Reference Guide
Table Of Contents
- Dell PowerConnect W-Series ArubaOS 6.1 Command Line Interface
- Introduction
- aaa authentication captive-portal
- aaa authentication dot1x
- aaa authentication mac
- aaa authentication mgmt
- aaa authentication stateful-dot1x
- aaa authentication stateful-dot1x clear
- aaa authentication stateful-ntlm
- aaa authentication via auth-profile
- aaa authentication via connection-profile
- aaa authentication via web-auth
- aaa authentication via global-config
- aaa authentication vpn
- aaa authentication wired
- aaa authentication wispr
- aaa authentication-server internal
- aaa authentication-server ldap
- aaa authentication-server radius
- aaa authentication-server tacacs
- aaa authentication-server windows
- aaa bandwidth-contract
- aaa derivation-rules
- aaa dns-query-interval
- aaa inservice
- aaa ipv6 user add
- aaa ipv6 user clear-sessions
- aaa ipv6 user delete
- aaa ipv6 user logout
- aaa password-policy mgmt
- aaa profile
- aaa query-user
- aaa radius-attributes
- aaa rfc-3576-server
- aaa server-group
- aaa sygate-on-demand (deprecated)
- aaa tacacs-accounting
- aaa test-server
- aaa timers
- aaa trusted-ap
- aaa user add
- aaa user clear-sessions
- aaa user delete
- aaa user fast-age
- aaa user logout
- aaa xml-api
- adp
- am
- ap authorization-profile
- ap enet-link-profile
- ap mesh-cluster-profile
- ap mesh-ht-ssid-profile
- ap mesh-radio-profile
- ap provisioning-profile
- ap provisioning-profile
- ap regulatory-domain-profile
- ap snmp-profile (deprecated)
- ap snmp-user-profile (deprecated)
- ap spectrum clear-webui-view-settings
- ap spectrum local-override
- ap system-profile
- ap wipe out flash
- ap wired-ap-profile
- ap wired-port-profile
- ap-group
- ap-leds
- ap-name
- ap-regroup
- ap-rename
- apboot
- apflash
- apconnect
- apdisconnect
- arp
- audit-trail
- backup
- banner motd
- boot
- cellular profile
- cfgm
- clear
- clear wms wired-mac
- clock set
- clock summer-time recurring
- clock timezone
- cluster-member-custom-cert
- cluster-member-factory-cert
- cluster-member-ip
- cluster-root-ip
- configure terminal
- controller-ip
- controller-ipv6
- control-plane-security
- copy
- cp-bandwidth-contract
- crypto dynamic-map
- crypto ipsec
- crypto isakmp
- crypto isakmp policy
- crypto map global-map
- crypto pki
- crypto pki-import
- crypto-local ipsec sa-cleanup
- crypto-local ipsec-map
- crypto-local isakmp ca-certificate
- crypto-local isakmp certificate-group
- crypto-local isakmp dpd
- crypto-local isakmp key
- crypto-local isakmp permit-invalid-cert
- crypto-local isakmp sa-cleanup
- crypto-local isakmp server-certificate
- crypto-local isakmp xauth
- crypto-local pki
- crypto-local pki rcp
- database synchronize
- delete
- destination
- dir
- dynamic-ip
- enable
- enable secret
- enable bypass
- encrypt
- esi group
- esi parser domain
- esi parser rule
- esi parser rule-test
- esi ping
- esi server
- exit
- export
- firewall
- firewall cp
- firewall cp-bandwidth-contract
- gateway health-check disable
- guest-access-email
- halt
- help
- hostname
- ids ap-classification-rule
- ids ap-rule-matching
- ids dos-profile
- ids general-profile
- ids impersonation-profile
- ids management-profile
- ids profile
- ids rate-thresholds-profile
- ids signature-matching-profile
- ids signature-profile
- ids unauthorized-device-profile
- Interface cellular
- interface fastethernet | gigabitethernet
- interface loopback
- interface port-channel
- interface range
- interface tunnel
- interface vlan
- interface vlan ip igmp proxy
- interface vlan ipv6 address
- ip access-list eth
- ip access-list extended
- ip access-list mac
- ip access-list session
- ip access-list standard
- ip cp-redirect-address
- ip default-gateway
- ip dhcp excluded-address
- ip dhcp pool
- ip domain lookup
- ip domain-name
- ip igmp
- ip local
- ip mobile active-domain
- ip mobile domain
- ip mobile foreign-agent
- ip mobile home-agent
- ip mobile packet-trace
- ip mobile proxy
- ip mobile revocation
