a network-group alias to identify the source IP addresses.
12 ospf Identifies the OSPF protocol (number 89) OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
12 permit [tcp|udp] [||any|from-vlan |host ] [||any|eq |host |range ] [eq [<1-65535>|| bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp |www]| range ] (log,rule-precedence <1-5000>) {(rule-description )} tcp Applies this permit rule to TCP packets only udp Applies this deny rule
12 eq [<1-65535>| | |bgp|dns|ftp| ftp-data|gopher| https|ldap|nntp|ntp| pop3|sip|smtp| ssh|telnet| tftp|www] Identifies a specific destination or protocol port to match • <1-65535> – The destination port is designated by its number • – Specifies the service name • bgp – The designated Border Gateway Protocol (BGP) protocol port (179) • dns – The designated Domain Name System (DNS) protocol port (53) • ftp – The designated File Transfer Protocol (FTP) protocol port (21) • ftp-da
12 NOTE The log option is functional only for router ACL’s. The log option displays an informational logging message about the packet matching the entry sent to the console. Example rfs7000-37FABE(config-ip-acl-test)#show context ip access-list test rfs7000-37FABE(config-ip-acl-test)# rfs7000-37FABE(config-ip-acl-test)#permit ip 172.16.10.0/24 any log rule-precedence 750 rfs7000-37FABE(config-ip-acl-test)#permit tcp 172.16.10.
12 Command Description Reference show Displays running system information page 429 write Writes information to memory or terminal page 425 deny mac-access-list Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for rejection. You can also use this command to modify an existing deny rule. NOTE Use a decimal value representation to implement a permit/deny designation for a packet.
12 Configures the destination MAC address and mask to match • – Specify the destination MAC address to match. • – Specify the destination MAC address mask to match. Packets addressed to the specified MAC addresses are dropped. any Identifies all devices as the destination to deny access. Packets addressed to any destination are dropped.
12 The last ACE in the access list is an implicit deny statement. Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is allowed or denied based on the ACL’s configuration.
12 disable [deny|permit] [ |any|host ] [ |any|host ] (dot1p <0-7>,type [8021q| <1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-recedence <1-5000>) {(rule-description )} Parameters disable [deny|permit] [ |any|host ] [ |any|host ] (dot1p <0-7>,type [8021q| <1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mi
12 rfs4000-229D58(config-mac-acl-test)#show context mac access-list test deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1 deny host 00-01-AE-00-22-11 any rule-precedence 2 rfs4000-229D58(config-mac-acl-test)# rfs4000-229D58(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2 The following example shows the MAC access list ‘test’ settings after the ‘disable’ command is executed: rfs4000-229D58(config-mac-acl-test)#show context mac access-list test deny 41-85-45
12 insert [deny|permit] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk| arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description )} Parameters insert [deny|permit] (log,mark [8021p <0-7>|dscp <0-63>], rule-precedence <1-5000>) {(rule-description )} insert [deny|permit] Inserts a deny or permit rule within an MAC ACL Provide the match criteria for this deny/permit rule.
12 deny host B4-C7-99-6D-CD-9B any rule-precedence 2 rfs4000-229D58(config-mac-acl-test1)# In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2’ rule changes to precedence 3.
12 host Specify the source host’s exact MAC address. Specify the destination MAC address and mask any Identifies all devices as the destination to deny/permit access host Specify the destination host’s exact MAC address. dotp1p <0-7> Specify the 802.1p priority value from 0 -7. Specify the EtherType value. type [8021q|<1-65535>| aarp|appletalk|arp|ip|ipv6| ipx|mint|rarp|wisp] vlan <1-4095> Specify the VLAN ID.
12 Related Commands: deny Creates a MAC deny ACL permit Creates a MAC permit ACL permit mac-access-list Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for forwarding. You can also use this command to modify an existing permit rule. NOTE Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provide the hexadecimal values for each listed EtherType.
12 Configures the destination MAC address and mask to match • – Specify the destination MAC address to match. • – Specify the destination MAC address mask to match. Packets addressed to the specified MAC addresses are forwarded. DEST-MAC-MASK Specifies the destination MAC address mask to match any Identifies all devices as the destination to permit access. Packets addressed to any destination are forwarded.
12 Layer 2 traffic is not allowed by default. To adopt an access point through an interface, configure an ACL to allow an Ethernet WISP. Use the mark option to specify the type of service (tos) and priority value. The tos value is marked in the IP header and the 802.1p priority value is marked in the dot1q frame. Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is marked based on the ACL’s configuration.
Chapter DHCP-SERVER-POLICY 13 This chapter summarizes Dynamic Host Control Protocol (DHCP) server policy commands in the CLI command structure. DHCP automatically assigns network IP addresses to requesting clients to enable them access to network resources. DHCP tracks IP address assignments, their lease times and their availability. Each subnet can be configured with its own address pool.
13 help revert service show write Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-dhcp-policy-test)# dhcp-server-policy Table 11 summarizes DHCP server policy configuration commands.
13 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: bootp ignore Parameters bootp ignore bootp ignore Enables controllers to ignore BOOTP requests Example rfs7000-37FABE(config-dhcp-policy-test)#bootp ig
13 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: dhcp-class Parameters dhcp-class Creates a DHCP user class
13 The following table summarizes DHCP user class configuration commands.
13 Related Commands: no Disables the multiple user class option for the selected DHCP user class policy no dhcp-class-mode commands Removes this DHCP user class policy’s settings Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility R
13 Related Commands: multiple-user-class Enables or disables multiple user class option for this DHCP user class policy option Configures DHCP user class options for this DHCP user class policy option dhcp-class-mode commands Configures DHCP user class options for this DHCP user class policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobilit
13 The following table summarizes DHCP pool configuration mode commands. Command Description Reference dhcp-pool Creates a DHCP pool and enters its configuration mode page 936 dhcp-pool-mode commands Summarizes DHCP pool configuration mode commands page 937 dhcp-pool dhcp-pool Configures a DHCP server address pool DHCP services are available for specific IP interfaces. A pool (or range) of IP network addresses and DHCP options can be created for each IP interface defined.
13 excluded-address lease netbios-name-server netbios-node-type network next-server no option respond-via-unicast static-binding static-route update Prevent DHCP Server from assigning certain addresses Address lease time NetBIOS (WINS) name servers NetBIOS node type Network on which DHCP server will be deployed Next server in boot process Negate a command or set its defaults Raw DHCP options Send DHCP offer and DHCP Ack as unicast messages Configure static address bindings Add static routes to be installed
13 Command Description Reference next-server Configures the next server in the boot process page 950 no Negates a command or sets its default no option Configures RAW DHCP options page 935 respond-via-unicast Sends a DHCP offer and DHCP Ack as unicast messages page 956 static-route Configures a static route for a DHCP pool page 956 update Controls the usage of the DDNS service page 957 static-binding Configures static address bindings page 958 address dhcp-pool-mode commands Adds IP
13 range [| ] [| Adds a range of IP addresses to the DHCP address pool.
13 Example rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#bootfile test.txt rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context dhcp-pool testPool address 192.168.13.4 class dhcpclass1 bootfile test.txt rfs4000-229D58(config-dhcp-policy-test-pool-testPool)# Related Commands: no Resets the boot image path for BOOTP clients bootp Configures BOOTP protocol parameters ddns dhcp-pool-mode commands Configures Dynamic Domain Name Service (DDNS) parameters.
13 ddns multiple-user-class multiple-user-class Enables the multiple user class options with this DDNS domain ddns server [|] {|} server Configures the DDNS server used by this DHCP profile [|] Configures the primary DDNS server. This is the default server.
13 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: default-router [|] {|} Parameters default-router [|
13 For DHCP clients, the DNS server’s IP address maps the hostname to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured.
13 Provides the domain name used by the controller with this pool Domain names are not case sensitive and can contain alphabetic or numeric letters or a hyphen. The FQDN consists of the host name and the domain name. For example, computername.domain.com.
13 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: excluded-address [||range] excluded-address excluded-address excluded-address range [|] [| ] Parameters excluded-address Adds a single IP address to the excluded address list excluded-address Add
13 Related Commands: no Removes the exclude IP addresses settings lease dhcp-pool-mode commands A lease is the duration a DHCP issued IP address is valid. Once a lease expires, and if the lease is not renewed, the IP address is revoked and is available for reuse. Generally, before an IP lease expires, the client tries to get the same IP address issued for the next lease period. This feature is enabled by default, with a lease period of 24 hours (1 day).
13 ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 rfs4000-229D58(config-dhcp-policy-test-pool-testPool)# Related Commands: no Resets values or disables the DHCP pool lease settings netbios-name-server dhcp-pool-mode commands Configures the NetBIOS (WINS) name server’s IP address. This server is used to resolve NetBIOS host names.
13 ddns server 192.168.13.9 ddns domainname WID ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.25 rfs4000-229D58(config-dhcp-policy-test-pool-testPool)# Related Commands: no Removes the NetBIOS name server settings netbios-node-type dhcp-pool-mode commands Defines the predefined NetBIOS node type.
13 ddns domainname WID ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation netbios-node-type b-node bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.
13 netbios-node-type b-node bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.
13 dns-server 192.168.13.19 netbios-name-server 192.168.13.25 next-server 192.168.13.
13 no [bootfile|default-router|dns-server|domain-name|lease|netbios-name-server| netbios-node-type|next-server|network|respond-via-unicast] no bootfile Removes a BOOTP bootfile configuration no default-router Removes the configured default router for the DHCP pool no dns-server Removes the configured DNS server for the DHCP pool no domain-name Removes the configured DNS domain name no lease Resets the lease to its default (24 hours) no netbios-name-server Removes the configured NetBIOS name serve
13 no excluded-address range [|] [|] no excluded-address Removes a range of excluded IP addresses from the list of addresses that cannot be issued by the DHCP server range [|] [| ] Removes a range of IP addresses and host aliases associated with this DHCP pool’s excluded address list. • – Specify the first IP address in the range.
13 bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.25 next-server 192.168.13.
13 option dhcp-pool-mode commands Configures raw DHCP options. The DHCP option must be configured under the DHCP server policy. The options configured under the DHCP pool/DHCP server policy can also be used in static-bindings.
13 respond-via-unicast dhcp-pool-mode commands Sends DHCP offer and acknowledgement as unicast messages Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: respond-via-un
13 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: static-route Parameters static-route Specifies the IP destination prefix (for example, 10.0.0.0/8) Specifies the gateway IP address Example rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-route 192.168.13.0/ 24 192.168.13.
13 Parameters update dns {override} dns {override} Configures DDNS parameters override – Optional. Enables DDNS updates on an onboard DHCP server • Usage Guidelines: A DHCP client cannot perform updates for RR’s A, TXT and PTR resource records. Use update (dns)(override)to enable the internal DHCP server to send DDNS updates for resource records. The DHCP server can override the client, even if the client is configured to perform the updates.
13 Configures static address bindings A static address binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client. Bindings are managed by DHCP servers. DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses. Static bindings assign IP addresses without creating numerous host pools with manual bindings. Static host bindings use a text file the DHCP server reads.
13 domain-name ip-address netbios-name-server netbios-node-type next-server no option respond-via-unicast static-route Configure domain-name Fixed IP address for host NetBIOS (WINS) name servers NetBIOS node type Next server in boot process Negate a command or set its defaults Raw DHCP options Send DHCP offer and DHCP Ack as unicast messages Add static routes to be installed on dhcp clients clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this
13 Related Commands: no Resets values or disables the DHCP policy static binding settings static-binding-mode commands Invokes static binding configuration commands static-binding-mode commands static-binding The following table summarizes static binding configuration mode commands.
13 Parameters bootfile Sets the path to the boot image for BOOTP clients. The file name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted. Example rfs7000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#bootfile test.txt rfs7000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test bootfile test.
13 Related Commands: no Resets values or disables DHCP pool static binding settings default-router static-binding-mode commands Configures a default router or gateway IP address for the static binding configuration Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade
13 dns-server static-binding-mode commands Configures the DNS server for this static binding configuration. This DNS server supports the client for which the static binding has been configured. For this client, the DNS server’s IP address maps the host name to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured.
13 Related Commands: no Resets values or disables DHCP pool static binding settings domain-name static-binding-mode commands Sets the domain name for the static binding configuration Domain names are not case sensitive and contain alphabetic or numeric letters (or a hyphen). A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.
13 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ip-address [|] Parameters ip-address [|] Configures a fixed IP address (in dotted decimal format) of the
13 netbios-name-server [|] {|} Parameters netbios-name-server [|] {|} [|] Configures the primary NetBIOS server, using one of the following options: • – Specifies the primary NetBIOS name server’s IP address • – Specifies a host alias, mapped to the primary NetBIOS name server’s IP address {| } Optional.
13 Parameters netbios-node-type [b-node|h-node|m-node|p-node] [b-node|h-mode| m-node|p-node] Defines the netbios node type • b-node – Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name. • h-node – Sets the node type as hybrid. Uses a combination of two or more nodes. • m-node – Sets the node type as mixed. A mixed node uses broadcasted queries to find a node, and failing that, queries a known p-node name server for the address.
13 next-server [||] Configures the next server’s (the first server in the boot process) IP address Configures a host alias, mapped to the next server’s IP address – Specify the host alias name. It should be existing and configured. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’.
13 no [bootfile|client-name|default-router|dns-server|domain-name|ip-address|netbio s-name-server|netbios-node-type|next-server||respond-via-unicast] no bootfile Removes the BOOTP bootfile configuration no client-name Removes the client name from the static binding configuration no default-router Removes the default router from the static binding configuration no dns-server Removes the DNS server from the static binding configuration no domain-name Removes the DNS domain name no ip-address Remove
13 client-name RFID domain-name documentation netbios-node-type b-node netbios-name-server 172.16.10.23 next-server 172.16.10.
13 Defines non standard DHCP option codes (0-254) NOTE An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show runnig config to view the output). Use a double backslash to represent a single backslash. Example rfs7000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#option option1 172.16.10.
13 Related Commands: no Resets values or disables DHCP pool static binding settings static-route static-binding-mode commands Adds static routes to the static binding configuration Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility
13 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [bootp|dhcp-class|dhcp-pool|option|ping] no bootp ignore no dhcp-class no dhcp-pool
13 dhcp-pool pool1 address 1.2.3.
13 hexstring Configures the DHCP option as a hexadecimal string ip Configures the DHCP option as an IP address Usage Guidelines: Defines non standard DHCP option codes (0-254) NOTE An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show runnig config to view the output). Use a double backslash to represent a single backslash.
13 ping timeout 2 option option1 200 ascii rfs7000-37FABE(config-dhcp-policy-test)# Related Commands: no Resets the ping interval to 1 second Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01 977
Chapter 14 FIREWALL-POLICY This chapter summarizes the firewall policy commands in the CLI command structure. A firewall protects a network from attacks and unauthorized access from outside the network. Simultaneously, it allows authorized users to access required resources. Firewalls work on multiple levels. Some work at layers 1, 2 and 3 to inspect each packet. The packet is either passed, dropped or rejected based on rules configured on the firewall.
14 service show write Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-fw-policy-test)# firewall-policy Table 12 summarizes default firewall policy configuration commands.
14 Enables logging on flow creating traffic Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: acl-logging Parameters None Example rfs4000-229D58(config-fw-policy-test)
14 alg [dns|facetime|ftp|sccp|sip|tftp] Parameters alg [dns|facetime|ftp|sccp|sip|tftp] alg Enables preconfigured algorithms. The default is enabled. dns Enables the Domain Name System (DNS) algorithm. The default is enabled. facetime Enables the FaceTime algorithm. The default is enabled. ftp Enables the File Transfer Protocol (FTP) algorithm. The default is enabled. sccp Enables the Skinny Call Control Protocol (SCCP) algorithm. The default is enabled.
14 Related Commands: no Disables limiting of the TCP MSS dhcp-offer-convert firewall-policy Enables the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This option is disabled by default.
14 Syntax: dns-snoop entry-timeout <30-86400> Parameters dns-snoop entry-timeout <30-86400> entry-timeout <30-86400> Sets the DNS snoop table entry timeout interval from 30 - 86400 seconds. An entry is retained in the DNS snoop table only for the specified time, and is deleted once this time is exceeded. The default is 1,800 seconds.
14 Related Commands: no Disables a device’s firewall flow firewall-policy Defines the session flow timeout interval for different packet types Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocad
14 flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400> timeout Configures a packet timeout tcp Configures the timeout for TCP packets close-wait Configures the closed TCP flow timeout. The default is 10 seconds. reset Configures the reset TCP flow timeout. The default is 10 seconds. setup Configures the opening TCP flow timeout. The default is 10 seconds. stateless-fin-or-reset Configures stateless TCP flow timeout created with the FIN or RESET packets.
14 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ip [dos|tcp] ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol| ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork| tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan| tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge| udp-short-hdr|winnuke} ip
14 ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce| invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-so licit| smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-pos t-scan| tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuk e} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors| informational|notifications|warnings] dos Identifies IP events as DoS events ascend Optional.
14 option-route Optional. Enables an IP Option Record Route DoS check router-advt Optional. Detects router-advertisement attacks This attack uses ICMP to redirect the network router function to some other host. If that host can not provide router services, a DoS of network communications occurs as routing stops. This can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router).
14 tcp-intercept Optional. Prevents TCP intercept attacks by using TCP SYN cookies A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established.
14 alerts Numerical severity 1. Indicates a condition where immediate action is required critical Numerical severity 2. Indicates a critical condition errors Numerical severity 3. Indicates an error condition warnings Numerical severity 4. Indicates a warning condition notification Numerical severity 5. Indicates a normal but significant condition informational Numerical severity 6. Indicates a informational condition debugging Numerical severity 7.
14 tcp-fin-scan Optional. A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports. tcp-intercept Optional. Prevents TCP intercept attacks by using TCP SYN cookies tcp-null-scan Optional. A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports tcp-post-syn Optional. Enables a TCP post SYN DoS attack tcp-sequence-past-window Optional.
14 rfs7000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete high 600 rfs7000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete low 60 rfs7000-37FABE(config-fw-policy-test)#ip dos tcp-sequence-past-window drop-only rfs7000-37FABE(config-fw-policy-test)#show context firewall-policy test ip dos fraggle drop-only ip dos tcp-sequence-past-window drop-only ip dos tcp-max-incomplete high 600 ip dos tcp-max-incomplete low 60 flow timeout icmp 16000 flow timeout udp 10000 flow timeout tcp established 15
14 ip-mac conflict drop-only conflict Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default. drop-only Drops a packet without logging ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug| emergencies|errors|informational|notifications|warnings] conflict Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default. log-and-drop Logs the event and drops the packet.
14 informational Numerical severity 6. Indicates a informational condition notification Numerical severity 5. Indicates a normal but significant condition warnings Numerical severity 4. Indicates a warning condition. This is the default setting.
14 logging verbose logging Configures enhanced firewall logging. This option is disabled by default. verbose Enables verbose logging logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited] logging Configures enhanced firewall logging icmp-packet-drop Drops ICMP packets that do not pass sanity checks. The default is none. malformed-packet-drop Drops raw IP packets that do not pass sanity checks. The default is none. all Logs all messages rate-limited Enables rate-limited logging.
14 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [acl-logging|alg|clamp|dhcp-offer-convert|dns-snoop|firewall|flow|ip|ip-mac|l ogging| proxy-arp|stateful-packet-inspection-l2|storm-control|virtual-defragmentation ] no [acl-logging|dhcp-offer-convert|proxy-arp|stateful-packet-inspection-l2] no alg [dns|ftp|sip|tftp] no clamp tcp-mss no dns-snoop entry-timeout no firewall enable no flow dhcp stateful no flow timeout [icmp|other|udp] no flow timeout tcp [closed-wait|established|reset|setup|stateles
14 no proxy-arp Disables the generation of ARP responses on behalf of other devices no stateful-packet-inspection-l2 Disables layer 2 stateful packet inspection no alg [dns|ftp|sip|tftp] no alg Disables preconfigured algorithms (dns, ftp, sip, and tftp) dns Disables the DNS algorithm ftp Disables the FTP algorithm sip Disables the SIP algorithm tftp Disables the TFTP algorithm no clamp tcp-mss no clamp tcp-mss Disables TCP MSS size limiting to the size of the MTU in the inner protocol of a tu
14 stateless-fin-or-reset Disables the timeout for TCP flows in stateless FIN or RST status stateless-general Disables the timeout for TCP flows in general stateless states no ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce| invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-so licit| smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-pos t-syn| tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuk e} no ip Disabl
14 snork Optional. Disables snork attack checks This attack causes a remote Windows™ NT to consume 100% of the CPU’s resources. This attack uses a UDP packtet with a destination port of 135 and a source port of 7, 9, or 135. This attack can also be exploited as a bandwidth consuming attack. tcp-bad-sequence Optional. Disables tcp-bad-sequence checks This DoS attack uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network of a specific TCP connection.
14 no ip-mac conflict no ip-mac Disables IP MAC configuration conflict Disables the action performed when a conflict exists between the IP address and MAC address no ip-mac routing conflict no ip-mac Disables IP MAC configuration routing Configures a routing table based action conflict Disables the action performed when a conflict exists in the routing table no logging [icmp-packet-drop|verbose|malformed-packet-drop] no logging Disables enhanced firewall logging icmp-packet-drop Disables droppi
14 Example rfs7000-37FABE(config-fw-policy-test)#show context firewall-policy test ip dos fraggle drop-only no ip dos tcp-sequence-past-window ip dos tcp-max-incomplete high 600 ip dos tcp-max-incomplete low 60 storm-control broadcast level 20000 ge 4 storm-control arp log warnings ip-mac conflict drop-only ip-mac routing conflict log-and-drop log-level notifications flow timeout icmp 16000 flow timeout udp 10000 flow timeout tcp established 1500 flow timeout other 16000 dhcp-offer-convert logging icmp-pack
14 flow Configures firewall flows ip Configures IP settings ip-mac Defines actions based on the device IP MAC table logging Configures firewall logging proxy-arp Enables the generation of ARP responses on behalf of other devices stateful-packet-inspection-12 Enables layer 2 stateful packet inspection storm-control Configures storm control virtual-defragmentation Configures the virtual defragmentation of packets at the firewall level proxy-arp firewall-policy Enables the generation of ARP res
14 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: stateful-packet-inspection-l2 Parameters None Example rfs7000-37FABE(config-fw-policy-test)#stateful-packet-inspection-l2 rfs7000-37FABE(config-fw-policy-test)# Related Commands: no Disables stateful packet inspection in a layer 2 firewall storm-control firewall-policy Enables storm control on the firewall policy Storms are packet bombardments t
14 storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>| ge <1-8>|port-channel <1-8>|up1|wlan ] arp Configures storm control for ARP packets broadcast Configures storm control for broadcast packets multicast Configures storm control for multicast packets unicast Configures storm control for unicast packets level <1-1000000> Configures the allowed number of packets received per second before storm control begins <1-1000000> – Sets the number of packets received per
14 ip dos tcp-max-incomplete low 60 storm-control broadcast level 20000 ge 4 storm-control arp log warnings ip-mac conflict drop-only ip-mac routing conflict log-and-drop log-level notifications flow timeout icmp 16000 flow timeout udp 10000 flow timeout tcp established 1500 flow timeout other 16000 dhcp-offer-convert logging icmp-packet-drop rate-limited logging malformed-packet-drop all logging verbose dns-snoop entry-timeout 35 rfs7000-37FABE(config-fw-policy-test)# Related Commands: no Disables storm
14 Example rfs7000-37FABE(config-fw-policy-test)#virtual-defragmentation maximum-fragments-per-datagram 10 rfs7000-37FABE(config-fw-policy-test)#virtual-defragmentation minimum-first-fragment-length 100 rfs7000-37FABE(config-fw-policy-test)# Related Commands: no Resets values or disables virtual defragmentation settings Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01 1007
Chapter 15 MINT-POLICY This chapter summarizes MiNT policy commands in the CLI command structure. All communication using the MiNT transport layer can be optionally secured. This includes confidentiality, integrity and authentication of all communications. In addition, a device can be configured to communicate over MiNT with other devices authorized by an administrator. Use the (config) instance to configure mint-policy related configuration commands.
15 TABLE 13 MiNT-Policy-Config Commands Command Description Reference end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help Displays the interactive help system page 387 revert Reverts changes to their last saved configuration page 394 service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 write
15 Related Commands: no Disables level 2 MiNT packet routing (inter-site packet routing) mtu mint-policy Configures global MiNT Multiple Transmission Unit (MTU). Use this command to specify the maximum packet size, in bytes, for MiNT routing. Higher the MTU values, greater is the network efficiency. The user data per packet increases, while protocol overheads, such as headers or underlying per-packet delays remain the same.
15 Configures the priority for MiNT router packets (HELLO, LSP, PSNP, and EXTVLAN) Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: router packet priority <0-7> Param
15 udp port <2-65534> port <2-65534> Configures default UDP port used for MiNT control packet encapsulation • <2-65534> – Enter a value from 2 - 65534. This value specifies an alternate UDP port used by MiNT control packets and must be an even number. The specified port number plus 1 is used to carry MiNT data packets. The default value is 24576.
15 no level 2 area-id no level 2 Disables level 2 MiNT routing area identifier Negates the area identifier no mtu no mtu Reverts the configured MiNT MTU value to its default no router packet priority no router packet priority Resets the MiNT router packet priority to default no udp port no udp Resets the UDP/IP encapsulation parameters to its default port Uses the default UDP port for MiNT encapsulation Example The following example shows the global Mint Policy parameters
Chapter MANAGEMENT-POLICY 16 This chapter summarizes management policy commands in the CLI command structure. A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles. A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP).
16 rfs7000-37FABE(config-management-policy-test)#? Management Mode commands: aaa-login Set authentication for logins banner Define a login banner ftp Enable FTP server http Hyper Text Terminal Protocol (HTTP) https Secure HTTP idle-session-timeout Configure idle timeout for a configuration session (GUI or CLI) no Negate a command or set its defaults privilege-mode-password Set the password for entering CLI privilege mode restrict-access Restrict management access to the device snmp-server SNMP ssh Enable ss
16 TABLE 14 Management-Policy-Config Commands Command Description Reference user Creates a new user account page 1035 service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 1037 clrscr Clears the display screen page 385 commit Commits (saves) changes made in the current session page 386 end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help Display
16 aaa-login radius [external|fallback|policy ] radius Configures the RADIUS server parameters If local authentication is disabled, use this command to specify if the RADIUS server used is external, fallback, or specified by a AAA policy. external Configures external RADIUS server as the preferred authentication mode fallback Configures RADIUS server authentication as the primary authentication mode. When RADIUS server authentication fails, the system uses local authentication.
16 Configures the message of the day (motd) text. This text is displayed at login to clients connecting through Telnet or SSH.
16 Syntax: ftp {password|rootdir|username} ftp {password [1 |]} ftp {rootdir } ftp {username password [1 |] rootdir } Parameters ftp {password [1 |]} ftp password Optional. Configures the FTP server password 1 Configures an encrypted password. Use this option when copy pasting the password from another device. • – Specify the password.
16 Related Commands: no Disables FTP and its settings, such as the server password, root directory, and users http management-policy Enables Hyper Text Transport Protocol (HTTP) on this management policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RF
16 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: https server Parameters https server https server Enables HTTPS on this management policy.
16 Parameters idle-session-timeout <1-4320> <1-4320> Sets the interval, in minutes, after which an idle session is timed out. Specify a value from 1 - 4320 minutes. The default is 30 minutes.
16 no [idle-session-timeout|privilege-mode-password|restrict-access] no snmp-server [community|display-vlan-info-per-radio|enable|host|manager| max-pending-requests|request-timeout|suppress-security-configuration-level| throttle|user] no snmp-server [community |display-vlan-info-per-radio|enable traps| host {<1-65535>}|manager [all|v1|v2|v3]|max-pending-requests|request-timeout| suppress-security-configuration-level|throttle|user [snmpmanager|snmpoperator| snmptrap]] no ssh {login-grace-time|port
16 no snmp-server [community |display-vlan-info-per-radio|enable traps|host {<1-65535>}|manager [all|v1|v2|v3]|max-pending-requests|request-timeout| suppress-security-configuration-level|throttle|user [snmpmanager|snmpoperator| snmptrap]] no snmp-server Disables the SNMP server parameters community Disables SNMP server access to a community – Specify the community name.
16 ftp username superuser password 1 7ccb4568cb83e54f1e402f785a78ee930a453afda152baaf7c2b79277f225872 rootdir dir no ssh aaa-login radius external aaa-login radius policy test idle-session-timeout 100 banner motd "Have a Good Day" rfs7000-37FABE(config-management-policy-test)# rfs7000-37FABE(config-management-policy-test)#no banner motd rfs7000-37FABE(config-management-policy-test)#no idle-session-timeout rfs7000-37FABE(config-management-policy-test)#no http server The following example shows the management
16 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: privilege-mode-password [1 |] Parameters privilege-mode-password [1 |] 1 Configures an enc
16 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: restrict-access [host|ip-access-list|subnet] restrict-access host {|log|subnet} restrict-access host {|log [all|denied-only]} restrict-a
16 restrict-access subnet {|log [all|denied-only]} subnet Restricts access to a specified subnet. Uses a subnet IP address to filter access requests • – Sets the IP address of the subnet in the A.B.C.D/M format Optional. Use this option to add multiple subnets, if required, to the restrict access list. log [all|denied-only] Optional. Configures a logging policy for access requests.