- ip mobile trail (deprecated)
- ip name-server
- ip nat
- ip ospf
- ip pppoe-max-segment-size (deprecated)
- ip pppoe-password (deprecated)
- ip pppoe-service-name (deprecated)
- ip pppoe-username (deprecated)
- ip radius
- ip route
- ipv6 cp-redirect-address
- ipv6 default-gateway
- ipv6 enable
- ipv6 firewall
- ipv6 mld
- ipv6 neighbor
- ipv6 route
- lacp group
- lacp port-priority
- lacp system-priority
- lacp timeout
- license
- localip
- local-custom-cert
- local-factory-cert
- local-userdb add
- local-userdb del
- local-userdb export
- local-userdb fix-database
- local-userdb import
- local-userdb maximum-expiration
- local-userdb modify
- local-userdb send-to-guest
- local-userdb send-to-sponsor
- local-userdb-guest add
- local-userdb-guest del
- local-userdb-guest modify
- local-userdb-guest send-email
- local-userdb-remote-node
- location
- logging
- logging facility
- logging level
- loginsession
- logout
- mac-address-table
- masterip
- master-redundancy master-vrrp
- master-redundancy peer-ip
- mgmt-server
- mgmt-user
- netdestination
- netdestination6
- netexthdr
- netservice
- network-printer
- network-storage
- ntp authenticate
- ntp authentication-key
- ntp server
- ntp trusted-key
- packet-capture
- packet-capture-defaults
- page
- paging
- panic
- papi-security
- pcap
- ping
- pkt-trace
- pkt-trace-global
- pptp ip local pool
- priority-map
- process monitor
- prompt
- provision-ap
- rap-wml
- rap-wml table
- reload
- reload-peer-sc (Deprecated)
- remote-node-local-factory-cert
- remote-node-localip
- remote-node-masterip
- remote-node-profile
- rename
- restore
- rf am-scan-profile
- rf arm-profile
- rf dot11a-radio-profile
- rf dot11g-radio-profile
- rf event-thresholds-profile
- rf ht-radio-profile
- rf optimization-profile
- rf spectrum-profile
- rft
- router mobile
- router ospf
- service
- show aaa authentication all
- show aaa authentication captive-portal
- show aaa authentication captive-portal customization
- show aaa authentication dot1x
- show aaa authentication mac
- show aaa authentication mgmt
- show aaa authentication stateful-dot1x
- show aaa authentication stateful-ntlm
- show aaa authentication via auth-profile
- show aaa authentication via connection-profile
- show aaa authentication via web-auth
- show aaa authentication vpn
- show aaa authentication wired
- show aaa authentication wispr
- show aaa authentication-server all
- show aaa authentication-server internal
- show aaa authentication-server ldap
- show aaa authentication-server radius
- show aaa authentication-server tacacs
- show aaa authentication-server windows
- show aaa tacacs-accounting
- show aaa bandwidth-contracts
- show aaa derivation-rules
- show aaa dns-query-interval
- show aaa fqdn-server-names
- show aaa main-profile
- show aaa password-policy mgmt
- show aaa profile
- show aaa radius-attributes
- show aaa rfc-3576-server
- show aaa server-group
- show aaa state ap-group
- show aaa state configuration
- show aaa state debug-statistics
- show aaa state messages
- show aaa state station
- show aaa state user
- show aaa sygate-on-demand (deprecated)
- show aaa tacacs-accounting
- show aaa timers
- show aaa xml-api server
- show aaa web admin-port
- show aaa xml-api statistics
- show acceleration
- show acl ace-table
- show acl acl-table
- show acl hits
- show adp config
- show adp counters
- show ap active
- show ap allowed-channels
- show ap ap-group
- show ap arm history
- show ap arm neighbors
- show ap arm rf-summary
- show ap arm scan-times
- show ap arm state
- show ap association
- show ap association remote
- show ap authorization-profile
- show ap blacklist-clients
- show ap bss-table
- show ap bw-report
- show ap client status
- show ap config
- show ap coverage-holes (deprecated)
- show ap database
- show ap database-summary
- show ap debug association-failure (deprecated)
- show ap debug bss-config
- show ap debug bss-stats
- show ap debug client-mgmt-counters
- show ap debug client-stats
- show ap debug client-table