16 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: snmp-server [community|enable|display-vlan-info-per-radio|host|manager| max-pending-requests|request-timeout|suppre
16 snmp-server enable traps enable traps Enables trap generation (using the trap receiver configuration defined). This feature is disabled by default. Enabling this feature ensures the dispatch of SNMP notifications to all hosts. In a managed network, the controller uses SNMP trap receivers to notify faults. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices and are therefore an important fault management tool.
16 throttle <1-100> Sets CPU usage for SNMP activities. Use this command to set the CPU usage from 1 - 100. suppress-security-configurati on-level [0|1] Sets the level of suppression of SNMP security configuration information • 0 – If this option is selected, an empty string is returned for the SNMP request for security configuration information. Security configuration information consists of: • Passwords • Keys • Shared secrets The default setting is 0.
16 Example rfs7000-37FABE(config-management-policy-test)#snmp-server community snmp1 ro rfs7000-37FABE(config-management-policy-test)#snmp-server host 172.16.10.
16 ssh {login-grace-time <60-300>|port <1-65535>} ssh Enables SSH communication between client and server login-grace-time <60-300> Optional. Configures the login grace time. This is the interval, in seconds, after which an unsuccessful login is disconnected. • <60-300> – Specify a value from 60 - 300 seconds. The default is 60 seconds. port <1-65535> Optional. Configures the SSH port. This is the port used for SSH connections. • <1-65535> – Specify a value from 1 - 165535. The default port is 22.
16 Parameters telnet {port <1-65535>} telnet Enables Telnet port <1-65535> Optional. Configures the Telnet port. This is the port used for Telnet connections. • <1-65535> – Sets a value from 1 - 165535. The default port is 23.
16 user password [0 |1 |] role [helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-use r-admin] access [all|console|ssh|telnet|web] user password [0 | 1 | ] role access [all|console|ssh| telnet|web] Adds new user account to this management policy • – Sets the username Configures a password 0 – Sets a clear text password 1 – Sets the SHA1 hash of the passwo
16 rfs7000-37FABE(config-management-policy-test)# Related Commands: no Removes a user account service management-policy Invokes service commands Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Bro
16 +-fib [show debugging fib(|(on DEVICE-NAME))] +-on +-DEVICE-NAME [show debugging fib(|(on DEVICE-NAME))] +-wireless [show debugging wireless (|(on DEVICE-OR-DOMAIN-NAME))] +-on --More-- Related Commands: no 1038 Disables the inclusion of an asterix indicator notifying the presence of crash files Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01
Chapter RADIUS-POLICY 17 This chapter summarizes the RADIUS group, server, and user policy commands in the CLI command structure. Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to authenticate users and authorize their access to the network. RADIUS is a distributed client/server system that secures networks against unauthorized access.
17 • Define the days of the week the user is allowed to login • Rate limit traffic (for non-management users) RADIUS users are categorized into three groups: normal user, management user, and guest user. A RADIUS group not configured as management or guest is a normal user group. User access and role settings depends on the RADIUS group the user belongs. Use the (config) instance to configure RADIUS group commands. This command creates a group within the existing RADIUS group.
17 TABLE 15 RADIUS-Group-Config Commands Command Description Reference service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 write Writes information to memory or terminal page 425 guest radius-group Configures this group as a guest (non-management) group. A guest user group has temporary permissions to the controller’s local RADIUS server.
17 NOTE A user-based VLAN is effective only if dynamic VLAN authorization is enabled for the WLAN.
17 policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)} access Configures access type for a management group. Management groups can be assigned unique access and role permissions. • all – Allows all access.
17 policy time start end time start end Configures the time when this RADIUS group can access the network • start – Sets the start time in the HH:MM format (for example, 13:30 means the user can login only after 1:30 PM). Specifies the time users, within each listed group, can access the local RADIUS resources • end – Sets the end time in the HH:MM format (for example, 17:30 means the user is allowed to remain logged in until 5:30 PM).
17 Related Commands: no Removes or modifies a RADIUS group’s access settings rate-limit radius-group Sets the rate limit for the guest RADIUS server group Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platfo
17 Related Commands: no Removes the RADIUS guest group’s rate limits no radius-group Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.
17 no policy day [all|fr|mo|sa|su|th|tu|we|weekdays] no policy days Removes or modifies the days on which access is provided to a RADIUS guest group all – Removes access on all days (Monday to Sunday) fr – Removes access on Fridays only mo – Removes access on Mondays only sa – Removes access on Saturdays only su – Removes access on Sundays only th – Removes access on Thursdays only tu – Removes access on Tuesdays only Contd..
17 rfs7000-37FABE(config-radius-group-test)#no policy day all The following example shows the RADIUS guest group ‘test’ settings after the ‘no’ commands are executed: rfs7000-37FABE(config-radius-group-test)#show context radius-group test policy vlan 1 policy ssid motorolasol policy time start 13:30 end 17:30 rfs7000-37FABE(config-radius-group-test)# Related Commands: guest Manages a guest user linked with a captive portal policy Sets a RADIUS group’s authorization policies rate-limit Sets a RADIUS gr
17 clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-radius-server-policy-test)# The following table summarizes RADIUS server policy configuratio
17 Specifies the RADIUS datasource used for user authentication. Options include local for the local user database or LDAP for a remote LDAP resource.
17 peap-gtc Enables PEAP with default authentication using GTC peap-mschapv2 Enables PEAP with default authentication using MSCHAPv2 tls Enables TLS as the EAP type ttls-md5 Enables TTLS with default authentication using md5 ttls-mschapv2 Enables TTLS with default authentication using MSCHAPv2 ttls-pap Enables TTLS with default authentication using PAP Example rfs7000-37FABE(config-radius-server-policy-test)#authentication eap-auth-type tls rfs7000-37FABE(config-radius-server-policy-test)#show c
17 Example rfs7000-37FABE(config-radius-server-policy-test)#chase-referral Related Commands: no Disables LDAP server referral chasing crl-check radius-server-policy Enables a certificate revocation list (CRL) check on this RADIUS server policy A CRL is a list of revoked certificates issued and subsequently revoked by a Certification Authority (CA).
17 When a user's credentials are stored on an external LDAP server, the local RADIUS server cannot successfully conduct PEAP-MSCHAPv2 authentication, since it is not aware of the user's credentials maintained on the external LDAP server resource. Therefore, up to two LDAP agents can be provided locally so remote LDAP authentication can be successfully accomplished on the remote LDAP resource (using credentials maintained locally).
17 domain-name This keyword is common to both the ‘primary’ and ‘secondary’ parameters. • domain-name – Configures the primary or secondary LDAP server’s domain name • – Specify the domain name. domain-admin-user This keyword is common to both the ‘primary’ and ‘secondary’ parameters. • domain-admin-user – Configures the primary or secondary LDAP server’s admin user name • – Specify the admin user’s name.
17 ldap-group-verification radius-server-policy Enables LDAP group verification settings on this RADIUS server policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax:
17 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ldap-server [dead-period|primary|secondary] ldap-server dead-period <0-600> ldap-server [primary|secondary] host port <1-65535> login bind-dn base-dn passwd [0 |2 | ] passwd-attr group-attr group-filter group-membership {net-timeout <1-10>} P
17 passwd-attr Specify the LDAP server password attribute (should not exceed 63 characters). group-attr Specify a name to configure group attributes (should not exceed 31 characters). LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group an administrator can specify search criteria. All users matching the search criteria are considered a member of this dynamic group. Specify a group attribute used by the LDAP server.
17 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: local realm Parameters local realm realm Configures a local RADIUS realm • – Sets a local RADIUS realm name (a string not exceeding 50 characters) Example rfs7000-37FABE(config-radius-server-policy-test)#local realm realm1 rfs7000-37FABE(config-radius-server-policy-test)#show context rad
17 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: nas secret [0|2|] nas secret [0 |2 |] Parameters nas secret [0 |2|] Sets the RADIUS clie
17 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [authentication|chase-referral|clr-check|ldap-agent|ldap-group-verification| ldap-server|local|nas|proxy|session-resumption|use] no authentication [dat
17 no nas Removes a RADIUS server’s client – Sets the IP address of the RADIUS client in the A.B.C.
17 crl-check nas 172.16.10.10/24 secret 0 wirelesswell local realm realm1 ldap-server primary host 172.16.10.
17 A user’s access request is sent to a proxy RADIUS server if it cannot be authenticated by the local RADIUS resources. The proxy server checks the information in the user access request and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required to authenticate the user.
17 proxy retry-delay <5-10> retry-delay <5-10> Sets the proxy server’s retry delay count. This is the interval the controller’s RADIUS server waits before making an additional connection attempt. • <5-10> – Sets a value from 5 - 10 seconds (default is 5 seconds) Usage Guidelines: A maximum of five RADIUS proxy servers can be configured. The proxy server attempts six retries before it times out. The retry count defines the number of times RADIUS requests are transmitted before giving up.
17 Syntax: session-resumption {lifetime|max-entries} session-assumption {lifetime <1-24> {max-entries <10-1024>}|max-entries <10-1024>} Parameters session-assumption {lifetime <1-24> {max-entries <10-1024>}| max-entries <10-1024>} Optional. Sets the lifetime of cached entries lifetime <1-24> {max-entries <10-1024>} • <1-24> – Specify the lifetime period from 1 - 24 hours (default is 1 hour) • max-entries – Optional.
17 Syntax: use [radius-group {RAD-GROUP-NAME2}|radius-user-pool-policy ] Parameters use [radius-group {RAD-GROUP-NAME2}|radius-user-pool-policy ] radius-group {RAD-GROUP-NAME2} Associates a specified RADIUS group (for LDAP users) with this RADIUS server policy You can optionally associate two RADIUS groups with one RADIUS server policy.
17 The following table summarizes RADIUS user pool policy configuration commands.
17 user password [0 |2 |] {group {guest expiry-time expiry-date {(email-id |start-time start-date | telephone )}}} user Adds a new RADIUS user to the RADIUS user pool – Specify the name of the user. The username should not exceed 64 characters.
17 no radius-user-pool-policy Negates a command or sets its default.
Chapter RADIO-QOS-POLICY 18 This chapter summarizes the radio QoS policy in the CLI command structure. Configuring and implementing a radio QoS policy is essential for WLANs with heavy traffic and less bandwidth. The policy enables you to provide preferential service to selected network traffic by controlling bandwidth allocation. The radio QoS policy can be applied to VLANs configured on an access point.
18 Enabling WMM support on a WLAN just advertises the WLAN’s WMM capability and radio configuration to wireless clients. The wireless clients must also support WMM and use the values correctly while accessing the WLAN to benefit. WMM includes advanced parameters (CWMin, CWMax, AIFSN and TXOP) specifying back-off duration and inter-frame spacing when accessing the network. These parameters are relevant to both connected access point radios and their wireless clients.
18 write Write running configuration to memory or terminal rfs7000-37FABE(config-radio-qos-test)# radio-qos-policy Table 16 summarizes radio QoS policy configuration commands.
18 accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy| stream-threshold] accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>| max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>] Parameters accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>| max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>] client-timeout <5-6000> • Configures a timeout period in seconds for wireless clients <5-
18 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: admission-control [background|best-effort|firewall-detected-traffic|implicit-tspec| video|voice] admission-control [firewall-detected-traffic|implicit-tsp
18 max-airtime-percent <0-150> Optional. Specifies the maximum percentage of airtime, including oversubscription, for the following access category: • background – Sets the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for low (background) client traffic. Background traffic only needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved to support background data.
18 max-roamed-clients <0-256> Optional.
18 Negates a command or resets configured settings to their default. When used in the radio QOS policy mode, the no command enables the resetting of accelerated multicast parameters, admission control parameters, and MultiMedia parameters.
18 no admission-control [background|best-effort|video|voice] {max-airtime-percent| max-clients|max-roamed-clients|reserved-for-roam-percent} no admission-control Reverts or resets admission control settings to their default. These controls are configured on a radio for one or more access categories.
18 rfs7000-37FABE(config-radio-qos-test)#show context radio-qos-policy test admission-control voice max-airtime-percent 9 admission-control voice reserved-for-roam-percent 8 admission-control best-effort max-clients 200 accelerated-multicast stream-threshold 15 accelerated-multicast client-timeout 500 rfs7000-37FABE(config-radio-qos-test)# rfs7000-37FABE(config-radio-qos-test)#no admission-control best-effort max-clients rfs7000-37FABE(config-radio-qos-test)#no accelerated-multicast client-timeout The follo
18 • An administrator-defined interval has elapsed since the first frame (of a set of frames to be aggregated) was received • An administrator-defined interval has elapsed since the last frame (not necessarily the final frame) of a set of frames to be aggregated was received With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated, but sent immediately.
18 smart-aggregation {min-aggregation-limit <0-64>} min-aggregation-limit <0-64> Optional. Sets the minimum number of aggregates buffered before an aggregate is sent • <0-64> – Specify a value from 0 - 64. The default is 8 frames.
18 Example rfs4000-229D58(config-radio-qos-test)#service admission-control across-reassoc rfs4000-229D58(config-radio-qos-test)# rfs4000-229D58(config-radio-qos-test)#show context radio-qos-policy test service admission-control across-reassoc rfs4000-229D58(config-radio-qos-test)# rfs4000-229D58(config-radio-qos-test)#service show cli Radio QoS Mode mode: +-help [help] +-search +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)] +-detailed [help search WORD (|detailed|only-show|skip-show|skip-
18 wmm [background|best-effort|video|voice] wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>| txop-limit <0-65535>] Parameters wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>| txop-limit <0-65535>] wmm background Configures background access category wireless multimedia settings wmm best-effort Configures best effort access category wireless multimedia settings wmm video Configures video access category wireless multimedia settings
18 cw-min <0-15> Clients select a number between 0 and the min contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window. • background – Sets CW Min for low (background) traffic. The default is 4. • best-effort – Sets CW Min for normal (best effort) traffic. The default is 4. • voice – Sets CW Min for voice traffic. The default is 2. • video – Sets CW Min for video traffic. The default is 3.
18 Related Commands: no 1086 Reverts or resets 802.
Chapter 19 ROLE-POLICY This chapter summarizes the role policy commands in the CLI command structure. A well defined role policy simplifies user management, and is a significant aspect of WLAN management. It acts as a role based firewall (much like ACLs) consisting of user-defined roles. Each role has a set of match criteria (filters) used to filter wireless clients. The action taken when a client matches the defined filters, is determined by the IP or MAC ACL associated with the user-defined role.
19 Table 17 summarizes role policy configuration commands.
19 default-role use [ip-access-list|mac-access-list] [in|out] precedence <1-100> Parameters default-role use [ip-access-list|mac-access-list] [in|out] precedence <1-100> default-role use Enables default role configuration. This role is applied to a wireless client not matching any of the user-define roles.