- show ap debug counters
- show ap debug crash-info
- show ap debug datapath
- show ap debug driver-log
- show ap debug log
- show ap debug mgmt-frames (deprecated)
- show ap debug radio-stats
- show ap debug received-config
- show ap debug remote association
- show ap debug shaping-table
- show ap debug system-status
- show ap debug trace-addr
- show ap details
- show ap enet-link-profile
- show ap essid
- show ap ht-rates
- show ap image version
- show ap license-usage
- show ap load-balancing
- show ap mesh active
- show ap mesh debug counters
- show ap mesh debug current-cluster
- show ap mesh debug forwarding-table
- show ap mesh debug hostapd-log
- show ap mesh debug meshd-log
- show ap mesh debug provisioned-clusters
- show ap mesh neighbors
- show ap mesh tech-support
- show ap mesh topology
- show ap mesh-cluster-profile
- show ap mesh-ht-ssid-profile
- show ap mesh-radio-profile
- show ap monitor
- show ap monitor association
- show ap monitor debug
- show ap monitor stats
- show ap pcap status
- show ap profile-usage
- show ap provisioning
- show ap radio-database
- show ap regulatory-domain-profile
- show ap remote counters
- show ap remote debug flash-config
- show ap remote debug mgmt-frames
- show ap spectrum ap-list
- show ap spectrum channel-metrics
- show ap spectrum channel-summary
- show ap spectrum client-list
- show ap spectrum debug
- show ap spectrum debug fft
- show ap spectrum debug monitors
- show ap spectrum debug status
- show ap spectrum device-duty-cycle
- show ap spectrum device-history
- show ap spectrum device-list
- show ap spectrum device-log
- show ap spectrum device-summary
- show ap spectrum interference-power
- show ap spectrum local-override
- show ap spectrum monitors
- show ap spectrum technical-support
- show ap spectrum-load-balancing
- show ap system-profile
- show ap tech-support
- show ap vlan-usage
- show ap wired stats
- show ap wired-ap-profile
- show ap wired-port-profile
- show ap wmm-flow
- show ap-group
- show ap-name
- show arp
- show audit-trail
- show auth-tracebuf
- show banner
- show boot
- show cellular profile
- show clock
- show command-mapping
- show configuration
- show controller-ip
- show controller-ipv6
- show country
- show cp-bwcontracts
- show cpuload
- show crypto dp
- show crypto dynamic-map
- show crypto ipsec
- show crypto isakmp
- show crypto map
- show crypto pki
- show crypto-local ipsec-map
- show crypto-local isakmp
- show crypto-local pki
- show database
- show datapath
- show destination
- show dialer group
- show dir
- show dot1x ap-table
- show dot1x ap-table aes
- show dot1x ap-table dynamic-wep
- show dot1x ap-table static-wep
- show dot1x ap-table tkip
- show dot1x counters
- show dot1x supplicant-info
- show dot1x supplicant-info list-all
- show dot1x supplicant-info pmkid
- show dot1x supplicant-info statistics
- show esi groups
- show esi parser
- show esi ping
- show esi servers
- show faults
- show firewall
- show firewall-cp
- show gateway health-check
- show global-user-table count
- show-global-user-table list
- show guest-access-email
- show hostname
- show ids ap-classification-rule
- show ids ap-rule-matching
- show ids dos-profile
- show ids general-profile
- show ids impersonation-profile
- show ids management-profile
- show ids profile
- show ids rate-thresholds-profile
- show ids signature-matching-profile
- show ids signature-profile
- show ids unauthorized-device-profile
- show image version
- show interface cellular access-group
- show interface counters
- show interface gigabitethernet
- show interface fastethernet
- show interface loopback
- show interface port-channel
- show interface tunnel
- show interface vlan
- show inventory
- show ip access-group
- show ip access-list
- show ip cp-redirect-address
- show ip dhcp
- show ip domain-name
- show ip igmp
- show ip interface brief
- show ip mobile
- show ip nat pool
- show ip ospf
- show ip pppoe-info
- show ip radius
- show ip route
- show ipc statistics app-ap
- show ipc statistics app-id
- show ipc statistics app-name
- show ipv6 access-list (deprecated)
- show ipv6 datapath session counters (deprecated)
- show ipv6 datapath session table (deprecated)
- show ipv6 datapath user counters (deprecated)
- show ipv6 datapath user table (deprecated)
- show ipv6 firewall
- show ipv6 interface
- show ipv6 mld config
- show ipv6 mld counters
- show ipv6 mld group
- show ipv6 mld interface
- show ipv6 neighbors
- show ipv6 route
- show ipv6 user-table
- show keys
- show lacp
- show lacp sys-id
- show license
- show license-usage
- show local-cert-mac
- show localip
- show local-userdb
- show local-userdb username
- show local-userdb-remote-node
- show log all
- show log ap-debug
- show log bssid-debug
- show log errorlog
- show log essid-debug
- show log network
- show log security
- show log system
- show log user
- show log user-debug
- show log wireless
- show logging
- show loginsessions
- show mac-address-table
- show master-configpending
- show master-local stats
- show master-redundancy
- show memory
- show mgmt-role
- show mgmt-users
- show netdestination
- show netexthdr
- show netservice
- show netstat
- show network-printer
- show network-storage
- show ntp peer
- show ntp servers
- show ntp status
- show packet-capture
- show packet-capture-defaults
- show papi-security
- show poe
- show port link-event
- show port monitor
- show port stats
- show port status
- show port trusted
- show port xsec
- show priority-map
- show processes
- show profile-errors
- show profile-hierarchy
- show provisioning-params
- show profile-list aaa
- show profile-list ap
- show profile-list ap-group
- show profile-list ap-name
- show profile-list ids
- show profile-list rf
- show profile-list wlan
- show provisioning-ap-list
- show rap-wml
- show references aaa authentication
- show references aaa authentication-server
- show references aaa profile
- show references aaa server-group
- show references ap
- show references guest-access-email
- show references ids
- show references papi-security
- show references rf
- show references user-role
- show references web-server
- show references wlan
- show remote-node
- show remote-node-dhcp-pool
- show remote-node-profile
- show rf am-scan-profile
- show rf arm-profile
- show rf dot11a-radio-profile
- show rf dot11g-radio-profile
- show rf event-thresholds-profile
- show rf ht-radio-profile
- show rf optimization-profile
- show rf spectrum-profile
- show rft profile
- show rft result
- show rft transactions
- show rights
- show roleinfo
- show rrm dot11k admission-capacity
- show rrm dot11k ap-channel-report
- show rrm dot11k beacon-report
- show rrm dot11k neighbor-report
- show rrm dot11k transmit-stream-report station-mac
- show running-config
- show session-acl-list
- show slots
- show snmp community
- show snmp inform
- show snmp trap-host
- show snmp trap-list
- show snmp trap-queue
- show snmp user-table
- show spanning-tree
- show spantree
- show ssh
- show startup-config
- show station-table
- show storage
- show switch ip
- show switch software
- show switches
- show switchinfo
- show syscontact
- show syslocation
- show tech-support
- show telnet
- show time-range
- show tpm cert-info
- show trunk
- show tunneled-node config
- show tunneled-node
- show uplink
- show usb
- show user
- show user_session_count (deprecated)
- show util_proc
- show valid-network-oui-profile
- show version
- show vlan
- show vlan mapping
- show vlan status
- show vlan summary
- show vlan-bwcontract-explist
- show voice call-cdrs
- show voice call-counters
- show voice call-density
- show voice call-perf
- show voice call-quality
- show voice call-stats
- show voice client-status
- show voice configurations
- show voice dialplan-profile
- show voice logging
- show voice msg-stats
- show voice real-time-analysis
- show voice real-time-analysis-config
- show voice rtcp-inactivity
- show voice sip
- show voice sip-midcall-req-timeout
- show voice statistics
- show voice trace