19 • Service Platforms — Brocade Mobility RFS9510 Syntax: ldap-deadperiod <60-300> Parameters ldap-deadperiod <60-300> ldap-deadperiod <60-300> Configures a LDAP dead period. When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details to match with user-defined role filters. The LDAP deadperiod is the interval between two consecutive attempts to bind with the LDAP server. To enable LDAP service, use the ldap-query command.
19 ldap-query [self|through-controller] self Configures LDAP query mode as self. The AP directly queries the LDAP server for user information. Select ‘self’ to use local LDAP server resources configured using the ldap-server command. through-controller Configures LDAP query mode as through-controller. The AP queries the LDAP server, for user information, through the controller. Use this option when the AP is layer 2 adopted to the controller.
19 ldap-server <1-2> host [|] bind-dn base-dn bind-password {port <1-65535>} {(server-type [active-directory|openldap])} ldap-server <1-2> Specify the LDAP server ID from 1 - 2. The primary LDAP server (ID 1) is used to bind and query. The secondary LDAP server (ID 2) is for failover. host [|] Specify the LDAP server’s IP address or Fully Qualified Domain Name (FQDN).
19 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: ldap-timeout <1-5> Parameters ldap-timeout <1-5> ldap-timeout <1-5> Configures the LDAP query timeout interval from 1 - 5 seconds (default is 2 seconds) When enabled, LDAP service allows the AP or controller to bind with the LDAP server and query it for user details.
19 no default-role use [ip-access-list|mac-access-list] no default-role use [ip-access-list|mac-access-list] [in|out] precedence <1-100> no user-role Parameters no [ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout] no ldap-deadperiod Resets the LDAP dead period interval to default (120 seconds) no ldap-query Disables LDAP service on a role policy no ldap-server <1-2> Removes the selected LDAP server settings. Specify the LDAP server ID.
19 The following example shows the role policy ‘test’ setting after the ‘no’ commands are executed: rfs7000-37FABE(config-role-policy-test)#show context role-policy test default-role use ip-access-list in test precedence 1 ldap-query self rfs7000-37FABE(config-role-policy-test)# Related Commands: default-role Assigns a default role to a wireless client ldap-deadperiod Configures the LDAP deadperiod interval ldap-query Enables LDAP service on a role policy ldap-server Configures the LDAP server setti
19 Parameters user-role precedence <1-10000> user-role Configures the user role name Specify a name for this user role. • precedence <1-10000> Sets the precedence for this role Lower the precedence, higher is the role priority. Precedence determines the order in which a role is applied. If a wireless client matches multiple roles, the role with the lower precedence is applied before those with higher precedence.
19 Related Commands: no Removes an existing user role user-role commands user-role The following table summarizes user role configuration mode commands.
19 Commands Description Reference service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 write Writes information to memory or terminal page 425 br-location user-role commands Configures an AP’s deployment location based filter for this user-defined role Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 12
19 Related Commands: no Removes an AP’s deployment location string from this user-defined role assign user-role commands Configures upstream/downstream rate limits and VLAN ID. Clients matching this user-defined role filters are associated with the specified VLAN, and assigned the specified data rates.
19 Example rfs4000-229D58(config-role-policy-test-user-role-test)#assign rate-limit to-client 200 rfs4000-229D58(config-role-policy-test-user-role-test)# rfs4000-229D58(config-role-policy-test-user-role-test)#commit rfs4000-229D58(config-role-policy-test-user-role-test)# rfs4000-229D58(config-role-policy-test-user-role-test)#show context user-role test precedence 1 assign vlan 1 assign rate-limit to-client 200 rfs4000-229D58(config-role-policy-test-user-role-test)# The following examples define a role used
19 authentication-type user-role commands Configures the authentication type based filter for this user-defined role Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: a
19 Related Commands: no Removes the authentication type filter configured for this user-defined role captive-portal user-role commands Configures a captive portal based filter for this user-defined role. A captive portal is a guest access policy that provides temporary and restrictive access to the wireless network. When applied to a WLAN, a captive portal policy ensures secure guest access. This command defines user-defined role filters based on a wireless client’s state of authentication.
19 city user-role commands Configures a wireless client filter based on the city name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: city [any|contains|exact|not-con
19 client-identity user-role commands Associates a client-identity (device fingerprinting) based filter. The role is assigned to a wireless client matching any of the defined client identities. For more information on configuring client identity fingerprints, see client-identity.
19 Related Commands: no Removes the client identities associated with this role policy company user-role commands Configures a wireless client filter based on the company name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7
19 rfs7000-37FABE(config-role-policy-test-user-role-testing)# Related Commands: no Removes the company name configured with this user-defined role country user-role commands Configures a wireless client filter based on the country name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobi
19 city exact SanJose company exact MotorolaSolutions country exact America rfs7000-37FABE(config-role-policy-test-user-role-testing)# Related Commands: no Removes the country name configured with this user-defined role department user-role commands Configures a wireless client filter based on the department name Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access P
19 authentication-type eq kerberos br-location contains office captive-portal authentication-state pre-login city exact SanJose company exact MotorolaSolutions country exact America department exact TnV rfs7000-37FABE(config-role-policy-test-user-role-testing)# Related Commands: no Removes the department name configured with this user-defined role emailid user-role commands Configures a wireless client filter based on the e-mail ID Supported in the following platforms: • Access Points — Brocade Mobility
19 Example rfs7000-37FABE(config-role-policy-test-user-role-testing)#emailid exact testing@ motorolasolutions.com rfs7000-37FABE(config-role-policy-test-user-role-testing)#show context user-role testing precedence 10 authentication-type eq kerberos br-location contains office captive-portal authentication-state pre-login city exact SanJose company exact MotorolaSolutions country exact America department exact TnV emailid exact testing@motorolasolutions.
19 exact The role is applied only when the employee type, returned by the RADIUS server, exactly matches the string specified in the role. • – Specify the exact string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should be an exact match. not-contains The role is applied only when the employee type, returned by the RADIUS server, does not contain the string specified in the role.
19 exact The role is applied only when the employee ID, returned by the RADIUS server, exactly matches the string specified in the role. • – Specify the exact string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should be an exact match. not-contains The role is applied only when the employee ID, returned by the RADIUS server, does not contain the string specified in the role.
19 Parameters encryption-type any any The encryption type can be any one of the listed options (ccmp|keyguard|tkip|wep128|wep64). This is the default setting. encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)} eq [ccmp|keyguard|none| tkip|wep128|wep64] The role is applied only if the encryption type equals to one of the following options: • ccmp: Encryption mode is CCMP • keyguard: Encryption mode is keyguard.
19 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: group [any|contains|exact|not-contains] group [any|contains |exact |not-contains ] Parameters gr
19 memberOf user-role commands Applies an Active Directory (AD) group filter to this user-defined role. A wireless client can be a member of more than one group within the AD database. This command applies a AD group based firewall, which applies a role to a wireless client only if it belongs to the specified AD group.
19 Syntax: mu-mac [|any] mu-mac any mu-mac {mask } Parameters mu-mac any any Applies role to any wireless client (no MAC address to match). This is the default setting. mu-mac {mask } Applies role to the wireless client having specified MAC address • – Sets the MAC address in the AA-BB-CC-DD-EE-FF format mask Optional. After specifying the client’s MAC address, specify the mask in the AA-BB-CC-DD-EE-FF format.
19 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [br-location|assign|authentication-type|captive-portal|city|client-identity| company|country|department|emailid|employee-type|employeeid|encryption-type| group|memberOf|mu-mac|ssid|state|title|use|user-defined] no [br-location|assign|authentication-type|city|client-identity|company|country| department|emailid|employee-type|employeeid|encryption-t
19 no title Removes the title filter no user-defined Removes the user-defined filter (an attribute defined in the AD or OpenLDAP server) no captive-portal authentication-state no captive-portal Removes the captive portal based filter authentication-state Removes the authentication state filter no use [ip-access-list|mac-access-list] [in|out] precedence <1-100> no use Removes an IP or MAC access list from this user-defined role [ip-access-list| mac-access-list] [in|out] R
19 user-role testing precedence 10 captive-portal authentication-state pre-login city exact SanJose company exact MotorolaSolutions country exact America department exact TnV emailid exact testing@motorolasolutions.
19 • Service Platforms — Brocade Mobility RFS9510 Syntax: ssid [any|exact|contains|not-contains] ssid any ssid [exact|contains|not-contains] Parameters ssid any ssid any Specifies a wireless client filter based on how the SSID is specified in a WLAN. • any – The role is applied to any SSID location. This is the default setting. ssid [exact|contains|not-contains] ssid Specifies a wireless client filter based on how the SSID is specified in a WLAN.
19 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: state [any|contains|exact|not-contains] state [any|contains |exact |not-contains ] Parameters st
19 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: title [any|contains|exact|not-contains] title [any|contains |exact |not-contains ] Parameters ti
19 A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.
19 state exact active use ip-access-list in test precedence 9 rfs7000-37FABE(config-role-policy-test-user-role-testing)# Related Commands: no Removes an IP or MAC access list from use with a user role user-defined user-role commands Enables you to define a filter based on an attribute defined in the Active Directory or the OpenLDAP server Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Broc
19 rfs4000-229D58(config-role-policy-test-user-role-user1)#show context user-role user1 precedence 1 employee-type exact consultant user-defined office-location exact EcoSpace rfs4000-229D58(config-role-policy-test-user-role-user1)# Related Commands: no 1124 Removes the user-defined filter configured with this user role Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01
Chapter SMART-RF-POLICY 20 This chapter summarizes Self Monitoring at Run Time RF (Smart RF) management policy commands in the CLI command structure. A Smart RF management policy defines operating and recovery parameters that can be assigned to groups of access points. A Smart RF policy is designed to scan the network to identify the best channel and transmit power for each access point radio.
20 • If no SMART RF policy is mapped, the radio selects a random channel If the radio is a dedicated sensor, it stops termination on that channel if a neighboring access point detect radar. The access point attempts to come back to its original channel (statically configured or selected by Smart RF) after the channel evacuation period has expired. Change this behavior using the dfs-rehome command from the controller or service platform CLI.
20 Table 18 summarizes Smart RF policy configuration commands.
20 Syntax: area channel-list [2.4GHz|5GHz] Parameters area channel-list [2.4GHz|5GHz] area Specify the area name. channel-list [2.4GHz|5GHZ] Selects the channels for the specified area in the 2.4 GHz or 5.0 GHz band • 2.4GHz – Selects the channels for the specified area in the 2.4 GHz band • 5GHz – Selects the channels for the specified area in the 5.0 GHz band The following keyword is common to the 2.4 GHz and 5.
20 assignable-power [2.4GHz|5GHz] [max|min] <1-20> 2.4GHz [max|min] <1-20> 5GHz [max|min] <1-20> Assigns a power range on the 2.4 GHz band • max <1-20> – Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm) • min <1-20> – Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm) Assigns a power range on the 5.
20 rfs7000-37FABE(config-smart-rf-policy-test)#show context smart-rf-policy test area test channel-list 2.4GHz 1,2,3 assignable-power 5GHz min 8 assignable-power 5GHz max 20 channel-list 2.4GHz 1,12 rfs7000-37FABE(config-smart-rf-policy-test)# Related Commands: no Removes the channel list for the selected frequency channel-width smart-rf-policy Selects the channel width for Smart RF configuration NOTE In addition to 20 MHz and 40 MHz, AP82XX also provides support for 80 MHz channels.
20 The 20/40 MHz operation allows the access point to receive packets from clients using 20 MHz, and transmit using 40 MHz. This mode is supported for 11n users on both the 2.4 GHz and 5.0 GHz radios. If an 11n user selects two channels (a primary and secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.
20 Parameters coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>} client-threshold Optional. Specifies the minimum number of clients associated to a radio in order to trigger coverage hole recovery. 2.4GHz <1-255> Specifies the minimum number of clients on the 2.4 GHz band • <1-255> – Sets a value from 1 - 255. The default is 1. 5GHz <1-255> Specifies the minimum number of clients on the 5.0 GHz band <1-255> – Sets a value from 1 - 255. The default is 1.
20 Related Commands: no Disables recovery from coverage hole errors enable smart-rf-policy Enables a Smart RF policy Use this command to enable this Smart RF policy. Once enabled, the policy can be assigned to a RF Domain supporting a network.
20 Syntax: group-by [area|floor] Parameters group-by [area|floor] area Groups radios based on their area of location floor Groups radios based on their floor location Both options are disabled by default. Example rfs7000-37FABE(config-smart-rf-policy-test)#group-by floor rfs7000-37FABE(config-smart-rf-policy-test)#show context smart-rf-policy test area test channel-list 2.4GHz 1,2,3 group-by floor sensitivity custom assignable-power 5GHz min 8 assignable-power 5GHz max 20 channel-list 2.
20 interference-recovery {channel-hold-time|channel-switch-delta|client-threshold| interference|neighbor-offset|noise|noise-factor} interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>} interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>| interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>} Parameters interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>} channel-switch-delta Optional.
20 smart-rf-policy test area test channel-list 2.4GHz 1,2,3 group-by floor sensitivity custom assignable-power 5GHz min 8 assignable-power 5GHz max 20 channel-list 2.
20 neighbor-recovery {power-hold-time <0-3600>} power-hold-time Optional. Specifies the minimum time, in seconds, between two power changes on a radio during neighbor-recovery <0-3600> Sets the time from 0 - 3600 sec. The default is 3600 seconds. neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>} power-threshold Optional. Specifies the power threshold based on the recovery performed The 2.4 GHz/5.
20 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [area|assignable-power|channel-list|channel-width|coverage-hole-recovery|enab le| group-by|interference-recovery|neighbor-recovery|smart-ocs-monitoring] Parameters no [area|assignable-power|channel-list|channel-width|coverage-hole-recovery|enab le| group-by|interference-recovery|neighbor-recovery|smart-ocs-monitoring] no area Removes channel li
20 rfs7000-37FABE(config-smart-rf-policy-test)#no neighbor-recovery power-threshold 5GHz rfs7000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz min rfs7000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz max The following example shows the Smart RF policy ‘test’ settings after the ‘no’ commands are executed: rfs7000-37FABE(config-smart-rf-policy-test)#show context smart-rf-policy test area test channel-list 2.4GHz 1,2,3 group-by floor sensitivity custom channel-list 2.
20 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: sensitivity [custom|high|low|medium] Parameters sensitivity [custom|high|low|medium] sensitivity Configures Smart RF sensitivity levels. The options available are: custom, high, low, and medium.
20 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: smart-ocs-monitoring {awareness-override|client-aware|extended-scan-frequency| frequency|off-channel-duration|power-save-aware|sample-count|voice-aware} smart-ocs-monitoring {awareness-override [schedule|threshold]} smart-ocs-monitoring {awareness-override schedule <1-3> } smart-ocs-monitoring {awareness-override thresho
20 smart-ocs-monitoring {awareness-override threshold <10-10000>} awareness-override threshold <10-10000> Optional. Use this parameter to configure client awareness settings overrides threshold – Specifies the threshold after which client awareness settings are overridden. When the specified threshold is reached, awareness settings are overridden. • <10-10000> – Specify a threshold value from 10 -10000. The default is 10. • smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>} client-aware Optional.
20 smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]} power-save-aware Optional. Enables power save awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict. This setting allows Smart RF to detect power save clients and take them into consideration when performing off channel scans. Strict disables smart monitoring as long as a power save capable client is associated to a radio.
20 sensitivity custom channel-list 2.4GHz 1,12 channel-width 5GHz auto smart-ocs-monitoring off-channel-duration 2.4GHz 25 smart-ocs-monitoring frequency 5GHz 3 smart-ocs-monitoring frequency 2.4GHz 3 smart-ocs-monitoring sample-count 5GHz 3 smart-ocs-monitoring sample-count 2.4GHz 3 smart-ocs-monitoring extended-scan-frequency 5GHz 0 smart-ocs-monitoring extended-scan-frequency 2.
Chapter 21 WIPS-POLICY This chapter summarizes the Wireless Intrusion Protection Systems (WIPS) policy commands in the CLI command structure. WIPS is an additional measure of security designed to continuously monitor the network for threats and intrusions. Along with wireless VPNs, encryptions, and authentication policies WIPS enhances the security of a WLAN. The WIPS policy enables detection of intrusions and threats that a managed network is likely to encounter.
21 • address-match rule: This signature matches one or more address fields. The address fields supported are BSSID, source-MAC, and destination-MAC. You can also specify frame types to match. The frame types supported are assoc, auth, beacon, data, deauth, disassoc, mgmt, probe-request, and probe-response. A WIPS policy, once configured, has to be attached to a RF Domain to take effect.
21 TABLE 19 WIPS-Policy-Config Commands Command Description Reference event Configures events page 1149 history-throttle-duratio n Configures the duration event duplicates are omitted from the event history page 1152 interference-event Specifies events contributing to the Smart RF WiFi interference calculations page 1153 no Negates a command or sets its default page 1154 signature Configures a WIPS policy signature and enters its configuration mode page 1158 use Defines a WIPS policy se
21 br-detection {age-out <30-86400>|wait-time <10-600>} age-out <30-86400> Optional. Configures the unauthorized AP ageout interval. The WIPS policy uses this value to ageout unauthorized APs. • <30-86400> – Sets an ageout interval from 30 - 86400 seconds. The default is 5 minutes (300 seconds). wait-time <10-600> Optional. Configures the wait time before a detected AP is declared as unauthorized and potentially removed • <10-600> – Sets a wait time from 10 - 600 seconds.
21 event wips-policy Configures events, filters and threshold values for this WIPS policy. Events are grouped into three categories, AP anomaly, client anomaly, and excessive. WLANs are baselined for matching criteria. Any deviation from this baseline is considered an anomaly and logged as an event.
21 event br-anomaly [ad-hoc-violation|airjack|br-ssid-broadcast-in-beacon|asleap| impersonation-attack|null-probe-response|transmitting-device-using-invalid-ma c| unencrypted-wired-leakage|wireless-bridge] br-anomaly Enables AP anomaly event tracking An AP anomaly event refers to suspicious frames sent by neighboring APs. An administrator enables or disables the filtering of each listed event and sets the thresholds for the generation of event notification and filtering.
21 wellenreiter Tracks Wellenreiter events filter-ageout <0-86400> The following keywords are common to all of the above client anomaly events: • filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds • <0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
21 threshold-client <0-65535> The following keywords are common to all excessive events: • threshold-client <0-65535> – Optional. Configures a client threshold value after which the filter is triggered and an event is recorded • <0-65535> – Sets a wireless client threshold value from 0 - 65535 seconds threshold-radio <0-65535> The following keywords are common to all excessive events: • threshold-radio <0-65535> – Optional.
21 history-throttle-duration <30-86400> history-throttle-duration <30-86400> Configures the duration event duplicates are omitted from the event history • <30-86400> – Sets a value from 30 - 86400 seconds. The default is 120 seconds.
21 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9 event client-anomaly wellenreiter filter-ageout 99 interference-event non-conforming-data br-detection-ageout 50 br-detection-wait-time 15 rfs7000-37FABE(config-wips-policy-test)# Related Commands: no Disables this WIPS policy signature as a Smart RF interference source no wips-policy Negates a command or resets configured settings to their default.
21 no event excessive [80211-replay-check-failure|aggressive-scanning| auth-server-failures|decryption-failures|dos-assoc-or-auth-flood| dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood| frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>| threshold-radio <0-65535>} no interference-event [non-conforming-data|wireless-bridge] no signature no use device-categorization Parameters no [enable|history-throttle-duration] no enable Disables
21 no event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzin g-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|inv alid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>} no event Disables WIPS policy event tracking client-anomaly Disables client anomaly event tracking dos-broadcast-deauth Disables DoS broadcast deauthentication event tracking fuzzing-all-zero-macs Disables Fuzzing tracking:
21 threshold-client <0-65535> Optional. Resets a client threshold limit after which the filter is triggered and an event is recorded • <0-65535> – Resets a wireless client threshold limit from 0 - 65535 seconds threshold-radio <0-65535> Optional.
21 rfs7000-37FABE(config-wips-policy-test)# Related Commands: br-detection Enables the detection of unauthorized or unsactioned access points enable Enables a WIPS policy for use with a profile event Configures events, filters, and threshold values for a WIPS policy history-throttle-duration Configures the duration event duplicates are omitted from the event history interference-event Specifies events contributing to the Smart RF WiFi interference calculations signature Configures a WIPS policy
21 Example rfs7000-37FABE(config-wips-policy-test)#signature test rfs7000-37FABE(config-test-signature-test) rfs7000-37FABE(config-test-signature-test)#? Wips Signature Mode commands: bssid Bssid mac address dst-mac Destination mac address filter-ageout Configure filter ageout frame-type Configure frame-type to match interference-event Signature is a smart-rf interference source mode Enable/Disable signature no Negate a command or set its defaults payload Configure a payload src-mac Source mac address ssid-
21 The following table summarizes WIPS policy signature configuration mode commands.
21 bssid bssid Configures a BSSID MAC address to match • – Specify the MAC address.
21 filter-ageout signature mode commands Configures the filter ageout interval in seconds. This is the duration a client, triggering a WIPS event, is excluded from RF Domain manager radio association.
21 frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp| reassoc] Parameters frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp| reassoc] frame-type Configures the frame type used for matching all Configures all frame type matching assoc Configures association frame matching auth Configures authentication frame matching beacon Configures beacon frame matching data Configures data frame matching deauth Configures deauthentication frame m
21 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: interference-event Parameters None Example rfs7000-37FABE(config-test-signature-test)#interference-event rfs7000-37FABE(config-test-signature-test)#show context signature test interference-event bssid 11-22-33-44-55-66 dst-mac 55-66-77-88-99-00 frame-type reassoc filter-ageout 8 rfs7000-37FABE(config-test-signature-test)# Related Commands: no Dis
21 Related Commands: no Disables a WIPS signature payload signature mode commands Configures payload settings. The payload command sets a numerical index pattern and offset for this WIPS signature.
21 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: src-mac Parameters src-mac src-mac Configures the source MAC address to match • – Specify
21 Parameters ssid-match [ssid |ssid-len <0-32>] ssid Specifies the SSID match string • – Specify the SSID string. NOTE: Specify the correct SSID to ensure proper filtering. ssid-len <0-32> Specifies the length of the SSID • <0-32> – Specify the SSID length from 0 - 32 characters.
21 rfs7000-37FABE(config-test-signature-test)#show context signature test bssid 11-22-33-44-55-66 src-mac 00-1E-E5-EA-1D-60 dst-mac 55-66-77-88-99-00 frame-type beacon ssid-match ssid PrinterLan filter-ageout 8 threshold-client 88 payload 1 pattern brocade offset 1 rfs7000-37FABE(config-test-signature-test)# Related Commands: no Removes the wireless client threshold limit configured with a WIPS policy signature threshold-radio signature mode commands Configures the radio’s threshold limit.
21 rfs7000-37FABE(config-test-signature-test)# Related Commands: no Removes the radio’s threshold limit configured with a WIPS policy signature no signature mode commands Negates a command or resets settings to their default. When used in the config WIPS policy signature mode, the no command resets or removes WIPS signature settings.
21 no threshold-client Removes the wireless client threshold limit configured with a WIPS policy. When the wireless client exceeds the specified limit, an event is triggered. no threshold-radio Removes a radio threshold limit configured with a WIPS policy. When the radio exceeds the specified threshold limit, an event is triggered. Usage Guidelines: The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
21 payload Configures payload settings. The payload command sets a numerical index pattern and offset for this WIPS signature. src-mac Configures a source MAC address for the packet examined for matching ssid-match Configures a SSID for matching threshold-client Configures a wireless client threshold limit threshold-radio Configures a radio threshold limit use wips-policy Enables device categorization on this WIPS policy. This command uses an existing device categorization list.
21 Related Commands: no 1172 Disables the use of a device categorization policy with a WIPS policy Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01
Chapter WLAN-QOS-POLICY 22 This chapter summarizes the WLAN QoS policy in the CLI command structure. A WLAN QoS policy increases network efficiency by prioritizing data traffic. Prioritization reduces congestion. This is essential because of the lack of bandwidth for all users and applications. QoS helps ensure each WLAN on the wireless controller receives a fair share of the overall bandwidth, either equally or as per the proportion configured.
22 wlan-qos-policy WLAN-QOS-POLICY WLAN QoS configurations differ significantly from QoS policies configured for radios. WLAN QoS configurations are designed to support the data requirements of wireless clients, including the data types they support and their network permissions. Radio QoS policies are specific to the transmit and receive characteristics of the connected radio’s themselves, independent from the wireless clients these access point radios support.
22 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: accelerated-multicast [|autodetect] accelerated-multicast [|autodetect] {classification [background|best-effort|trust| video|voice]} Parameters a
22 Specifies how traffic on this WLAN is classified. This classification is based on relative prioritization on the radio.
22 classification non-wmm [voice|video|normal|low] non-wmm Specifies how traffic from non-WMM clients is classified voice Optimized for non-WMM voice traffic. Implies all WLAN non-WMM client traffic is classified and treated as voice packets video Optimized for non-WMM video traffic. Implies all WLAN non-WMM client traffic is classified and treated as video packets normal Optimized for non-WMM best effort traffic.
22 multicast-mask [primary|secondary] primary Configures the primary egress prioritization multicast mask • – Sets the MAC address and the mask in the AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX-XX format NOTE: Setting masks is optional and only needed if there are traffic types requiring special handling.
22 no wmm [backgorund|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit] Parameters no [accelerated-multicast [|autodetect]|classification {non-unicast|non-wmm}| multicast-mask [primary|secondary]|qos trust [dscp|wmm]|svp-prioritization| voice-prioritization] no accelerated-multicast [|autodetect] Disables accelerated multicast streams and forwarding QoS classification • – Removes specified IP address.
22 no wmm [backgorund|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit] no wmm Disables 802.
22 Enables QoS on this WLAN Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: qos trust [dscp|wmm] Parameters qos trust [dscp|wmm] trust [dscp|wmm] Trusts the QoS val
22 Before defining rate limit thresholds for WLAN upstream and downstream traffic, Brocade recommends you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) are dropped resulting in intermittent outages and performance problems.
22 rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>| best-effort <0-100>|video <0-100>|voice <0-100>]} rate-limit Configures traffic rate limit parameters client Configures traffic rate limiting parameters on a per-client basis wlan Configures traffic rate limiting parameters on a per-WLAN basis from-air Configures traffic rate limiting from a wireless client to the network to-air Configures the traffic rate limit from the network to a wireless client red-threshold Co
22 wlan-qos-policy test classification non-wmm video multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77 classification non-unicast normal rate-limit wlan from-air rate 55 rate-limit wlan from-air max-burst-size 6 rate-limit wlan from-air red-threshold best-effort 10 rate-limit client from-air red-threshold background 3 qos trust dscp qos trust wmm accelerated-multicast autodetect classification voice rfs7000-37FABE(config-wlan-qos-test)# svp-prioritization wlan-qos-policy Enables WLAN SVP support o
22 accelerated-multicast autodetect classification voice rfs7000-37FABE(config-wlan-qos-test)# voice-prioritization wlan-qos-policy Prioritizes voice clients over other clients (for non-WMM clients). This gives priority to voice and voice management packets and is supported only on certain legacy Brocade VOIP phones. This feature is enabled by default.
22 WMM’s prioritization capabilities are based on the four access categories (background, best-effort, video, and voice). Higher the Access Category (AC) higher is the transmission probability over the controller managed WLAN. ACs correspond to the 802.1d priorities, facilitating interoperability with QoS policy management mechanisms. WMM enabled controllers coexist with legacy devices (not WMM-enabled). Packets not assigned to a specific access category are categorized as best effort by default.
22 wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>| cw-min <0-15>|txop-limit <0-65535>] wmm Configures 802.11e/wireless multimedia parameters. This parameter enables the configuration of four access categories. Applications assign each data packet to one of these four access categories and queues them for transmission. background Configures background access category parameters best-effort Configures best effort access category parameters.
22 classification non-wmm video svp-prioritization voice-prioritization wmm video txop-limit 9 wmm voice cw-min 6 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77 classification non-unicast normal rate-limit wlan from-air rate 55 rate-limit wlan from-air max-burst-size 6 rate-limit wlan from-air red-threshold best-effort 10 rate-limit client from-air red-threshold background 3 qos trust dscp qos trust wmm accelerated-multicast autodetect classification voice rfs7000-37FABE(config-wlan-qos-test)#
Chapter L2TPV3-POLICY 23 This chapter summarizes Layer 2 Tunnel Protocol Version 3 (L2TPv3) policy commands in the CLI command structure. The L2TPv3 policy defines control and encapsulation protocols for tunneling different types of layer 2 frames between two IP nodes. The L2TPv3 control protocol controls dynamic creation, maintenance, and tear down of L2TP sessions. The L2TPV3 encapsulation protocol is used to multiplex and de-multiplex L2 data streams between two L2TP nodes across an IP network.
23 NOTE If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port, if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN. This chapter is organized into the following sections: • l2tpv3-policy-commands • l2tpv3-tunnel-commands • l2tpv3-manual-session-commands l2tpv3-policy-commands L2TPV3-POLICY Use the (config) instance to configure L2TPv3 policy parameters.
23 service show write Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)# Table 21 summarizes L2TPv3 policy configuration commands.
23 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: cookie-size [0|4|8] Parameters cookie-size [0|4|8] cookie-size [0|4|8] Configures the cookie-field size for each data packet.
23 fail-over <5-60> fail-over <5-60> Sets the delay interval to re-establish a failed L2TPv3 tunnel (RF-Domain manager/ VRRP-master/Cluster-master failover) • <5-60> – Specify a failover delay from 5 - 60 seconds. The default is 5 seconds.