- show vpdn l2tp configuration
- show vpdn pptp configuration
- show vpdn pptp local pool
- show via
- show vpn-dialer
- show vrrp
- show web-server
- show wlan dot11k-profile
- show wlan edca-parameters-profile
- show wlan ht-ssid-profile
- show wlan ssid-profile
- show wlan traffic-management-profile
- show wlan virtual-ap
- show wlan voip-cac-profile
- show wms ap
- show wms channel
- show wms client
- show wms counters
- show wms general
- show wms monitor-summary
- show wms probe
- show wms rogue-ap
- show wms routers
- show wms rules
- show wms system
- show wms wired-mac
- shutdown
- snmp-server
- spanning-tree (Global Configuration)
- spanning-tree (Configuration Interface)
- spanning-tree mode
- spanning-tree vlan (PVST+)
- spanning-tree vlan range (PVST+)
- ssh
- stm
- support
- syscontact
- syslocation
- tar
- telnet
- time-range
- traceroute
- tracepath
- trusted
- tunneled-node-address
- tunnel-loop-prevention
- uplink
- usb reclassify
- usb-printer
- user-role
- valid-network-oui-profile
- vlan
- vlan-bwcontract-explist
- vlan-name
- voice dialplan-profile
- voice logging
- voice rtcp-inactivity
- voice real-time-config
- voice sip
- voice sip-midcall-req-timeout
- voice test
- vpdn group l2tp
- vpdn group pptp
- vpn-dialer
- vrrp
- web-server
- whitelist-db cpsec add
- whitelist-db cpsec delete
- whitelist-db cpsec modify
- whitelist-db cpsec revoke
- whitelist-db cpsec purge
- whitelist-db cpsec-local-switch-list
- whitelist-db cpsec-master-switch-list
- whoami
- wlan dot11k-profile
- wlan client-wlan-profile
- wlan edca-parameters-profile
- wlan ht-ssid-profile
- wlan ssid-profile
- wlan traffic-management-profile
- wlan virtual-ap
- wlan voip-cac-profile
- wms ap
- wms clean-db
- wms client
- wms export-class
- wms export-db
- wms general
- wms import-db
- wms reinit-db
- wms-local system
- write
- Appendix A: Command Modes
Dell PowerConnect W-Series ArubaOS 6.1 CLI | Reference Guide crypto-local ipsec-map | 201
Usage Guidelines
You can use controllers instead of VPN concentrators to connect sites at different physical locations.
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same
CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to
display the certificates associated with all configured site-to-site VPN maps; use the tag <map> option to display
certificates associated with a specific site-to-site VPN map.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to
authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically
addressed peers.
To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with
Authentication based on a Pre-Shared-Key. A controller with a dynamic IP address must be configured to be the
initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be
configured as the responder of IKE Aggressive-mode.
Examples
The following commands configures site-to-site VPN between two controllers:
(host) (config) #crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
vlan 1
trusted
(host) (config) #crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
vlan 1
trusted
set security-association
lifetime seconds <seconds>
Configures the lifetime, in seconds, for the security
association (SA).
300-86400 7200
seconds
set server-certificate <cert-
name>
User-defined name of a server certificate installed in
the controller. Use the show crypto-local pki
ServerCert command to display the server certificates
that have been imported into the controller.
——
set transform-set <name1> Name of the transform set for this IPsec map. One
transform set name is required, but you can specify up
to four transform sets. Configure transform sets with
the crypto ipsec transform-set command.
— default-
transform
src-net <ipaddr> <mask> IP address and netmask for the source network. — —
trusted Enables or disables a trusted tunnel. enable/
disable
disabled
version v1|v2 Select the IKE version for the IPsec map.
v1: IKEv1
v2: IKEv2
v1
vlan <vlan> VLAN ID. Enter 0 for the loopback. 1-4094 —
Parameter Description Range Default