23 retry-attempts 10 retry-interval 30 cookie-size 8 rx-window-size 9 tx-window-size 9 reconnect-interval 100 reconnect-attempts 8 force-l2-path-recovery rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)# Related Commands: no Disables the forced detection of servers and gateways behind the L2TPv3 tunnel hello-interval l2tpv3-policy-commands Configures the interval, in seconds, between L2TPv3 “Hello” keep-alive messages exchanged in a L2TPv3 control connection.
23 no l2tpv3-policy-commands Negates or reverts L2TPv3 policy settings to default Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [cookie-size|failover-delay|force
23 reconnect-interval 100 reconnect-attempts 50 rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)# r(config-l2tpv3-policy-L2TPV3Policy1)#no hello-interval rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-attempts rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-interval rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-attempts rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-interval rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no cookie-size The fo
23 reconnect-attempts <0-8> reconnect-attempts <0-8> Configures the maximum number of attempts made to re-establish a tunnel connection from 0 - 8 (default is 0: configures infinite reconnect attempts) Example rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#reconnect-attempts 8 rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context l2tpv3 policy L2TPV3Policy1 hello-interval 200 cookie-size 8 reconnect-attempts 8 rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)# Related Commands: no Resets
23 Related Commands: no Resets the interval between successive attempts to re-establish a failed tunnel connection to default (120 seconds) retry-attempts l2tpv3-policy-commands Configures the maximum number of attempts made to retransmit signalling messages. Use this command to specify how many retransmission cycles occur before determining the target tunnel peer is not reachable.
23 Configures the interval, in seconds, between two successive attempts at retransmitting a L2TPv3 signalling message Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax:
23 rx-window-size <1-15> Parameters rx-window-size <1-15> rx-window-size <1-15> Configures the number of packets received without sending an acknowledgment. Specify a value from 1 - 15 (default is 10 packets).
23 l2tpv3 policy L2TPV3Policy1 hello-interval 200 retry-attempts 10 retry-interval 30 cookie-size 8 rx-window-size 9 tx-window-size 9 reconnect-interval 100 reconnect-attempts 8 rfs7000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)# Related Commands: no Resets the number of packets transmitted without receiving an acknowledgment to default (10 packets) l2tpv3-tunnel-commands L2TPV3-POLICY Use the (profile or device context) instance to configure a L2TPv3 tunnel.
23 The following table summarizes L2TPv3 tunnel configuration commands.
23 Parameters establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>] always Always establishes a L2TPv3 tunnel from the current device to the NOC controller. This is the default setting. cluster-master Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the cluster master NOTE: The L2TPv3 tunnel is closed when the current device switches back the standby or backup mode.
23 hostname hostname Configures the tunnel’s local hostname • – Specify the tunnel’s local hostname.
23 Related Commands: no Resets the tunnel’s local IP address and re-establishes the tunnel mtu l2tpv3-tunnel-commands Configures the Maximum Transmission Unit (MTU) size for this tunnel. This value determines the packet size transmitted over this tunnel.
23 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [establishment-criteria|hostname|local-ip-address|mtu|peer|router-id|session| use] Parameters no [establishment-criteria|hostname|local-ip-address|mtu|peer|router-id|session| use] establishment-criteria Resets the tunnel’s establishment criteria to default no hostname Removes the tunnel’s local hostname no local-ip-address Resets the tunnel
23 Related Commands: establishment-criteria Configures a L2TPv3 tunnel’s establishment criteria hostname Configures the tunnel’s local hostname local-ip-address Configures the tunnel’s source IP address mtu Configures the MTU size for this tunnel peer Configures the tunnel’s peers router-id Configures the tunnel’s local router ID session Creates/modifies specified L2TPv3 session use Associates a specified L2TPv3 tunnel policy with a L2TPv3 tunnel peer l2tpv3-tunnel-commands Configures the L2
23 router-id [||any] After specifying the peer hostname, optionally specify router ID settings: • router-id – Optional. Configures the peer’s router ID in one of the following formats: • – Peer router ID in the IP address (A.B.C.D) format • – Peer router ID range (for example, 100-120) • any – Peer router ID is not specified. This allows incoming connection from any router ID.
23 peer <1-2> {router-id [||any]} {ipsec-secure|udp} peer <1-2> Configures the tunnel peer ID from 1 - 2. At any time the tunnel is established with only one peer. router-id [||any] Optional. Configures the peer’s router-id in one of the following formats: – Peer router ID in the IP address (A.B.C.D) format – Peer router ID range (for example, 100-120) any – Peer router ID is not specified. This allows incoming connection from any router ID.
23 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: router-id [<1-4294967295>|] Parameters router-id [<1-4294967295>|] router-id [<1-4294967295>|] Configures the tunnel’s local router ID in one of the following formats: • <1-4294967295> – Router ID in the number format (from1- 4294967295) • – Router ID in IP address format (A.B.C.
23 session pseudowire-id <1-4294967295> traffic-source vlan {native-vlan <1-4094>} session Configures this session’s name pseudowire-id <1-4294967295> Configures the pseudowire ID for this session from 1- 4204067295 traffic-source vlan Configures VLAN as the traffic source for this tunnel • – Configures VLAN range list of traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35).
23 use critical-resource {} } } use l2tpv3-policy Parameters use critical-resource {} {} {} Specifies the critical resource(s) to use with this tunnel • – Specify the first critical resource name • – Optional. Specify the second/third/fourth critical resource names. Maximum of four critical resources can be monitored.
23 rfs7000-37FABE(config-profile-default-rfs7000)#l2tpv3 manual-session test rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)# rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#? L2tpv3 Manual Session Mode commands: local-cookie The local cookie for the session local-ip-address Configure the IP address for tunnel.
23 Command Description Reference show Displays running system information page 429 write Writes information to memory or terminal page 425 local-cookie l2tpv3-manual-session-commands Configures the local cookie field size for the manual session Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers
23 Configures the manual session’s source IP address. If no IP address is specified, the tunnel’s source IP address is automatically configured based on the tunnel peer IP address. This parameter is applicable when establishing the session and responding to incoming requests.
23 Parameters local-session-id <1-63> local-session-id <1-63> Configures this manual session’s local session ID from 1 - 63. This is the pseudowire ID for the session. This pseudowire ID is sent in a session establishment message to the L2TP peer. Example rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-session-id 1 rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context l2tpv3 manual-session test local-cookie size 8 200 300 local-ip-address 1.
23 l2tpv3 manual-session test local-cookie size 8 200 300 local-ip-address 1.2.3.
23 peer ip-address 5.6.7.
23 peer ip-address {udp {port <1-65535>}} Parameters peer ip-address {udp {port <1-65535>}} peer ip-address Configures the tunnel’s peer IP address in the A.B.C.D format udp {port <1-65335>} Optional. Configures the UDP encapsulation mode for this tunnel (default encapsulation is IP) port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service. Specify a value from 1 - 65535.
23 remote-cookie size [4|8] <1-4294967295> {<1-4294967295>} remote-cookie size [4|8] Configures the remote cookie field size for this manual session. The options are: 4 – 4 byte remote cookie field 8 – 8 byte remote cookie field • • <1-4294967295> Configures the remote cookie value first word. Applies to both the 4 byte and 8 byte local cookies <1-4294967295> Optional – Configures the remote cookie value second word. Applicable to only 8 byte cookies. This parameter is ignored for 4 byte cookies.
23 Example rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-session-id 200 rfs7000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context l2tpv3 manual-session test local-ip-address 1.2.3.4 peer ip-address 5.6.7.
23 peer ip-address 5.6.7.
Chapter ROUTER-MODE COMMANDS 24 This chapter summarizes Open Shortest Path First (OSPF) router mode commands in the CLI command structure. All router-mode commands are available on both device and profile modes. OSPF is an interior gateway protocol (IGP) used within large autonomous systems to distribute routing information. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN.
24 service show write Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-profile default-rfs7000-router-ospf)# router-mode ROUTER-MODE COMMANDS Table 22 summarizes router configuration commands.
24 An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation.
24 rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)# rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#show context area 0.0.0.4 rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)# Related Commands: no Removes area configuration settings OSPF-area-mode area The following table summarizes OSPF area mode configuration commands.
24 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: area-type [nssa|stub] area-type nssa {default-cost|no-summary|translate-always|translate-candidate| translate-never} area-type nssa {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}} area-type nssa {translate-always|translate-candidate|translate-never} {(default-cost <0-16777215>|no-summary)} area-type stub {default-cost <0-16777215> {no-summary}|no-summary {default-c
24 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: authentication [message-digest|simple-password] Parameters authentication [message-digest|simple-password] message-digest Configures the message-digest (MD-5) authentication scheme simple-password C
24 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: range Parameters range Specifies the routes matching address/mask for summarization. NOTE: This command is applicable for a Area Border Router (ABR) only. Example rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#range 172.16.10.0/24 rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show con text area 0.0.0.
24 Example The following example shows the OSPF router settings before the ‘no’ commands are executed: rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context area 0.0.0.1 authentication simple-password range 172.16.10.0/24 area-type stub default-cost 1 rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)# rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no authentication rfs7000-37FABE(config-profile default-rfs7000-router-ospf-area-0.
24 Parameters auto-cost reference-bandwidth <1-4294967> reference-bandwidth <1-4294967> Defines the reference bandwidth in Mbps <1-4294967> – Specify the reference bandwidth value from1 - 4294967.
24 default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])} originate Originates default route information. Enabling this feature makes the default route a distributed route. This option is disabled by default. always Optional. Always distributes default route information (will continue to advertise default route information even if that information has been removed from the routing table for some reason). This option is disabled by default.
24 ip default-gateway priority <1-8000> default-gateway Configures the default gateway priority <1-8000> Sets the priority for the default gateway acquired via OSPF. Specify an integer from 1 - 8000. The default is 7000. NOTE: Lower the value, higher is the priority. Example rfs7000-37FABE(config-profile default-rfs7000-router-ospf)#ip default-gateway priority 1 rfs7000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf area 0.0.0.
24 router ospf network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.
24 Configures specified OSPF interface as passive. This option is disabled by default. A passive interface receives routing updates, but does not transmit them.
24 Syntax: redistribute [connected|kernel|static] {metric <0-16777214>|metric-type [1|2]} Parameters redistribute [connected|kernel|static] {metric <0-16777214>|metric-type [1|2]} connected Redistributes all connected interface routes by OSPF kernel Redistributes all routes that are neither connected, nor static, nor dynamic static Redistributes static routes by OSPF metric <0-16777214> The following keywords are common to the ‘connected’, ‘kernel’, and ‘static’ parameters: • metric <0-16777214> – O
24 route-limit [num-routes|reset-time|retry-count|retry-timeout] route-limit [num-routes |reset-time <1-86400>| retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count| retry-timeout)} Parameters route-limit [num-routes |reset-time <1-86400>|retry-count <1-32>| retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)} num-routes Specifies the maximum number of non self-generated Link State Advertisemen
24 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: router-id Parameters router-id Identifies the OSPF router by its IP address – Specify the router ID in the IP
24 vrrp-state-check vrrp-state-check Publishes an interface via OSPF based on VRRP status Example rfs7000-37FABE(config-profile default-rfs7000-router-ospf)#vrrp-state-check Disable and enable OSPF feature for this command to take effect rfs7000-37FABE(config-profile default-rfs7000-router-ospf)# rfs7000-37FABE(config-profile default-rfs7000-router-ospf)#show context include-factory router ospf ospf enable no router-id no auto-cost reference-bandwidth no default-information originate no passive all vrrp-s
24 Example The following example shows the OSPF router interface settings before the ‘no’ commands are executed: rfs7000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.
Chapter 25 ROUTING-POLICY This chapter summarizes routing-policy commands in the CLI command structure. Routing policies enable network administrators to control data packet routing and forwarding. Policy-based routing (PBR) always overrides protocol-based routing. Network administrators can define routing policies based on parameters, such as access lists, packet size etc. For example, a routing policy can be configured to route packets along user-defined routes.
25 Table 23 summarizes routing policy configuration commands.
25 Related Commands: no Disables PBR for locally generated packets logging routing-policy-commands Enables/disables logging for a specified route map. When enabled, this option logs events generated by the enforcement of route-maps. This option is disabled by default.
25 match, action is taken based on the mark clause specified in the route-map. In case of no match, the route-map entry with the next highest precedence is applied. If the incoming packet does not match any of the route-map entries, it is subjected to typical destination-based routing. Each route-map entry can optionally enable/disable logging. The following criteria can optionally be used as traffic selection segregation criteria: • IP Access List - A typical IP ACL can be used for routing traffic.
25 .b Perform normal destination-based route lookup. If a next hop is found, it is used, if not refer to (c). .c If default next hop is configured and reachable, it is used, if not, packet is dropped. • Fallback - Enables fallback to destination-based routing if none of the configured next hops are reachable (or not configured). This is enabled by default. • Mark IP DSCP - Configures IP DSCP bits for QoS using an ACL. The mark action of the route maps takes precedence over the mark action of an ACL.
25 help revert service show write Description of the interactive help system Revert changes Service Commands Show running system information Write running configuration to memory or terminal rfs7000-37FABE(config-routing-policy-testpolicy-route-map-1)# Related Commands: no Removes a route map route-map-mode routing-policy-commands The following table summarizes route-map configuration commands.
25 Parameters default-next-hop [||pppoe1|vlan <1-4094>|wwan1] default-next-hop Sets the next hop router to which packets are sent in case the next hop is not the adjacent router Specifies next hop router’s IP address Specifies the outgoing interface name (router interface name) pppoe1 Specifies the PPPoE interface vlan <1-4094> Specifies a VLAN interface ID from 1 - 4094 wwan1 Specifies the WAN interface Example rfs7000-37FABE(config-routing-policy-testp
25 Example rfs7000-37FABE(config-routing-policy-testpolicy-route-map-1)#fallback rfs7000-37FABE(config-routing-policy-testpolicy-route-map-1)# Related Commands: no Disables fallback to destination-based routing, if no next hop is configured or are unreachable mark route-map-mode Enables the marking of the DSCP field in the IP header Use this command to set the IP DSCP bits for QoS using an ACL. The mark action of the route maps takes precedence over the mark action of an ACL.
25 Sets the match clauses Each route map entry has a set of match clauses used to segregate and filter packets. Packets can be segregated using any one of the following criteria: • IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules however are neglected. Route-map entries have separate logging. Only one ACL can be configured per route map entry. ACL rules configured under route map entries merge to create a single ACL.
25 Parameters match incoming-interface [|pppoe1|vlan <1-4094>|wwan1] incoming-interface Sets the incoming SVI match clause. Specify an interface name. Specifies the layer 3 interface name (route interface) pppoe1 Specifies the PPP over Ethernet interface vlan <1-4094> Specifies the VLAN interface. Specify a VLAN ID from 1 - 4094. wwan1 Specifies the WAN interface name match ip dscp <0-63> ip dscp <0-63> Sets the DSCP match clause. Specify a value from 0 - 63.
25 • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: next-hop [||pppoe1|vlan <1-4094>|wwlan1] {||pppoe1|vlan <1-4094>|wwlan1} Parameters next-hop [|
25 • Service Platforms — Brocade Mobility RFS9510 Syntax: no [default-next-hop|fallback|mark|match|next-hop] Parameters no [default-next-hop|fallback|mark|match|next-hop] no Negates a command or set its defaults Usage Guidelines: The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
25 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: use critical-resource-monitoring Parameters use critical-resource-monitoring use critical-resource-monitoring Use
25 The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Chapter 26 AAA-TACACS-POLICY This chapter summarizes the accounting, authentication, and authorization (AAA) Terminal Access Control Access-Control System (TACACS) policy commands in the CLI command structure. TACACS is a network security application that provides additional network security by providing a centralized authentication, authorization, and accounting platform. TACACS implementation requires configuration of the TACACS authentication server and database.
26 TABLE 24 AAA-TACACS-Policy-Config Commands Command Description Reference commit Commits (saves) changes made in the current session page 386 end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help Displays the interactive help system page 387 revert Reverts changes to their last saved configuration page 394 service Invokes service commands to troubleshoot or debug (config-if) instance configu
26 Parameters accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)} access-method Configures TACACS accounting access mode.
26 accounting server <1-2> host {secret [0 |2 |]} {port <1-65535>} server <1-2> Configures an accounting server. Up to 2 accounting servers can be configured host Configures the accounting server’s IP address or hostname secret [0 | 2 |] Optional.
26 • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: authentication [access-method|directed-request|server|service] authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)} authentication directed-request authentication server <1-2> authentication server <1-2> |]} {port <1-65535>} authentication server <1-2> authentication server <1-2> [host|retry-timeout-f
26 authentication server <1-2> retry-timeout-factor <50-200> server <1-2> Configures a TACACS authentication server. Up to 2 TACACS servers can be configured • <1-2> – Specify the TACACS server index from 1 - 2. retry-timeout-factor <50-200> Configures timeout scaling between two consecutive TACACS authentication retries • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.
26 Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: authorization [access-method|allow-privileged-commands|server] authorization access-method [all|console|telnet|ssh]
26 secret [0 | 2 |] Optional. Configures the secret used to authorize with the TACACS server • 0 – Configures a clear text secret • 2 – Configures an encrypted secret • – Specify the secret key. The shared key should not exceed 127 characters. port <1-65535> Optional. Specifies the port used to connect to the TACACS server • <1-65535> – Specify a value for the TCP authorization port from 1 - 65535. The default port is 49.
26 rfs7000-37FABE(config-aaa-tacacs-policy-test)# Related Commands: no Resets values or disables commands no aaa-tacacs-policy Negates a AAA TACACS policy command or sets its default Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobil
26 accounting commands rfs7000-37FABE(config-aaa-tacacs-policy-test)# Related Commands: accounting Configures TACACS accounting parameters authentication Configures TACACS authentication parameters authorization Configures TACACS authorization parameters 1264 Brocade Mobility RFS Controller CLI Reference Guide 53-1003098-01
Chapter 27 MESHPOINT This chapter summarizes the Meshpoint commands in the CLI command structure. Meshpoints are detector radios that monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.
27 rfs7000-37FABE(config-meshpoint-test)#? Mesh Point Mode commands: allowed-vlans Set the allowed VLANs beacon-format The beacon format of this meshpoint control-vlan VLAN for meshpoint control traffic data-rates Specify the 802.
27 TABLE 25 Meshpoint-Config commands Command Description Reference exit Ends the current mode and moves to the previous mode page 387 help Displays the interactive help system page 387 revert Reverts changes to their last saved configuration page 394 service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 write Writes information to memory or terminal page 425 allowed-vlans meshpoint-conf
27 rfs7000-37FABE(config-meshpoint-test)#show context meshpoint test meshid test beacon-format mesh-point control-vlan 1 allowed-vlans 1,10-16,18-23 security-mode none no root rfs7000-37FABE(config-meshpoint-test)# Related Commands: no Clears the list of VLANs allowed access to the mesh network beacon-format meshpoint-config-instance Configures the beacon transmission format for this meshpoint. Beacons are transmitted periodically to advertise that a wireless network is available.
27 no root rfs7000-37FABE(config-meshpoint-test)# Related Commands: no Resets the beacon format for this meshpoint to its default (mesh-point) control-vlan meshpoint-config-instance Mesh management traffic can be sent over a dedicated VLAN. This dedicated VLAN is known as a control VLAN. This command configures a VLAN as the dedicated control VLAN.
27 Supported in the following platforms: • Access Points — Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Access Points (as root APs only) — Brocade Mobility 650 Access Point • Wireless Controllers — Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: data-rates [2.4GHz|5GHz] data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn] data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.
27 data-rates 2.4GHz custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11| basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54 | basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7] data-rates 2.4GHz Configures the preset data rates for the 2.4 GHz frequency Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band.
27 data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18| basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15 |mcs0-7| mcs8-15|basic-mcs0-7) data-rates 5GHz Configures the preset data rates for the 5.0 GHz frequency Define both minimum Basic and optimal Supported rates as required for 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates wireless client traffic is supported within this mesh point. If supporting 802.
27 no root rfs7000-37FABE(config-meshpoint-test)# Related Commands: no Resets data rates for each frequency band for this meshpoint description meshpoint-config-instance Configures a brief description for this meshpoint. Use this command to describe this meshpoint and its features.
27 meshid meshpoint-config-instance Configures a unique Service Set Identifier (SSID) for this meshpoint. This ID is used to uniquely identify this meshpoint.
27 • Access Points — Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Access Points (as root APs only) — Brocade Mobility 650 Access Point • Wireless Controllers — Brocade Mobility RFS6000, Brocade Mobility RFS7000 • Service Platforms — Brocade Mobility RFS9510 Syntax: neighbor inactivity-timeout <60-86400> Parameters neighbor inactivity-timeout <60-86400> neighbor inactivity-timeout <60-86400> Configures the neighbor inactivity timeout in secon
27 no [allowed-vlans|beacon-format|control-vlan|description|meshid|root|security-mo de| shutdown] no data-rates [2.
27 Example rfs7000-37FABE(config-meshpoint-test)#show context meshpoint test description "This is an example of a meshpoint description" meshid TestingMeshPoint shutdown beacon-format mesh-point control-vlan 1 allowed-vlans 1,10-16,18-23 neighbor inactivity-timeout 300 data-rates 2.
27 Related Commands: allowed-vlans Configures the VLANs allowed on the meshpoint beacon-format Configures the beacon format for the meshpoint AP control-vlan Configures the VLAN on which meshpoint control traffic traverses data-rates Configures the data rates supported per frequency band description Configures a human friendly description for this meshpoint meshid Configures a unique ID for this meshpoint neighbor Configures the neighbor inactivity time out for this meshpoint root Configures
27 allowed-vlans 1,10-16,18-23 neighbor inactivity-timeout 300 data-rates 2.
27 Related Commands: no Resets the security configuration for this meshpoint to “none”. This indicates that no security is configured for this meshpoint. service meshpoint-config-instance Use this command to allow only those neighbors who are capable of 802.11n data rates to associate with this meshpoint.
27 Related Commands: no Resets the restriction that only 802.11n capable neighbor devices can associate with this meshpoint service Invokes service commands to troubleshoot or debug shutdown meshpoint-config-instance Shuts down this meshpoint. Use this command to prevent an AP from participating in a mesh network.
27 Parameters use meshpoint-qos-policy use meshpoint-qos-poicy Configures this meshpoint to use a predefined meshpoint QoS policy Defines the meshpoint QoS policy to use with this meshpoint Example rfs7000-37FABE(config-meshpoint-test)#use meshpoint-qos-policy test rfs7000-37FABE(config-meshpoint-test)#show context meshpoint test description "This is an example of a meshpoint description" meshid TestingMeshPoint shutdown beacon-format mesh-point co
27 wpa2 key-rotation [broadcast|unicast] <30-86400> wpa2 key-rotation Configures WPA2 key rotation settings broadcast Configures key rotation interval for broadcast packets When enabled, the key indices used for encrypting/decrypting broadcast traffic is alternatively rotated based on the defined interval. Key rotation enhances the broadcast traffic security on the WLAN.
27 Mesh QoS helps ensure each mesh point on the mesh network receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards clients are classified into categories such as video, voice and data.packets within each category are processed based on the weights defined for each mesh point. To create a meshpoint, see meshpoint-config-instance. A meshpoint QoS policy is created from the (config) instance.
27 accelerated-multicast meshpoint-qos-policy-config-instance Configures the accelerated multicast stream’s address and forwarding QoS classification NOTE For accelerated multicast feature to work, IGMP querier must be enabled. When a user joins a multicast stream, an entry is created in the device’s (AP or wireless controller) snoop table and the entry is set to expire after a set time period.
27 Example rfs7000-37FABE(config-meshpoint-qos-test)#accelerated-multicast 224.0.0.1 classification video rfs7000-37FABE(config-meshpoint-qos-test)#show context meshpoint-qos-policy test accelerated-multicast 224.0.0.
27 no rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background| best-effort|video|voice]} meshpoint Resets rate limit parameters for a meshpoint neighbor Resets rate limit parameters for neighboring meshpoint devices from-air Resets the rate limit value for traffic from the wireless neighbor to the network to-air Resets the rate limit value for traffic from the network to the wireless neighbor red-threshold Optional.
27 A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction.
27 rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]} meshpoint Configures rate limit parameters for a meshpoint neighbor Configures rate limit parameters for neighboring meshpoint devices from-air Configures rate limits for traffic from the wireless neighbor to the network to-air Configures rate limit value for traffic from the network to the wireless neighbor red-threshold Optional.
27 accelerated-multicast 224.0.0.
27 Syntax: meshpoint-device Parameters meshpoint-device meshpoint-device Configures the AP as a meshpoint device and sets its parameters The meshpoint to configure the AP with Example rfs7000-37FABE(config)#profile br71xx AP71XXTestProfile rfs7000-37FABE(config-profile-AP71XXTestProfile)#meshpoint-device test rfs7000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)# rfs7000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#? Mesh Point Dev
27 revert service show write Revert changes Service Commands Show running system information Write running configuration to memory or terminal br7131-139B34(config-device-00-23-68-13-9B-34-meshpoint-test)#? meshpoint-device-commands meshpoint-device-config-instance The following table lists the meshpoint-device configuration mode commands Command Description Reference acs Enables Automatic Channel Selection (ACS) on this meshpoint device (access point) page 1292 exclude Excludes neighboring mesh d
27 acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-freque ncy| path-min|path-threshold|priority-meshpoint|sample-count|snr-delta|signal-thre shold| tolerance-period] acs channel-hold-time [2.4GHz|5GHz] <0-86400> acs channel-switch-delta [2.4GHz|5GHz] <5-35> acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|auto] acs ocs-duration [2.4GHz|5GHz] <20-250> acs ocs-frequency [2.4GHz|5GHz] <1-60> acs path-min [2.4GHz|5GHz] <100-20000> acs path-threshold [2.
27 acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|auto] acs Configures ACS settings and overrides on the selected meshpoint-device channel-width [2.4GHz|5GHz] [20MHz|40MHz|auto] Configures the channel width that meshpoint auto channel selection assigns to the radio • 2.4 GHz – Configures the operating channel width for the 2.4 GHz radio band • 5.0 GHz – Configures the operating channel width for the 5.0 GHz radio band The following keywords are common to the ‘2.4 GHz’ and ‘5.
27 acs priority-meshpoint [2.4GHz|5GHz] acs Configures ACS settings and overrides on the selected meshpoint-device priority-meshpoint [2.4GHz|5GHz] Configures the priority meshpoint. Configuring a priority meshpoint overrides automatic meshpoint configuration. • 2.4 GHz – Configures the priority meshpoint for the 2.4 GHz radio band • 5.0 GHz – Configures the priority meshpoint for the 5.0 GHz radio band The following keyword is common to the ‘2.4 GHz’ and ‘5.
27 rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)# rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-frequency 2.4GHz 1 rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)# rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context meshpoint-device test acs ocs-frequency 2.4GHz 1 acs osc-duration 2.4GHz 30 acs channel-hold-time 2.
27 hysteresis meshpoint-device-commands Configures path selection SNR hysteresis values on this meshpoint-device (access point). These are settings that facilitate dynamic path selection. Configuring hysteresis prevents frequent re-ranking of the shortest path cost.
27 hysteresis min-threshold -65 hysteresis root-sel-snr-delta 12 rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)# Related Commands: no Removes the configured path selection SNR hysteresis values monitor meshpoint-device-commands Enables monitoring of critical resource and primary port links. It also configures the action taken in case a critical resource goes down or a primary port link is lost.
27 Configures the path selection method used on a meshpoint device. This is the method used to select the route to the root node within a mesh network.
27 Syntax: preferred [neighbor |root |interface [2.4GHz|4.9GHz|5GHz]] Parameters preferred [neighbor |root |interface [2.4GHz|4.9GHz|5GHz]] preferred Configures the preferred path parameters neighbor Adds the MAC address of a neighbor meshpoint as a preferred neighbor root Adds the MAC address of a root meshpoint as a preferred root interface [2.4GHz|4.
27 Parameters root {select-method auto-mint} root Configures this meshpoint device as the root meshpoint select-method auto-mint Optional. Enables or disables dynamic mesh selection. When enabled, this option overrides root or no-root configuration and chooses the selection method.
27 • Access Points — Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Access Points (as root APs only) — Brocade Mobility 650 Access Point Syntax: root-select cost-root Parameters root-select cost-root root-select cost-root Configures this meshpoint device as the cost root. This is necessary for dynamic root selection process.
27 no root-select cost-root no preferred [interface|root|neighbor] Parameters no acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration| ocs-frequency|path-min|path-threshold|priority-meshpoint|sample-count|snr-del ta| signal-threshold|tolerance-period] [2.
27 no preferred [interface|root|neighbor] no preferred Resets the preferred path configuration interface Resets the preferred interface root Resets the preferred root to none neighbor Resets the preferred neighbor to none Example rfs7000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context meshpoint-device test name test root preferred root 22-33-44-55-66-77 preferred neighbor 11-22-33-44-55-66 preferred interface 5GHz monitor critical-resource action no-root rfs7000-37FABE(config-pr
Chapter PASSPOINT POLICY 28 There has been an exponential increase in the number and types of Wi-Fi mobile devices being used globally, resulting in a phenomenal growth in the data traffic volume. Consequently, the demand for secure, quick, and unlicensed access to public Wi-Fi hotspots, capable of handling this sudden influx of mobile data traffic, has been increasing.
28 no operator roam-consortium venue wan-metrics Negate a command or set its defaults Add configuration related to the operator of the hotspot Add a roam consortium for the hotspot Set the venue parameters of the hotspot Set the wan-metrics of the hotspot clrscr commit do end exit help revert service show write Clears the display screen Commit all changes made in this session Run commands from Exec mode End current mode and change to EXEC mode End current mode and down to previous mode Description of the
28 TABLE 26 Hotspot-Policy-Config Commands Command Description Reference end Ends and exits the current mode and moves to the PRIV EXEC mode page 234 exit Ends the current mode and moves to the previous mode page 387 help Displays the interactive help system page 387 revert Reverts changes to their last saved configuration page 394 service Invokes service commands to troubleshoot or debug (config-if) instance configurations page 394 show Displays running system information page 429 wr
28 rfs4000-229D58(config-passpoint-policy-test)#3gpp mcc 310 mnc 970 rfs4000-229D58(config-passpoint-policy-test)# rfs4000-229D58(config-passpoint-policy-test)#show context hotspot2-policy test 3gpp mcc 310 mnc 970 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# Related Commands: no Removes the specified 3gpp PLMN information and its corresponding MCC/MNC settings access-network-type passpoint-policy Configures the access network type for this hotspot.
28 rfs4000-229D58(config-passpoint-policy-test)# rfs4000-229D58(config-passpoint-policy-test)#show context hotspot2-policy test access-network-type chargeable-public 3gpp mcc 310 mnc 970 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# Related Commands: no Reverts to the default access network type setting (private) connection-capability passpoint-policy Configures the connection capability element in this passpoint policy.
28 tls-vpn Specifies the protocol type as TLS VPN. Configures TCP port 443. port <0-65535> [closed|open|unknown] After specifying the protocol type, specify the port (associated with the selected protocol) and its status.
28 domain-name Parameters domain-name domain-name Specify the RF Domain name An hotspot can be applied across multiple RF Domains.
28 Example rfs4000-229D58(config-passpoint-policy-test)#hessid 00-23-68-88-0D-A7 rfs4000-229D58(config-passpoint-policy-test)# rfs4000-229D58(config-passpoint-policy-test)#show context hotspot2-policy test access-network-type chargeable-public connection-capability ip-protocol 2 port 10 closed domain-name TechPubs hessid 00-23-68-88-0D-A7 3gpp mcc 310 mnc 970 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# Related Commands: no Removes the HESSID configured with this passpoint policy and
28 Advertises the IP address type used in this hotspot. This information is returned in response to ANQP queries.
28 domain-name TechPubs hessid 00-23-68-88-0D-A7 ip-address-type ipv6 available 3gpp mcc 310 mnc 970 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# Related Commands: no Removes the IP address type configured for this passpoint policy nai-realm passpoint-policy A Network Access Identifier (NAI) realm element in the passpoint policy identifies a hotspot service provider by the unique NAI realm name. The following table lists NAI realm configuration mode commands.
28 Example rfs4000-229D58(config-passpoint-policy-test)#nai-realm mail.example.com rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)# rfs4000-229D58(config-passpoint-policy-test)#nai-realm mail.testrealm.com rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.testrealm.com)# rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.
28 Specifies the EAP authentication mechanisms supported by each of the service providers associated with this passpoint policy Supported in the following platforms: • Access Points — Brocade Mobility 650 Access Point, Brocade Mobility 6511 Access Point, Brocade Mobility 1220 Access Point, Brocade Mobility 71XX Access Point, Brocade Mobility 1240 Access Point • Wireless Controllers — Brocade Mobility RFS4000, Brocade Mobility RFS6000, Brocade Mobility RFS7000 Syntax: eap-method <1-10> [<1-255>|fast|gtc|id
28 Example The following examples show four EAP authentication methods associated with the NAI realm ‘mail.example.com’. Each method supports a different EAP authentication mechanism: rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-m ethod 1 ttls auth-param vendor hex 00001E rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)# rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.
28 dns-redirect Enables DNS redirection of user http-redirect Enables HTTP redirection of user online-enroll Enables online user enrolment url Optional. Specify the location for each of above network authentication types. Example rfs4000-229D58(config-passpoint-policy-test)#net-auth-type accept-terms url "www.motorolasolutions.
28 no [3gpp|access-network-type|connection-capability|domain-name|hessid|internet| ip-address-type|nai-realm|net-auth-type|operator|roam-consortium|venue|wan-me trics] no 3gpp Removes the specified 3GPP PLMN ID and its corresponding MCC/MNC settings no access-network-type Reverts to the default access network type setting (private) no connection-capability Removes the configured connection capability element on the hotspot no domain-name Removes the RF Domain mapped to the hotspot no hessid Removes
28 nai-realm mai.testrealm.com net-auth-type accept-terms url www.motorolasolutions.com 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# operator passpoint-policy Configures the operator friendly name for this hotspot. The name can be configured in English or in any language other than English. When the name is specified in English, the system allows an ASCII input.
28 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)# Related Commands: no Removes the operator friendly name configured for this passpoint policy roam-consortium passpoint-policy Configures a list of Roaming Consortium (RC) Organization Identifiers (OIs) supported on this hotspot. The beacons and probe responses communicate this Roaming Consortium list to devices. This information enables a device to identify the networks available through this AP.
28 Related Commands: no Removes the Roaming Consortium OIs supported on this passpoint policy venue passpoint-policy Configures the venue where this hotspot is located. The hotspot venue configuration informs prospective clients about the hotspot’s nature of activity, such as educational, institutional, residential etc.
28 venue group [assembly|business|educational|industrial|institutional|mercantile| outdoor|residential|storageunspecified|utility-and-misc|vehicular] type venue group assembly type Configures the venue group associated with this hotspot Configures the venue group as assembly (1). This hotspot type is applicable to public assembly venues. • type – Specifies the venue type for this group.
28 institutional Configures the venue group as institutional (4). This hotspot type is applicable to public health and other institutions. • type – Specifies the venue type for this group.
28 utility-and-misc vehicular Configures the venue group as utility and miscellaneous (8) • type – Specifies the venue type for this group. The options are: • <0-255> – Specifies an unlisted venue type number from 0 -255 • unspecified – Specifies the venue type as not specified (0) Configures the venue group as vehicular (7). This hotspot type is applicable to mobile venues. • type – Specifies the venue type for this group.
28 wan-metrics passpoint-policy Configures the WAN performance metrics for this hotspot. This command configures the upstream and downstream speeds associated with this hotspot. The upstream and downstream speed values (in Kbps) are estimates of the bandwidth available on the WAN. This information is returned in response to client ANQP query, and is useful for clients having a minimum and/or large bandwidth requirement.
Chapter 29 FIREWALL LOGGING This chapter summarizes firewall logging commands in the CLI command structure. The firewall uses logging to send system messages to one or more logging destinations, where they can be collected, archived and reviewed. Set the logging level to define which messages are sent to each of the target destinations.
29 error 3 Error condition warning 4 Warning condition notification 5 Normal but significant condition informational 6 Informational message debugging 7 Debugging message Date format in Syslog messages The following output displays the wireless controller date in proper format: rfs7000-37FABE(config)#Feb 07 11:09:00 2013: USER: cfgd: deleting session 4 rfs7000-37FABE rfs7000-37FABE(config)# rfs7000-37FABE(config)#Feb 07 11:09:17 2013: USER: cfgd: deleting session 5 The date format is Month <
29 NOTE The same terminology is used across all logs. The Data Connection in Active Mode Feb 07 11:10:19 2013: %DATAPLANE-5-LOGRULEHIT: Matched Temporary Rule of FTP ALG. Disposition:Allow Packet Src MAC:<00-11-25-14-D9-E2> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:192.168.1.99 Proto:6 Src Port:20 Dst Port:3017. The Data Connection in Passive Mode Feb 07 11:14:31 2013: %DATAPLANE-5-LOGRULEHIT: Matched Temporary Rule of FTP ALG.
29 Feb 07 12:00:07 2013: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Allow Packet Src MAC:<00-60-80-B0-C3-B3> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.168.1.104 Dst IP:192.168.2.102 Proto:1 ICMP Type:15 ICMP Code:0. The below example displays an ICMP Type as 17 and an ICMP Code as 0: Feb 07 12:00:25 2013: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Allow Packet Src MAC:<00-11-25-14-D9-E2> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.
29 Feb 07 12:06:00 2013: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.2.102 to 192.168.1.103, with ProtocolNumber:1 ICMP code 0 and ICMP type 11. Reason: ICMP dest IP does not match inner source IP. The following example displays an ICMP type as 14 and a Code as 0: Feb 07 12:07:00 2013: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 14. Reason: no flow matching payload of ICMP Reply.
29 Module name is DATAPLANE Syslog Severity level is 5 Log ID is MALFORMEDIP Log Message is Dropping IPv4Packet Raw IP Protocol logs The following example displays TCP without data: Feb 07 12:16:50 2013: %DATAPLANE-4-DOSATTACK: INVALID PACKET: TCP header length less than 20 bytes : Src IP : 192.168.2.102, Dst IP: 192.168.1.104, Src Mac: 00-11-25-14-D9-E2, Dst Mac: 00-15-70-81-91-6A, Proto = 6. Feb 07 12:16:55 2013: %DATAPLANE-5-MALFORMEDIP: Dropping IPv4 Packet from 192.168.2.102 to 192.168.1.
29 Feb 07 12:25:09 2013: %FILEMGMT-5-HTTPSTART: lighttpd started in external mode with pid 0 Feb 07 12:25:09 2013: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Feb 07 12:25:09 2013: %USER-5-NOTICE: FILEMGMT[1086]: FTP: ftp server stopped Feb 07 12:25:09 2013: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Feb 07 12:25:09 2013: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Feb 07 12:25:09 2013: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan2 Feb 07 12:25:09 2013: %DOT11-5-COUNTRY_CODE:
29 Firewall ruleset log The following example displays the log changes as ‘ACL_ATTACHED_ALTERED’ when an ACL Rule is applied/removed on WLAN, VLAN, GE, and PORT-CHANNEL: IP ACL IN on WLAN Attach Feb 07 12:48:40 2013: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered USER: The user who is doing the change session: means the session id of the user - one user can have multiple sessions running, so this explains from which session this change was done ACL:
29 IP ACL on VLAN Attach Feb 07 12:49:10 201: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface vlan1 is getting altered. IP ACL on VLAN Remove Feb 07 12:49:12 2013: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface vlan1 is getting altered. IP ACL on GE Port Attach Feb 07 12:49:15 2013: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface ge1 is getting altered.
29 TCP Reset Packets log For any change in the TCP configuration, a TCP reset log is generated. The following example displays the initial TCP packets permitted before the session timedout: Feb 07 20:31:26 2013: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:1 Disposition:Allow Packet Src MAC:<00-19-B9-6B-DA-77> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.168.1.99 Dst IP:192.168.2.102 Proto:6 Src Port:3318 Dst Port:21.
29 Software fallback feature is enabled System bootup time (via /proc/uptime) was 126.10 92.38 Please press Enter to activate this console. Feb 07 20:47:33 2013: %DOT11-5-COUNTRY_CODE: Country of operation configured to in [India] Feb 07 20:47:34 2013: %DIAG-6-NEW_LED_STATE: LED state message AP_LEDS_ON from module DOT11 Feb 07 20:47:34 2013: KERN: vlan1: add 01:00:5e:00:00:01 mcast address to master interface.
29 Drop/Deny Packets CCB:0:Matched ACL:ftpuser:ip Rule:0 Disposition:Drop Packet Src MAC:<00-11-25-14-D9-E2> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:192.168.2.1 Proto:17 Src Port:137 Dst Port:137 Feb 07 20:41:28 2013: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Drop Packet Src MAC:<00-11-25-14-D9-E2> Dst MAC:<00-15-70-81-91-6A> Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:192.168.2.
Appendix CONTROLLER MANAGED WLAN USE CASE A This section describes the activities required to configure a WLAN. Instructions are provided using the wireless controller CLI. Creating a First Controller Managed WLAN CONTROLLER MANAGED WLAN USE CASE It is assumed you have a Brocade Mobility RFS4000 wireless controller with the latest build available from Brocade.
A External Network BR650 (DHCP Client) RFS4000 (DHCP Server) 172.16.11.x BR7131 (DHCP Client) FIGURE 1 Network Design This is a simple deployment scenario, with the access points connected directly to the wireless controller. One wireless controller port is connected to an external network. On the Brocade Mobility RFS4000 wireless controller, the GE1 interface is connected to an external network. Interfaces GE3 and GE4 are used by the access points.
A Creating an AP Profile Creating a DHCP Server Policy Completing and Testing the Configuration Logging Into the Controller for the First Time Using the Command Line Interface to Configure the WLAN When powering on the wireless controller for the first time, you are prompted to replace the existing administrative password.
A Commit the changes and write to the running configuration. Exit this context. rfs4000(config-device-03-14-28-57-14-28)#commit write rfs4000(config-device-03-14-28-57-14-28)#exit rfs4000(config)# Creating a Wireless Controller Profile Using the Command Line Interface to Configure the WLAN The first step in creating a WLAN is to configure a profile defining the parameters applied to a wireless controller.
A Configure the Wireless Controller to use the Profile Before the wireless controller can be further configured, the profile must be applied to the wireless controller.
A rfs4000(config-profile-AP650_UseCase1)#interface vlan 2 rfs4000(config-profile-AP650_UseCase1-if-vlan2)# Configure this VLAN to use DHCP, so any device that is associated using this access point is automatically assigned a unique IP address. Once completed, exit this context.
A rfs4000(config-device-00-A0-F8-00-00-01)#use rf-domain RFDOMAIN_UseCase1 rfs4000(config-device-00-A0-F8-00-00-01)#commit write rfs4000(config-device-00-A0-F8-00-00-01)#exit rfs4000(config)# Creating a Brocade Mobility 71XX Access Point Profile Creating an AP Profile To create a profile for use with an Brocade Mobility 71XX Access Point: rfs4000(config)#profile br7131 Brocade Mobility 7131 Access Point_UseCase1 rfs4000(config-profile-Brocade Mobility 7131 Access Point_UseCase1)# Set the access point to b
A rfs4000(config-profile-Brocade Point_UseCase1-if-radio2)#wlan rfs4000(config-profile-Brocade Point_UseCase1-if-radio2)#exit rfs4000(config-profile-Brocade Mobility 7131 Access 1 Mobility 7131 Access Mobility 7131 Access Point_UseCase1)# Commit the changes made to the profile and exit this context.
A In the table, the IP address range of 172.16.11.11 to 172.16.11.200 is available using the DHCP server. To configure the DHCP server: rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#dhcp-pool DHCP_POOL_USECASE1_01 rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE 1_01)# Configure the address range as follows: rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE 1_01)#address range 172.16.11.11 172.16.11.
