Wireless LAN Mobility System

Wireless LAN Switch and Controller

Command Reference

WX4400 3CRWX440095A

WX2200 3CRWX220095A

WX1200 3CRWX120695A

WXR100 3CRWXR10095A

http://www.3Com.com/

Part No. 10015910 Rev AB

Published December 2007

3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064

Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as "Commercial Computer Software" as defined in DFARS 252.227-7014 (June 1995) or as a "commercial item" as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com is a registered trademark of 3Com Corporation. The 3Com logo is a trademark of 3Com Corporation.

Mobility Domain, Managed Access Point, Mobility Profile, Mobility System, Mobility System Software, MP, MSS, and SentrySweep are trademarks of Trapeze Networks.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, Windows XP, and Windows NT are registered trademarks of Microsoft Corporation.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.

Environmental Statement about the Documentation

The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and the inks are vegetable-based with a low heavy-metal content.

CONTENTS

ABOUT THIS GUIDE

9 MOBILITY DOMAIN COMMANDS

clear mobility-domain member

display mobility-domain

10 NETWORK DOMAIN COMMANDS

11 MANAGED ACCESS POINT COMMANDS

MAP Access Point Commands by Usage

set radio-profile auto-tune power-ramp-interval

13 IGMP SNOOPING COMMANDS

display igmp receiver-table

14 SECURITY ACL COMMANDS

Security ACL Commands by Usage

display security acl resource-usage

set security acl hit-sample-rate

15 CRYPTOGRAPHY COMMANDS

set server group load-balance

17 802.1X MANAGEMENT COMMANDS

18 SESSION MANAGEMENT COMMANDS

Commands by Usage

19 RF DETECTION COMMANDS

20 FILE MANAGEMENT COMMANDS

Commands by Usage

backup

clear boot backup-configuration

clear boot config

22 SNOOP COMMANDS

Commands by Usage

23 SYSTEM LOG COMMANDS

Commands by Usage

set log mark

Purchase Extended Warranty and Professional Services

Access Software Downloads

Contact Us

Telephone Technical Support and Repair

INDEX

ABOUT THIS GUIDE

This command reference explains the Mobility System Software (MSS™) command line interface (CLI) commands that you enter on a 3Com WXR100 or WX1200 Wireless Switch or WX4400 or WX2200 Wireless LAN Controller to configure and manage the Mobility System™ wireless LAN (WLAN).

Read this reference if you are a network administrator responsible for managing WXR100, WX1200, WX4400, or WX2200 wireless switches and their Managed Access Points (MAPs) in a network.

If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.

Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the 3Com World Wide Web site:

http://www.3com.com/

This manual uses the following text and syntax conventions:

Table 2 Text Conventions

• Wireless Switch Manager Reference Manual

This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM).

• Wireless Switch Manager User's Guide

This manual shows you how to plan, configure, deploy, and manage the entire WLAN with the 3WXM tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy 3Com equipment to provide those services, and how to optimize and manage your WLAN.

• Wireless LAN Switch and Controller Hardware Installation Guide

This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN.

• Wireless LAN Switch and Controller Configuration Guide

Example:

• Wireless LAN Switch and Controller Configuration Guide

• Part number 730-9502-0071, Revision B

• Page 25

Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to Technical Support or sales should be directed in the first instance to your network supplier.

The wireless LAN switches support two connection modes:

• Administrative access mode, which enables the network administrator to connect to the WX switch and configure the network

• Network access mode, which enables network users to connect through the WX switch to access the network

28 CHAPTER 1: USING THE COMMAND-LINE INTERFACE

CLI Conventions

Be aware of the following MSS CLI conventions for command entry:

• "Command Prompts" on page 28

• "Syntax Notation" on page 28

• "Text Entry Conventions and Allowed Characters" on page 29

• "User Globs, MAC Address Globs, and VLAN Globs" on page 30

• "Port Lists" on page 32

• "Virtual LAN Identification" on page 33

Command Prompts

By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the wireless LAN switch model number (for example, 1200).

WXmmmm>

After you become enabled as an administrative user by typing enable and supplying a suitable password, MSS displays the following prompt:

WXmmmm#

For information about changing the CLI prompt on a wireless LAN switch, see "set prompt" on page 59.

Syntax Notation

The MSS CLI uses standard syntax notation:

• Bold monospace font identifies the command and keywords you must type. For example:

set enablepass

• Italics indicate a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:

clear interface vlan-id ip

• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:

clear fdb {dynamic | port port-list} [vlan vlan-id]

• A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:

set port {enable | disable} port-list

IP Address and Mask Notation

MSS displays IP addresses in dotted decimal notation (for example, 192.168.1.111). MSS makes use of both subnet masks and wildcard masks.

Subnet Masks

Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks (for example, 192.168.1.112/24). You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.

Wildcard Masks

Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the wireless LAN switch filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.

For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.

The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
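
The wildcard-mask rules above can be checked offline before an ACL is entered. The following Python sketch is an added example, not 3Com or MSS code: it rejects masks whose 0 bits are not contiguous from the first bit, tests whether a packet address matches an address/mask pair, and reports the equivalent CIDR block. The function names and sample entries are constructed for illustration, and accepting 255.255.255.255 as "match any address" is an assumption.

```python
import ipaddress

FULL = 0xFFFFFFFF  # all 32 bits of an IPv4 address


def parse_wildcard_mask(mask: str) -> int:
    """Return the mask as an integer, or raise ValueError if its checked
    bits (0s) are not one contiguous run starting at the first bit."""
    value = int(ipaddress.IPv4Address(mask))
    # A valid mask is 0...01...1 in binary, so adding 1 carries through
    # every 1 bit and the result shares no set bit with the mask.
    # Assumption: 255.255.255.255 (no checked bits) is accepted as "any".
    if value & (value + 1):
        raise ValueError(f"{mask}: 0 bits are not contiguous from the first bit")
    return value


def acl_matches(rule_addr: str, mask: str, packet_addr: str) -> bool:
    """True if packet_addr equals rule_addr in every bit the mask checks."""
    checked = ~parse_wildcard_mask(mask) & FULL   # 1 where bits are compared
    rule = int(ipaddress.IPv4Address(rule_addr))
    packet = int(ipaddress.IPv4Address(packet_addr))
    return ((rule ^ packet) & checked) == 0


def covered_network(rule_addr: str, mask: str) -> ipaddress.IPv4Network:
    """Express an address/wildcard-mask pair as the CIDR block it covers."""
    wildcard = parse_wildcard_mask(mask)
    prefix_len = 32 - wildcard.bit_length()
    base = int(ipaddress.IPv4Address(rule_addr)) & ~wildcard & FULL
    return ipaddress.IPv4Network((base, prefix_len))


def audit(entries):
    """Return (address, mask, coverage or error text) for each ACL entry."""
    report = []
    for addr, mask in entries:
        try:
            report.append((addr, mask, str(covered_network(addr, mask))))
        except ValueError as exc:
            report.append((addr, mask, f"INVALID: {exc}"))
    return report


if __name__ == "__main__":
    # Constructed sample entries; the masks are the ones quoted in the text.
    sample = [("10.0.0.0", "0.255.255.255"), ("10.1.0.0", "0.0.255.255"),
              ("10.1.2.0", "0.0.0.255"), ("10.0.5.0", "0.255.0.255")]
    for row in audit(sample):
        print(*row)
```

Reviewing the CIDR form of each entry makes an overly broad permit rule easier to spot than the dotted wildcard mask does.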

User Globs, MAC Address Globs, and VLAN Globs

Name "globbing" is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. MSS accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a glob is matched, processing stops on the list of globs.

User Globs

A user glob is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.

A user glob can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.).

Table 3 gives examples of user globs.

Table 3 User Globs

MAC Address Globs

A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:

00:*

00:01:*

00:01:02:*

00:01:02:03:*

00:01:02:03:04:*

For example, the MAC address glob 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).

VLAN Globs

A VLAN glob is a method for matching one of a set of local rules on a wireless LAN switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.

To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the period (.).

For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.

Matching Order for Globs

In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the display aaa or display config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
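
Because the first matching glob wins, a broad glob placed too early silently overrides the more specific rules below it. The following Python sketch is an added example, not MSS code: it models the user and VLAN glob rules described above and flags entries that can never be reached because a double-asterisk glob precedes them. The function names, rule labels, and sample rules are constructed; treating a glob as matching the whole name, case-sensitive matching, and handling ** only when it is the entire glob are assumptions.

```python
import re

DELIMITERS = "@."      # glob delimiter characters named in the text
MAX_USER_GLOB = 80     # maximum user glob length given in the text


def compile_glob(glob: str) -> re.Pattern:
    """Translate a user or VLAN glob into an anchored regular expression."""
    if not glob or len(glob) > MAX_USER_GLOB or " " in glob or "\t" in glob:
        raise ValueError(f"invalid glob: {glob!r}")
    if glob == "**":
        # Double asterisk with no delimiters matches every name.
        return re.compile(r".*", re.DOTALL)
    # A single asterisk matches any run of characters that stops before
    # a delimiter; every other character matches itself literally.
    segment = "[^" + re.escape(DELIMITERS) + "]*"
    return re.compile("".join(segment if ch == "*" else re.escape(ch)
                              for ch in glob))


def first_match(rules, name):
    """Return (index, glob, label) of the first rule matching name, else None.

    rules is an ordered list of (glob, label) pairs, highest entry first,
    mirroring the top-to-bottom order of the configuration listing."""
    for index, (glob, label) in enumerate(rules):
        if compile_glob(glob).fullmatch(name):
            return index, glob, label
    return None


def unreachable_after_catch_all(rules):
    """Return the globs listed below a ** entry; they can never match."""
    for index, (glob, _label) in enumerate(rules):
        if glob == "**":
            return [later for later, _ in rules[index + 1:]]
    return []


# Constructed sample rule list; the labels are placeholders, not MSS syntax.
SAMPLE_RULES = [
    ("*@eng.example.com", "engineering"),
    ("**", "guest"),
    ("admin@example.com", "management"),   # shadowed by the ** entry above
]

if __name__ == "__main__":
    for user in ("tamara@eng.example.com", "admin@example.com"):
        print(user, "->", first_match(SAMPLE_RULES, user))
    print("unreachable:", unreachable_after_catch_all(SAMPLE_RULES))
```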

Port Lists

The physical Ethernet ports on a WX switch can be set for connection to MAP access points, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format.

The ports on a WX switch are numbered 1 through 4 (for the 3Com Wireless LAN Controller WX4400) and 1 through 8 (for the 3Com Wireless LAN Switch WX1200). No port 0 exists on the WX switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:

• A single port number. For example:

WX1200# set port enable 6

• A comma-separated list of port numbers, with no spaces. For example:

WX1200# display port poe 1,2,4

• A hyphen-separated range of port numbers, with no spaces. For example:

WX1200# reset port 1-3

• Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:

WX1200# display port status 1-3,6

Virtual LAN Identification

The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the wireless LAN uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and display commands use a VLAN's name or number to uniquely identify the VLAN within the WX.

Keyboard Shortcuts

The following table lists the keyboard shortcuts for entering and editing CLI commands.

Table 4 Keyboard Shortcuts

History Buffer

The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

Tabs

The MSS CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to show the command(s) that begin with those characters. For example:

WX1200# display i <Tab>

Single-Asterisk (*) Wildcard Character

You can use the single-asterisk (*) wildcard character in globbing. (For details, see "User Globs, MAC Address Globs, and VLAN Globs" on page 30.)

Double-Asterisk (**) Wildcard Characters

The double-asterisk (**) wildcard character matches all usernames. For details, see "User Globs" on page 30.

WX1200# help

Commands:

-------------------------------------------------------------------------

For more information on help, see "help" on page 50.

To see a subset of the online help, type the command for which you want more information. For example, to show all the commands that begin with the letter i, type the following command:

To see all the variations, type one of the commands followed by a question mark (?). For example:

To determine the port on which Telnet is running, type the following command:

Understanding Command Descriptions

Each command description in the 3Com Mobility System Software Command Reference contains the following elements:

• A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:

set ap name

• A brief description of the command's functions.

• The full command syntax.

• Any command defaults.

• The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command.

• The command history, which identifies the MSS version in which the command was introduced and the version numbers of any subsequent updates.

• Special tips for command usage. These are omitted if the command requires no special usage.

• One or more examples of the command in context, with the appropriate system prompt and response.

• One or more related commands.

This chapter describes access commands used to control access to the Mobility System Software (MSS) command-line interface (CLI).

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command restricts access to the CLI for the current session:

WX1200# disable

WX1200>

See Also

• enable on page 38

38 CHAPTER 2: ACCESS COMMANDS

WX1200> quit

See Also

• disable on page 37

• enable on page 38

Use system services commands to configure and monitor system information for a WX switch.

42 CHAPTER 3: SYSTEM SERVICE COMMANDS

Table 6 System Services Commands by Usage (continued)

clear banner motd

Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the wireless LAN switch.

Syntax - clear banner motd

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To clear a banner, type the following command:

WX4400# clear banner motd

success: change accepted

As an alternative to clearing the banner, you can overwrite the existing banner with an empty banner by typing the following command:

set banner motd ^^

See Also

• display banner motd on page 45

• quickstart on page 52

See Also

• set prompt on page 59. (For information about default prompts, see "Command Prompts" on page 28.)

See Also

• display config on page 675

• display system on page 47

• set system contact on page 60

• set system countrycode on page 61

• set system idle-timeout on page 65

• set system location on page 67

The additional ports refers to the number of additional MAPs the switch can boot and actively manage.

See Also

• set license on page 58

Examples - To show system information, type the following command:

WX4400# display system

===============================================================================

===============================================================================

===============================================================================

Fan status: fan1 OK fan2 OK fan3 OK

Temperature: temp1 ok temp2 ok temp3 ok

PSU Status: Lower Power Supply DC ok AC ok Upper Power Supply missing

Memory: 97.04/744.03 (13%)

Total Power Over Ethernet : 29.000

===============================================================================

Table 7 describes the fields of display system output.

Table 7 display system output

Access - All.

History - Introduced in MSS Version 3.0.

Examples - Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access. To show a list of CLI commands available at the enabled access level, type the following command at the enabled access level:

WX4400# help

Commands:

-------------------------------------------------------------------------

When the 3WXM server in the corporate network receives the configuration request, the server looks in the currently open network plan for a switch configuration with the same model and serial number as the one in the configuration request.

• If the network plan contains a configuration with a matching model and serial number, 3WXM sends the configuration to the switch and restarts the switch. The switch boots using the configuration it received from 3WXM.

• If the network plan does not have a configuration with a matching model and serial number, a verification warning appears in 3WXM. The warning lists the switch's serial number and IP address. The network administrator can upload the switch into the network plan, configure switch parameters, and deploy the configuration to the switch.

To use the auto-config option with a new (unconfigured) WXR100, insert a paperclip or similar object into the WXR100's factory reset hole to press the switch. The factory reset switch must be held for about 3 seconds while the factory reset LED (the right LED above port 1) is lit. Normally, this LED remains solidly lit for 3 seconds after power on. However, when the factory reset switch is pressed, the LED flashes for 3 seconds instead.

If you want another WX switch model to be able to access a 3WXM server for a configuration, you also must preconfigure the WX with the following information:

• IP address

• Gateway address

• Domain name and DNS server address

You can enable the switch to use the MSS DHCP client to obtain this information from a DHCP server in the local network where the switch will be deployed. Alternatively, you can statically configure the information.

The IP address and DNS information are configured independently. You can configure the combination of settings that work with the network resources available at the deployment site. The following examples show some of the combinations you can configure.

Examples - The following commands stage a WX switch to use the auto-config option. The network where the switch is installed has a DHCP server, so the switch is configured to use the MSS DHCP client to obtain an IP address, default gateway address, DNS domain name, and DNS server IP addresses:

1 Configure a VLAN:

WX-1200# set vlan 1 port 7

success: change accepted.

2 Enable the DHCP client on VLAN 1:

WX-1200# set interface 1 ip dhcp-client enable

success: change accepted.

3 Enable the auto-config option:

WX-1200# set auto-config enable

success: change accepted.

4 Save the configuration changes:

WX-1200# save config

success: configuration saved.

See Also

• crypto generate key on page 565

• crypto generate self-signed on page 568

• save config on page 685

• set interface dhcp-client on page 171

• set vlan port on page 125

• enable - Enables the prompt to acknowledge the MOTD banner.

• disable - Disables the prompt to acknowledge the MOTD banner.

• " - Delimiting character that begins and ends the prompt message; for example, double quotes (").

• message - Up to 32 alphanumeric characters, but not the delimiting character.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Enable the MOTD prompt, then optionally specify a prompt message.

When a user logs into the WX switch using the CLI, the configured MOTD banner is displayed, followed by the MOTD prompt message (if one is specified). In response, the user has the option of entering y to proceed or any other key to terminate the connection.

Examples - To enable the prompt for the MOTD banner, type the following command:

WX# set banner acknowledge enable

success: change accepted.

To set Do you agree? as the text to be displayed following the MOTD banner, type the following command:

WX# set banner acknowledge message "Do you agree?"

success: change accepted.

After these commands are entered, when the user logs on, the MOTD banner is displayed, followed by the text Do you agree? If the user enters y, then the login proceeds; if not, then the user is disconnected.

See Also

• set banner motd on page 56

• clear banner motd on page 42

• display banner motd on page 45

set banner motd

Configures the banner string that is displayed before the beginning of each login prompt for each CLI session on the WX switch.

Syntax - set banner motd "text"

• " - Delimiting character that begins and ends the message; for example, double quotes (").

• text - Up to 2000 alphanumeric characters, including tabs and carriage returns, but not the delimiting character (^). The maximum number of characters is approximately 24 lines by 80 characters.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Type a delimiting character, then the message, then another delimiting character.

Examples - To create a banner that says Meeting @ 4:00 p.m. in Conference Room #3, type the following command:

WX# set banner motd "Meeting @ 4:00 p.m. in Conference Room #3"

success: motd changed.

See Also

• set banner acknowledge on page 54

• clear banner motd on page 42

• display banner motd on page 45

Syntax - set length number-of-lines

• number-of-lines - Number of lines of text to display between paging prompts. You can specify from 0 to 512. The 0 value disables the paging prompt action entirely.

Defaults - MSS displays 24 lines by default.

Access - All.

History - Introduced in MSS Version 3.0.

Usage - Use this command if the output of a CLI command is greater than the number of lines allowed by default for a terminal type.

Examples - To set the number of lines displayed to 100, type the following command:

WX4400# set length 100

success: screen length for this session set to 100

set license

Installs an upgrade license, for managing more MAPs.

Syntax - set license license-key activation-key

• license-key - License key, starting with WXL. You can enter the key with or without the hyphens.

• activation-key - Activation key, starting with WXA. You can enter the key with or without the hyphens.

Defaults - The WX4400 can boot and manage 24 MAPs by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The license key is shipped with the switch. To obtain the activation key, access the 3Com web site. Each license and activation key pair allows the switch to actively manage an additional 24 MAPs. You can install up to three upgrade license and activation key pairs, to actively manage up to 96 MAPs.

Examples - To install an upgrade license and activation key, type the following command:

WX4400# set license WXL-076E-93E9-62DA-54D8 WXA-3E04-4CC2-430D-B508

48 ports are enabled

success: license was installed

The additional ports refers to the number of additional MAPs the switch can boot and actively manage.

See Also

• display license on page 46

Syntax - set prompt string

• string - Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks ("").

Defaults - The factory default for the WX switch name is the model number (WX1200 for the 3Com Wireless LAN Switch WX1200, WX4400 for the 3Com Wireless LAN Controller WX4400).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - When you first log in for the initial configuration of the WX switch, the CLI provides a WX1200> or WX4400> prompt, depending on your model. After you become enabled by typing enable and giving a suitable password, the WX1200# or WX4400# prompt is displayed.

If you use the set system name command to change the default system name, MSS uses that name in the prompt, unless you also change the prompt with set prompt.

Examples - The following example sets the prompt from WX4400 to happy_days:

WX4400# set prompt happy_days

success: change accepted.

happy_days#

See Also

• clear prompt on page 43

• display config on page 675

• set system name on page 68

set system contact

Stores a contact name for the WX switch.

Syntax - set system contact string

• string - Alphanumeric string up to 256 characters long, with no blank spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

To view the system contact string, type the display system command.

Examples - The following command sets the system contact information to tamara@example.com:

WX1200# set system contact tamara@example.com

success: change accepted.

See Also

• clear system on page 44

• display system on page 47

• set system location on page 67

• set system name on page 68

Syntax - set system countrycode code

• code - Two-letter code for the country of operation for the WX switch. You can specify one of the codes listed in Table 8.

Table 8 Country Codes

Defaults - The factory default country code is None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must set the system country code to a valid value before using any set ap commands to configure a MAP.

Examples - To set the country code to Canada, type the following command:

WX1200# set system countrycode CA

success: change accepted.

See Also

• display config on page 675

Syntax - set system idle-timeout seconds

• seconds - Number of seconds a CLI management session can remain idle before MSS terminates the session. You can specify from 0 to 86400 seconds (one day). If you specify 0, the idle timeout is disabled.

The timeout interval is in 30-second increments. For example, the interval can be 0, or 30 seconds, or 60 seconds, or 90 seconds, and so on. If you enter an interval that is not divisible by 30, the CLI rounds up to the next 30-second increment. For example, if you enter 31, the CLI rounds up to 60.

Defaults - 3600 seconds (one hour).

Access - Enabled.

History - Introduced in MSS Version 4.1.

Usage - This command applies to all types of CLI management sessions: console, Telnet, and SSH. The timeout change applies to existing sessions only, not to new sessions.

Examples - The following command sets the idle timeout to 1800 seconds (one half hour):

WX1200# set system idle-timeout 1800

success: change accepted.

See Also

• clear system on page 44

• display system on page 47

Syntax - set system ip-address ip-addr

• ip-addr - IP address, in dotted decimal notation.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command sets the IP address of the WX switch to 192.168.253.1:

WX4400# set system ip-address 192.168.253.1

success: change accepted.

See Also

• clear system on page 44

• set interface on page 170

• display system on page 47

set system location 67

set system location

Stores location information for the WX switch.

Syntax - set system location string

• string - Alphanumeric string up to 256 characters long, with no blank spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You cannot include spaces in the system location string.

To view the system location string, type the display system command.

Examples - To store the location of the WX switch in the WX's configuration, type the following command:

WX4400# set system location first-floor-bldg3
success: change accepted.

See Also

• clear system on page 44
• display system on page 47
• set system contact on page 60
• set system name on page 68

set system name

Changes the name of the WX switch from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.

Syntax - set system name string

• string - Alphanumeric string up to 256 characters long, with no blank spaces. Use a unique name for each WX switch.

Defaults - By default, the system name and command prompt have the same value. The factory default for both is the model number (WX1200 for the 3Com Wireless LAN Switch WX1200, WX4400 for the 3Com Wireless LAN Controller WX4400).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Entering set system name with no string resets the system name to the factory default.

To view the system name string, type the display system command.

Examples - The following example sets the system name to a name that identifies the WX switch:

WX4400# set system name WX-bldg3
success: change accepted.
WX-bldg3#

See Also

• clear system on page 44
• display system on page 47
• set prompt on page 59
• set system contact on page 60
• set system location on page 67

Use port commands to configure and manage individual ports and load-sharing port groups.


Table 9 Port Commands by Usage (continued)

clear ap

Removes a Distributed MAP.

CAUTION: When you clear a Distributed MAP, MSS ends user sessions that are using the MAP.

Syntax - clear ap {ap-number | all}

• ap-number - Number of the Distributed MAP(s) to remove.
• all - Clear all distributed MAPs.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 renamed dap to ap.

Examples - The following command clears Distributed MAP 1:

WX4400# clear ap 1
This will clear specified AP devices.
Would you like to continue? (y/n) [n]y

See Also

• set ap on page 87
• set port type ap on page 97

clear port counters

Clears port statistics counters and resets them to 0.

Syntax - clear port counters

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command clears all port statistics counters and resets them to 0:

WX4400# clear port counters
success: cleared port counters

See Also

• display port counters on page 75
• monitor port counters on page 82

Syntax - clear port-group name name

• name name - Name of the port group.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command clears port group server1:

WX4400# clear port-group name server1
success: change accepted.

See Also

• set port-group on page 90
• display port-group on page 76

Examples - The following command clears the names of ports 1 through 3:

WX4400# clear port 1-3 name

See Also

• display port status on page 79
• set port name on page 93

clear port mirror

Removes a port mirroring configuration.

Syntax - clear port mirror

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command clears the port mirroring configuration from the switch:

WX4400# clear port mirror

See Also

• display port mirror on page 77
• set port mirror on page 92

Syntax - clear port preference port-list

• port-list - List of physical ports. MSS clears the preference on all the specified ports.

Defaults - When both the copper and fiber interfaces of a gigabit Ethernet port are connected, the GBIC (fiber) interface is the active link. The RJ-45 (copper) link is unused.

Access - Enabled.

Syntax - clear port type port-list

• port-list - List of physical ports. MSS resets and removes the configuration from all the specified ports.

Defaults - The cleared port becomes a network port but is not placed in any VLANs.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Use this command to change a port back to a network port. All configuration settings specific to the port type are removed. For example, if you clear a MAP access point port, all MAP-specific settings are removed. Table 10 lists the default network port settings that MSS applies when you clear a port's type.

Table 10 Network port defaults

• receive-etherstats - Shows Ethernet statistics for received packets.
• transmit-etherstats - Shows Ethernet statistics for transmitted packets.
• port port-list - List of physical ports. If you do not specify a port list, MSS shows statistics for all ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Usage - You can specify one statistic type with the command.

Examples - The following command shows octet statistics for port 3:

=============================================================================

3 Up2796542034886544

This command's output has the same fields as the monitor port counters command. For descriptions of the fields, see Table 16 on page 84.

See Also

• clear port counters on page 71
• monitor port counters on page 82

display port-group

Shows port group information.

Syntax - display port-group [name group-name]

• name group-name - Shows information for the specified port group.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0. In Version 4.2 the option all was removed for simplicity. You can display information for all groups by entering the command without specifying a group name.

Examples - The following command displays the configuration of port group server2:

WX1200# display port-group name server2

Port group: server2 is up

Ports: 5, 7

Table 11 describes the fields in the display port-group output.

Table 11 Output for display port-group

See Also

• clear port-group on page 71
• set port-group on page 90

display port mirror

Displays the port mirroring configuration.

Syntax - display port mirror

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command displays the port mirroring configuration on the switch:

WX4400# display port mirror

Port 1 is mirrored to port 2

If port mirroring is not configured, the message in the following example is displayed instead:

WX4400# display port mirror

No ports are mirrored

See Also

• display port mirror on page 77
• set port mirror on page 92

display port poe

Displays status information for ports on which Power over Ethernet (PoE) is enabled.

Syntax - display port poe [port-list]

• port-list - List of physical ports. If you do not specify a port list, PoE information is displayed for all ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command displays PoE information for all ports on a WX1200 switch:

============================================================

Table 12 describes the fields in this display.

Table 12 Output for display port poe

this field displays off. For gigabit Ethernet ports, this field displays invalid, because PoE is not supported on gigabit Ethernet ports.

The value overcurrent indicates a PoE problem such as a short in the cable.

See Also

• set port poe on page 94

display port status

Displays configuration and status information for ports.

Syntax - display port status [port-list]

• port-list - List of physical ports. If you do not specify a port list, information is displayed for all ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command displays information for all ports on a WX1200 switch:

===============================================================================

Table 13 describes the fields in this display.

Table 13 Output for display port status

Syntax - display port media-type [port-list]

• port-list - List of physical ports. MSS displays the enabled interface types for all the specified ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 4.0.

Usage - This command applies only to the WX4400.

Examples - The following command displays the enabled interface types on all four ports of a WX4400 switch:

WX4400# display port media-type

Port Media Type

===========================================================

1 GBIC

2 RJ45

3 GBIC

4 GBIC

Table 14 describes the fields in this display.

Table 14 Output for display port media-type

counters

Syntax - monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]

• octets - Displays octet statistics first.
• packets - Displays packet statistics first.
• receive-errors - Displays errors in received packets first.
• transmit-errors - Displays errors in transmitted packets first.
• collisions - Displays collision statistics first.
• receive-etherstats - Displays Ethernet statistics for received packets first.
• transmit-etherstats - Displays Ethernet statistics for transmitted packets first.

Defaults - All types of statistics are displayed for all ports. MSS refreshes the statistics every 5 seconds. This interval cannot be configured. Statistics types are displayed in the following order by default:

• Octets
• Packets
• Receive errors
• Transmit errors
• Collisions
• Receive Ethernet statistics
• Transmit Ethernet statistics

Access - All.

History - Introduced in MSS Version 3.0.

Usage ??? Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each type.

If you use an option to specify a statistic type, the display begins with that statistic type. You can use one statistic option with the command.

Use the keys listed in Table 15 to control the monitor display.

Table 15 Key Controls for Monitor Port Counters Display

Field Description

Spacebar Advances to the next statistic type.

c Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.

For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors. Jumbo packets with valid CRCs are not counted. A short packet can be reported as a short packet, a CRC error, or an overrun. In some circumstances, the transmitted octets counter might increment a small amount for a port with nothing attached.

Examples - The following command starts the port statistics monitor beginning with octet statistics (the default):

WX4400# monitor port counters

As soon as you press Enter, MSS clears the window and displays statistics at the top of the window.

Port Status Rx Octets Tx Octets

===============================================================================

...

To cycle the display to the next set of statistics, press the Spacebar. In this example, packet statistics are displayed next:

Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast

===============================================================================

...

Table 16 describes the port statistics displayed by each statistics option.

The Port and Status fields are displayed for each option.

Table 16 Output for monitor port counters

See Also

• display port counters on page 75

• ap-number - Number for the Distributed MAP. The range of valid connection numbers depends on the WX switch model:
  • For a WX4400, you can specify a number from 1 to 256.
  • For a WX1200, you can specify a number from 1 to 30.
• serial-id serial-ID - MAP access point serial ID. The serial ID is listed on the MAP case. To show the serial ID using the CLI, use the display version details command.
• radiotype 11a | 11b | 11g - Radio type:
  • 11a - 802.11a
  • 11b - 802.11b
  • 11g - 802.11g

This option applies only to single-radio models.

Defaults - The default values are the same as the defaults for the set port type ap command.

Access - Enabled.

History - Introduced in MSS Version 3.0. New values for model option added in Version 4.1:

• AP3750
• AP2750
• mp-620

Version 6.0 renamed the dap command to ap.

Examples - The following command configures Distributed MAP 1 for MAP model AP2750 with serial-ID M9DE48B012F00:

WX4400# set ap 1 serial-id M9DE48B012F00 model ap2750
success: change accepted.

The following command removes Distributed MAP 1:

WX4400# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n) [n]y

See Also

• clear ap on page 70
• clear port type on page 74
• set port type ap on page 97
• set system countrycode on page 61

Syntax - set port {enable | disable} port-list

• enable - Enables the specified ports.
• disable - Disables the specified ports.
• port-list - List of physical ports. MSS disables or reenables all the specified ports.

Defaults - All ports are enabled.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.

Examples - The following command disables port 6:

WX1200# set port disable 6
success: set "disable" on port 6

The following command reenables the port:

WX1200# set port enable 6
success: set "enable" on port 6

See Also

• reset port on page 87

or off to disable the group. The group is enabled by default.

Defaults - Once configured, a group is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You can configure up to 8 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.

After you add a port to a port group, you cannot configure port parameters on the individual port. Instead, change port parameters on the entire group. Specify the group name instead of an individual port name or number in port configuration commands.

To add or remove ports in a group that is already configured, change the mode to off, add or remove the ports, then change the mode to on.

Examples - The following command configures a port group named server1 containing ports 1 through 5, and enables the link:

WX1200# set port-group name server1 1-5 mode on
success: change accepted.

The following commands disable the link for port group server1, change the list of ports in the group, and reenable the link:

WX1200# set port-group name server1 1-5 mode off
success: change accepted.

WX1200# set port-group name server1 1-4,7 mode on
success: change accepted.

See Also

• clear port-group on page 71
• display port-group on page 76
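The port-list notation and the off, change, on procedure above can be checked before a change is typed into the switch. This added Python example (not part of the 3Com documentation) expands a port list, enforces the 8-port limit, and produces the same two commands as the server1 example; the function names and the port_count argument, which the caller supplies for the switch model, are assumptions.

```python
import re

MAX_GROUP_PORTS = 8  # limit stated in the set port-group usage notes


def expand_port_list(port_list, port_count):
    """Expand an MSS port list such as '1-3,5' into sorted port numbers.

    port_count is the number of physical ports on the target switch and is
    supplied by the caller (assumption: ports are numbered from 1).
    """
    ports = set()
    for item in port_list.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if match is None:
            raise ValueError(f"bad port-list item {item!r}")
        first = int(match.group(1))
        last = int(match.group(2) or first)
        if first > last:
            raise ValueError(f"descending range {item!r}")
        if first < 1 or last > port_count:
            raise ValueError(f"{item!r} is outside ports 1..{port_count}")
        ports.update(range(first, last + 1))
    return sorted(ports)


def plan_group_change(name, current, wanted, port_count):
    """Validate a membership change and return the commands to review.

    Follows the documented order: turn the group off with its current
    ports, then turn it on with the new port list.
    """
    old = expand_port_list(current, port_count)
    new = expand_port_list(wanted, port_count)
    if len(new) > MAX_GROUP_PORTS:
        raise ValueError(
            f"{len(new)} ports requested, limit is {MAX_GROUP_PORTS}")
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "commands": [
            f"set port-group name {name} {current} mode off",
            f"set port-group name {name} {wanted} mode on",
        ],
    }


if __name__ == "__main__":
    # Same change as the server1 example, on an 8-port switch.
    plan = plan_group_change("server1", "1-5", "1-4,7", port_count=8)
    print("added:", plan["added"], "removed:", plan["removed"])
    for command in plan["commands"]:
        print(command)
```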

set port media-type

Disables the fiber interface and enables the copper interface on a WX4400 gigabit Ethernet port.

Syntax - set port media-type port-list rj45

• port-list - List of physical ports. MSS sets the preference on all the specified ports.
• rj45 - Uses the copper interface.

Defaults - The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - This command applies only to the WX4400.

If you set the port interface to RJ-45 on a port that already has an active fiber link, MSS immediately changes the link to the copper interface.

Examples - The following command disables the fiber interface and enables the copper interface on port 2:

WX4400# set port media-type 2 rj45

See Also

• clear port media-type on page 72
• display port media-type on page 81

See Also

• clear port name on page 72
• display port status on page 79

Syntax - set port port name name

• port - Number of a physical port. You can specify only one port.
• name name - Alphanumeric string of up to 16 characters, with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To simplify configuration and avoid confusion between a port's number and its name, 3Com recommends that you do not use numbers as port names.

Examples - The following command sets the name of port 7 to adminpool:

WX1200# set port 7 name adminpool
success: change accepted.

See Also

• clear port name on page 72
• display port status on page 79

set port negotiation

Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.

Syntax - set port negotiation port-list {enable | disable}

• port-list - List of physical ports. MSS disables or reenables autonegotiation on all the specified ports.
• enable - Enables autonegotiation on the specified ports.
• disable - Disables autonegotiation on the specified ports.

Defaults - Autonegotiation is enabled on all Ethernet ports by default.

History - Introduced in MSS Version 3.0.

Usage - This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch.

Examples - The following command disables PoE on ports 4 and 5, which are connected to a MAP access point:

WX1200# set port poe 4,5 disable
If you are enabling power on these ports, they must be connected only to approved PoE devices with the correct wiring. Do you wish to continue? (y/n) [n]y

The following command enables PoE on ports 4 and 5:

WX1200# set port poe 4,5 enable
If you are enabling power on these ports, they must be connected only to approved PoE devices with the correct wiring. Do you wish to continue? (y/n) [n]y

See Also

• set port type ap on page 97
• set port type wired-auth on page 100

Syntax - set port speed port-list {10 | 100 | 1000 | auto}

• port-list - List of physical ports. MSS sets the port speed on all the specified ports.
• 10 - Sets the port speed of a 10/100 Ethernet port to 10 Mbps and sets the operating mode to full-duplex.
• 100 - Sets the port speed of a 10/100 Ethernet port to 100 Mbps and sets the operating mode to full-duplex.
• 1000 - Sets the port speed of a gigabit Ethernet port to 1000 Mbps and sets the operating mode to full-duplex.
• auto - Enables a port to detect the speed and operating mode of the traffic on the link and set itself accordingly.

Defaults - All ports are set to auto.

Access - Enabled.

History - Introduced in MSS Version 3.0.

WX1200# set port trap 3-4 enable

See Also

• set ip snmp server on page 180
• set snmp community on page 185

set port type ap

Configures a WX switch port for a MAP access point.

CAUTION: When you set the port type for MAP use, you must specify the PoE state (enable or disable) of the port. Use the WX switch's PoE to power 3Com MAP access points only. If you enable PoE on a port connected to another device, physical damage to the device can result.

Before configuring a port as a MAP access point port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch. See "set system countrycode" on page 61.

For a MAP that is indirectly connected to the WX switch through an intermediate Layer 2 or Layer 3 network, use the set ap command to configure a Distributed MAP.

Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset the port with the clear port type command.

Syntax - set port type ap port-list model {ap2750 | ap3150 | ap3750 | ap7250 | ap8250 | ap8750 | mp-52 | mp-241 | mp-252 | mp-262 | mp-341 | mp-352 | mp-372 | mp-372-CN | mp-37-JP | mp-620} poe {enable | disable} [radiotype {11a | 11b | 11g}]

• port-list - List of physical ports.
• model {ap2750 | ap3150 | ap3750 | ap7250 | ap8250 | ap8750 | mp-52 | mp-241 | mp-252 | mp-262 | mp-341 | mp-352 | mp-372 | mp-372-CN | mp-37-JP | mp-620} - MAP access point model:
• poe enable | disable - Power over Ethernet (PoE) state.
• radiotype 11a | 11b | 11g - Radio type:
  • 11a - 802.11a
  • 11b - 802.11b
  • 11g - 802.11g

Defaults - All WX ports are network ports by default.

MAP access point models AP2750, MAP-241, and MAP-341 have a single radio that can be configured for 802.11a or 802.11b/g. Other MAP models have two radios. On two-radio models, one radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.

The radios in model MAP-620 require external antennas, and model MAP-262 requires an external antenna for the 802.11b/g radio. The following models have internal antennas but also have connectors for optional use of external antennas instead: AP2750, AP3150, AP3750, AP7250, AP8250, AP8750, MAP-372, MAP-372-CN, and MAP-372-JP. (Antenna support on a specific model is limited to the antennas certified for use with that model.) To specify the antenna model, use the set ap radio antennatype command.

Access - Enabled.

History - Introduced in MSS Version 3.0. New values for model options AP3750, AP2750 added in Version 4.1. New value for model option AP3150 added in Version 6.0.

Usage - You cannot set a port type if the port is a member of a port VLAN. To remove a port from a VLAN, use the clear vlan command. To reset a port as a network port, use the clear port type command.

When you change port type, MSS applies default settings appropriate for the port type. Table 17 lists the default settings that MSS applies when you set a port's type to ap.

Table 17 MAP Access Port Defaults

This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch or port 3 on the WX2200 switch.

To manage a MAP access point on a switch model that does not have 10/100 Ethernet ports, use the set ap command to configure a Distributed MAP connection on the switch.

Examples - The following command sets ports 1 through 3 and port 5 for MAP access point model AP2750 and enables PoE on the ports:

WX1200# set port type ap 1-3,5 model ap2750 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y

The following command sets ports 1 through 3 and port 5 for MAP access point model AP7250 and enables PoE on the ports:

WX1200# set port type ap 1-3,5 model ap7250 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y

The following command sets ports 1 through 3 and port 5 for MAP access point model AP8250 and enables PoE on the ports:

WX1200# set port type ap 1-3,5 model ap8250 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y

The following command sets ports 1 through 3 and port 5 for MAP access point model AP8750 and enables PoE on the ports:

WX1200# set port type ap 1-3,5 model ap8750 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y

The following command resets port 5 by clearing it:

WX1200# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.

Usage - You cannot set a port's type if the port is a member of a port VLAN. To remove a port from a VLAN, use the clear vlan command. To reset a port as a network port, use the clear port type command.

When you change port type, MSS applies default settings appropriate for the port type. Table 18 lists the default settings that MSS applies when you set a port's type to ap.

Table 18 Wired Authentication Port Details

For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03).

Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator's MAC address until the client is authenticated. Instead of sending traffic to the authenticator's MAC address, the client sends packets to the PAE group address.

The 802.1X specification prohibits networking devices from forwarding PAE group address packets, because this would make it possible for multiple authenticators to acquire the same client.

For non-802.1X clients, who use MAC authentication, WebAAA, or last-resort authentication, wired authentication works if the clients are directly attached or indirectly attached.

Examples - The following command sets port 2 for a wired authentication user:

WX1200# set port type wired-auth 2
success: change accepted

The following command sets port 7 for a wired authentication user and specifies a maximum of three simultaneous user sessions:

WX1200# set port type wired-auth 7 max-sessions 3
success: change accepted

See Also

• clear port type on page 74
• set port type ap on page 97
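Whether an intermediate device passes client 802.1X traffic, as the wired authentication usage notes above require, can be verified from a packet capture taken on the wired authentication port. This added Python example (not 3Com code) parses raw Ethernet frames, picks out EAPOL frames addressed to the PAE group address, and lists expected clients whose 802.1X frames never arrived. The client MAC addresses and the frames are constructed sample data, and the function names are assumptions.

```python
import struct

PAE_GROUP = bytes.fromhex("0180c2000003")  # PAE group address, 01:80:c2:00:00:03
ETH_EAPOL = 0x888E   # EtherType of EAP over LAN (802.1X)
ETH_VLAN = 0x8100    # 802.1Q tag, skipped when present
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start",
               2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame):
    """Describe an EAPOL frame, or return None for anything else."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:            # step over one 802.1Q tag
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_EAPOL or len(frame) < offset + 4:
        return None
    _version, ptype, _length = struct.unpack("!BBH", frame[offset:offset + 4])
    return {
        "src": fmt_mac(src),
        "dst": fmt_mac(dst),
        "to_pae_group": dst == PAE_GROUP,
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }


def clients_reaching_port(frames):
    """Source MACs whose EAPOL frames arrived addressed to the PAE group."""
    seen = set()
    for frame in frames:
        info = classify_frame(frame)
        if info and info["to_pae_group"]:
            seen.add(info["src"])
    return sorted(seen)


def missing_clients(frames, expected):
    """Expected client MACs with no EAPOL frame to the PAE group in the capture.

    A client listed here is attached but its 802.1X frames did not reach the
    port, which is what a device filtering the group address would cause.
    """
    reached = set(clients_reaching_port(frames))
    return sorted(m.lower() for m in expected if m.lower() not in reached)


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build a test frame; used only to construct the sample capture."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETH_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed capture: two clients send EAPOL-Start, a third sends only ARP.
CLIENT_A = bytes.fromhex("0011223344aa")
CLIENT_B = bytes.fromhex("0011223344bb")
CLIENT_C = bytes.fromhex("0011223344cc")
EAPOL_START = struct.pack("!BBH", 1, 1, 0)  # version 1, EAPOL-Start, no body
SAMPLE_CAPTURE = [
    build_frame(PAE_GROUP, CLIENT_A, ETH_EAPOL, EAPOL_START),
    build_frame(PAE_GROUP, CLIENT_B, ETH_EAPOL, EAPOL_START, vlan=20),
    build_frame(b"\xff" * 6, CLIENT_C, 0x0806, b"\x00" * 28),
]

if __name__ == "__main__":
    expected = [fmt_mac(m) for m in (CLIENT_A, CLIENT_B, CLIENT_C)]
    print("reached port:", clients_reaching_port(SAMPLE_CAPTURE))
    print("missing:", missing_clients(SAMPLE_CAPTURE, expected))
```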

Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain.


Table 19 VLAN Commands by Usage (continued)

History - Introduced in MSS Version 3.0.

Usage - You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN name or number is required for deleting permanent or static entries.

Examples - The following command clears all static forwarding database entries that match VLAN blue:

WX4400# clear fdb static vlan blue
success: change accepted.

The following command clears all dynamic forwarding database entries that match all VLANs:

WX4400# clear fdb dynamic
success: change accepted.

The following command clears all dynamic forwarding database entries that match ports 3 and 5:

WX4400# clear fdb port 3,5
success: change accepted.

• all - Removes all MAC addresses from the list.

Defaults - If you do not specify a list of MAC addresses or all, all addresses are removed.

Syntax - clear vlan vlan-id [port port-list [tag tag-value]]

• vlan-id - VLAN name or number.
• port port-list - List of physical ports. MSS removes the specified ports from the VLAN. If you do not specify a list of ports, MSS removes the VLAN entirely.
• tag tag-value - Tag number that identifies a virtual port. MSS removes only the specified virtual port from the specified physical ports.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - If you do not specify a port-list, the entire VLAN is removed from the configuration.

You cannot delete the default VLAN but you can remove ports from it. To remove ports from the default VLAN, use the port port-list option.

Examples - The following command removes port 1 from VLAN green:

WX4400# clear vlan green port 1
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.

The following command removes port 4, which uses tag value 69, from VLAN red:

WX1200# clear vlan red port 4 tag 69
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.

The following command completely removes VLAN marigold:

WX4400# clear vlan marigold
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.

See Also

• set vlan port on page 125
• display vlan config on page 118

clear vlan-profile

Removes a VLAN profile or individual entries from a VLAN profile.

Syntax - clear vlan-profile profile-name [vlan vlan-name]

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - A VLAN profile lists the VLANs for which traffic is locally switched by MAPs where the VLAN profile is applied. Use this command to remove individual VLANs from a VLAN profile, or to remove an entire VLAN profile. If you remove all of the entries from a VLAN profile, the VLAN profile itself is removed.

• profile-name - VLAN profile name.
• vlan-name - Name of a VLAN to remove from the VLAN profile.

If a VLAN profile is changed so that traffic that had been tunneled to a WX switch is now locally switched by MAPs, or vice versa, the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated, and the clients must re-associate with the MAPs.

Examples - The following command removes the entry for VLAN red from VLAN profile locals:

WX# clear vlan-profile locals vlan red
WX#

The following command removes VLAN profile locals:

WX# clear vlan-profile locals
WX#

See Also

• display vlan-profile on page 120
• set ap local-switching vlan-profile on page 380
• set vlan profile on page 127

Syntax - display fdb [mac-addr-glob [vlan vlan-id]]

display fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id]

• mac-addr-glob - A single MAC address or set of MAC addresses. Specify a MAC address, or use the wildcard character (*) to specify a set of MAC addresses. (For details, see "MAC Address Globs" on page 31.)
• vlan vlan-id - Name or number of a VLAN for which to display entries.
• perm - Displays permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
• static - Displays static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
• dynamic - Displays dynamic entries. A dynamic entry is automatically removed through aging or after a reboot, reset, or power cycle.
• system - Displays system entries. A system entry is added by MSS. For example, the authentication protocols can add entries for wired and wireless authentication users.
• all - Displays all entries in the database, or all the entries that match a particular port or ports or a particular VLAN.
• port port-list - Destination port(s) for which to display entries.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Usage - To display the entire forwarding database, enter the display fdb command without options. To display only a portion of the database, use optional parameters to specify the types of entries you want to display.

Examples - The following command displays all entries in the forwarding database:

Total Matching FDB Entries Displayed = 3

The top line of the display identifies the characters to distinguish among the entry types.

The following command displays all entries that begin with the MAC address glob 00:

Total Matching FDB Entries Displayed = 2

- vlan vlan-id – VLAN name or number. If you do not specify a VLAN, the aging timeout period for each VLAN is displayed.

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.

Examples – The following command displays the aging timeout period for all VLANs:

WX1200# display fdb agingtime


VLAN 2 aging time = 600 sec

VLAN 1 aging time = 300 sec

Because the forwarding database aging timeout period can be configured only on an individual VLAN basis, the command lists the aging timeout period for each VLAN separately.

See Also

- set fdb agingtime on page 122

display fdb count Lists the number of entries in the forwarding database.

Syntax – display fdb count {perm | static | dynamic} [vlan vlan-id]

- perm – Lists the number of permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.

- static – Lists the number of static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.

- dynamic – Lists the number of dynamic entries. A dynamic entry is automatically removed through aging or after a reboot, reset, or power cycle.

- vlan vlan-id – VLAN name or number. Entries are listed for only the specified VLAN.

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.

The following command lists the number of dynamic entries that the forwarding database contains:

WX1200# display fdb count dynamic

Total Matching Entries = 2

See Also

- display fdb on page 109

display roaming station 113

Examples – To display all stations roaming to the WX switch, type the following command:

Table 21 describes the fields in the display.

Table 21 Output for display roaming station


See Also

- display roaming vlan on page 115


display roaming vlan Shows all VLANs in the mobility domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs.

Syntax – display roaming vlan

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command shows the current roaming VLANs:

Table 22 describes the fields in the display.

Table 22 Output for display roaming vlan

See Also

- display roaming station on page 113

- display vlan config on page 118


Table 23 describes the fields in the display.

Table 23 Output for display security l2-restrict

command.

Syntax – display tunnel

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – To display all tunnels from a WX switch to other WX switches in the Mobility Domain, type the following command.

Table 24 describes the fields in the display.

Table 24 Output for display tunnel


See Also

- display vlan config on page 118

Syntax – display vlan config [vlan-id]

- vlan-id – VLAN name or number. If you do not specify a VLAN, information for all VLANs is displayed.

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.

Examples – The following command displays information for VLAN burgundy:


Table 25 describes the fields in this display.

Table 25 Output for display vlan config

See Also

- clear security l2-restrict on page 105

- set security l2-restrict on page 123

- set vlan port on page 125

- set vlan tunnel-affinity on page 126


display vlan-profile Displays the contents of the VLAN profiles configured on the WX switch. A VLAN profile lists the VLANs for which traffic is locally switched by MAPs where the VLAN profile is applied.

Syntax – display vlan-profile [profile-name]

- profile-name – VLAN profile name

Defaults – If a profile-name is not specified, the contents of all VLAN profiles configured on the WX switch are displayed.

Access – All.

History – Introduced in MSS Version 6.0.

Examples – The following command displays the contents of VLAN profile locals:

WX# display vlan-profile locals

vlan-profile: locals

Table 26 describes the fields in the display vlan-profile output.

Table 26 Output for display vlan-profile

See Also

- clear vlan-profile on page 108

- set ap local-switching vlan-profile on page 380

- set vlan profile on page 127

set fdb 121

Syntax – set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]

- perm – Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.

- static – Adds a static entry. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.

- mac-addr – Destination MAC address of the entry. Use colons to separate the octets (for example, 00:11:22:aa:bb:cc).

- port port-list – List of physical destination ports for which to add the entry. A separate entry is added for each port you specify.

- vlan vlan-id – Name or number of a VLAN of which the port is a member. The entry is added only for the specified VLAN.

- tag tag-value – VLAN tag value that identifies a virtual port. You can specify a number from 1 through 4095. If you do not specify a tag value, an entry is created for an untagged interface only. If you specify a tag value, an entry is created only for the specified tagged interface.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – You cannot add a multicast or broadcast address as a permanent or static FDB entry.

Examples – The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on ports 3 and 5 in VLAN blue:

WX1200# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue

success: change accepted.

The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN:

WX4400# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default

success: change accepted.


See Also

- clear fdb on page 104

- display fdb on page 109

set fdb agingtime Changes the aging timeout period for dynamic entries in the forwarding database.

Syntax – set fdb agingtime vlan-id age seconds

- vlan-id – VLAN name or number. The timeout period change applies only to entries that match the specified VLAN.

- age seconds – Value for the timeout period, in seconds. You can specify a value from 0 through 1,000,000. If you change the timeout period to 0, aging is disabled.

Defaults – The aging timeout period is 300 seconds (5 minutes).

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command changes the aging timeout period to 600 seconds for entries that match VLAN orange:

WX4400# set fdb agingtime orange age 600

success: change accepted.

See Also

- display fdb agingtime on page 111

set security l2-restrict 123

- vlan-id – VLAN name or number.

- mode {enable | disable} – Enables or disables restriction of Layer 2 forwarding.

- permit-mac mac-addr – MAC addresses to which clients are

Defaults – Layer 2 restriction is disabled by default.

Access – Enabled.

History – Introduced in MSS Version 4.1.

Usage – You can specify multiple addresses by listing them on the same command line or by entering multiple commands. To change a MAC address, use the clear security l2-restrict command to remove it, then use the set security l2-restrict command to add the correct address.

Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode enable option with this command.

Examples – The following command restricts Layer 2 forwarding of client data in VLAN abc_air to the gateway routers with MAC addresses aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66:

WX4400# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66

success: change accepted.

See Also

- clear security l2-restrict on page 105

- clear security l2-restrict counters on page 106

- display security l2-restrict on page 116
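Because restriction does not begin until the permitted MAC list is enabled, a VLAN can carry a permit-mac list that is never enforced. The following Python script is an added example, not 3Com code: it merges the set security l2-restrict lines of a saved configuration (the sample below is constructed) and reports each VLAN's state. The function names, the rule that the last mode seen wins, and the free ordering of the mode and permit-mac options are assumptions.

```python
import re

# Colon-separated octets, the MAC notation this reference uses.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
PREFIX = ["set", "security", "l2-restrict", "vlan"]

# Constructed sample configuration lines (not captured from a real switch).
SAMPLE_CONFIG = """\
set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
set security l2-restrict vlan guest permit-mac 00:11:22:aa:bb:cc
set security l2-restrict vlan guest permit-mac 00:11:22:aa:bb:dd
set security l2-restrict vlan lab mode enable
set security l2-restrict vlan voice permit-mac 00:2b:3c:4d:5e mode enable
"""


def parse_l2_restrict(config_text):
    """Merge every 'set security l2-restrict' line into per-VLAN state."""
    vlans = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[:4] != PREFIX:
            continue
        # Layer 2 restriction is disabled until a command enables it.
        state = vlans.setdefault(
            tokens[4], {"mode": "disable", "macs": [], "bad": []})
        i = 5
        while i < len(tokens):
            if tokens[i] == "mode" and tokens[i + 1:i + 2] in (["enable"], ["disable"]):
                state["mode"] = tokens[i + 1]  # assumption: last mode seen wins
                i += 2
            elif tokens[i] == "permit-mac":
                i += 1
                # Addresses accumulate across one line or several commands.
                while i < len(tokens) and tokens[i] not in ("mode", "permit-mac"):
                    mac = tokens[i].lower()
                    if not MAC_RE.match(mac):
                        state["bad"].append(tokens[i])
                    elif mac not in state["macs"]:
                        state["macs"].append(mac)
                    i += 1
            else:
                state["bad"].append(tokens[i])
                i += 1
    return vlans


def audit(vlans):
    """Classify each VLAN so unenforced or malformed entries stand out."""
    findings = {}
    for name, state in vlans.items():
        if state["bad"]:
            findings[name] = "invalid-tokens"        # fix the line before trusting it
        elif state["mode"] == "enable" and state["macs"]:
            findings[name] = "enforcing"
        elif state["mode"] == "enable":
            findings[name] = "enabled-empty-list"    # review: no permitted MAC configured
        elif state["macs"]:
            findings[name] = "list-not-enforced"     # permit list exists, mode never enabled
        else:
            findings[name] = "disabled"
    return findings


if __name__ == "__main__":
    for vlan, verdict in audit(parse_l2_restrict(SAMPLE_CONFIG)).items():
        print(f"{vlan:10s} {verdict}")
```
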


Syntax – set vlan vlan-num name name

- vlan-num – VLAN number. You can specify a number from 2 through 4093.

- name – String up to 16 alphabetic characters long.

Defaults – VLAN 1 is named default by default. No other VLANs have default names.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – You must assign a name to a VLAN (other than the default VLAN) before you can add ports to the VLAN.

3Com recommends that you do not use the name default. This name is already used for VLAN 1. 3Com also recommends that you do not rename the default VLAN.

You cannot use a number as the first character in a VLAN name. It is recommended that you do not use the same name with different capitalizations for VLANs. For example, do not configure two separate VLANs with the names red and RED.

VLAN names are case-sensitive for RADIUS authorization when a client roams to a wireless LAN switch. If the WX switch is not configured with the VLAN the client is on, but is configured with a VLAN that has the same spelling but different capitalization, authorization for the client fails. For example, if the client is on VLAN red but the WX switch to which the client roams has VLAN RED instead, RADIUS authorization fails.

Examples – The following command assigns the name marigold to VLAN 3:

WX4400# set vlan 3 name marigold

success: change accepted.

See Also

- set vlan port on page 125
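The capitalization rule above can be checked before clients roam. The following Python script is an added example, not 3Com code: it reads the set vlan ... name lines of several switches (the sample configurations and the switch names wx-a and wx-b are constructed) and reports both naming-rule violations and the roam pairs where RADIUS authorization would fail because only the capitalization differs. The function names are assumptions.

```python
import re

SET_VLAN = re.compile(r"^set vlan (\d+) name (\S+)$")

# Constructed sample configurations for two switches in one mobility domain.
SAMPLE_CONFIGS = {
    "wx-a": "set vlan 3 name red\nset vlan 4 name marigold\n",
    "wx-b": ("set vlan 3 name RED\nset vlan 4 name marigold\n"
             "set vlan 5 name 9lives\nset vlan 6 name default\n"),
}


def parse_vlans(config_text):
    """Return {vlan_number: name} from 'set vlan <num> name <name>' lines."""
    vlans = {}
    for line in config_text.splitlines():
        match = SET_VLAN.match(line.strip())
        if match:
            vlans[int(match.group(1))] = match.group(2)
    return vlans


def rule_violations(vlans):
    """Check the numbering and naming rules stated for set vlan."""
    problems = []
    for num, name in sorted(vlans.items()):
        if not 2 <= num <= 4093:
            problems.append((num, name, "number outside 2-4093"))
        if len(name) > 16:
            problems.append((num, name, "name longer than 16 characters"))
        if name[0].isdigit():
            problems.append((num, name, "name starts with a digit"))
        if name == "default":
            problems.append((num, name, "name default is already used for VLAN 1"))
    return problems


def roam_mismatches(configs):
    """Find roams that fail authorization because only capitalization differs.

    A finding (vlan, from_switch, to_switch, lookalike) means a client on
    `vlan` at `from_switch` roams to `to_switch`, which lacks that exact
    name but has `lookalike`, the same spelling in different capitalization.
    """
    names = {sw: set(parse_vlans(text).values()) for sw, text in configs.items()}
    findings = []
    for src, src_names in names.items():
        for dst, dst_names in names.items():
            if src == dst:
                continue
            for vlan in src_names - dst_names:
                for other in dst_names:
                    if other.lower() == vlan.lower():
                        findings.append((vlan, src, dst, other))
    return sorted(findings)


if __name__ == "__main__":
    for switch, text in SAMPLE_CONFIGS.items():
        for problem in rule_violations(parse_vlans(text)):
            print(switch, problem)
    for finding in roam_mismatches(SAMPLE_CONFIGS):
        print("roam fails:", finding)
```
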

set vlan port 125

See Also

- clear security l2-restrict on page 105

- display vlan config on page 118

- set security l2-restrict on page 123


Syntax – set vlan vlan-id tunnel-affinity num

- vlan-id – VLAN name or number.

- num – Preference of this switch for forwarding user traffic for the VLAN. You can specify a value from 1 through 10. A higher number indicates a greater preference.

Defaults – Each VLAN on a WX switch's network ports has an affinity value of 5 by default.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – Increasing a WX switch's affinity value increases the WX's preferability for forwarding user traffic for the VLAN.

If more than one WX switch has the highest affinity value, MSS randomly selects one of the WX switches for the tunnel.

Examples – The following command changes the VLAN affinity for VLAN beige to 10:

WX4400# set vlan beige tunnel-affinity 10

success: change accepted.

See Also

- display roaming vlan on page 115

- display vlan config on page 118

set vlan profile 127

See Also

- display fdb on page 109

- display vlan-profile on page 120

- clear vlan-profile on page 108


Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet prioritization ensures that WX switches and MAP access points give preferential treatment to high-priority traffic such as voice and video.

(To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See "Security ACL Commands" on page 537.)

130CHAPTER 6: QUALITY OF SERVICE COMMANDS

- Classify inbound packets by mapping their DSCP values to one of eight internal QoS values

- Classify outbound packets by marking their DSCP values based on the switch's internal QoS values

Syntax – clear qos [cos-to-dscp-map [from-qos] | dscp-to-cos-map [from-dscp]]

- cos-to-dscp-map – Resets the mapping between the specified internal QoS value and the DSCP values with which MSS marks outbound packets. QoS values are from 0 to 7.

- dscp-to-cos-map – Resets the mapping between the specified range of DSCP values and internal QoS value with which MSS classifies inbound packets.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.1.

Usage – To reset all mappings to their default values, use the clear qos command without the optional parameters.

Examples – The following command resets all QoS mappings:

WX1200# clear qos

success: change accepted.

The following command resets the mapping used to classify packets with DSCP value 44:

WX1200# clear qos dscp-to-cos-map 44

success: change accepted.

set qos cos-to-dscp-map 131


display qos 133


See Also

- display qos dscp-table on page 134


See Also

- display qos on page 133

Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a route.

display ip telnet on page 158

clear ip telnet on page 141

136 CHAPTER 7: IP SERVICES COMMANDS

Table 28 IP Services Commands by Usage (continued)


clear interface Removes an IP interface.

Syntax – clear interface vlan-id ip

- vlan-id – VLAN name or number

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – If the interface you want to remove is configured as the system IP address, removing the address can interfere with system tasks using the system IP address, including the following:

- Mobility domain operations


- Topology reporting for dual-homed MAP access points

- Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps

Examples – The following command removes the IP interface configured on VLAN mauve:

WX1200# clear interface mauve ip

success: cleared ip on vlan mauve

See Also

- set interface on page 170

- set interface dhcp-client on page 171

- display interface on page 152

Syntax – clear ip alias name

- name – Alias name

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command removes the alias server1:

WX1200# clear ip alias server1

success: change accepted.

See Also

- display ip alias on page 153


clear ip dns domain Removes the default DNS domain name.

Syntax – clear ip dns domain

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command removes the default DNS domain name from a WX switch:

WX1200# clear ip dns domain

Default DNS domain name cleared.

See Also

- clear ip dns server on page 139

- display ip dns on page 154

- set ip dns on page 175

- set ip dns domain on page 175

- set ip dns server on page 176

clear ip dns server Removes a DNS server from a WX switch configuration.

Syntax – clear ip dns server ip-addr

- ip-addr – IP address of a DNS server.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command removes DNS server 10.10.10.69 from a WX configuration:

WX4400# clear ip dns server 10.10.10.69

success: change accepted.


See Also

- display ip route on page 156

- set ip route on page 178

clear ip telnet 141

See Also

- display ip https on page 155

- display ip telnet on page 158

- set ip https server on page 177

- set ip telnet on page 181

- set ip telnet server on page 182

Syntax – clear ntp server {ip-addr | all}

- ip-addr – IP address of the server to remove, in dotted decimal notation.

- all – Removes all NTP servers from the configuration.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.


See Also

- clear ntp server on page 141

- display ntp on page 159

- set ntp on page 183

- set ntp server on page 184

- set ntp update-interval on page 185

clear snmp community 143


Examples – The following command clears SNMPv3 user snmpmgr1:

WX1200# clear snmp usm snmpmgr1

success: change accepted.

See Also

- set snmp usm on page 199

- display snmp usm on page 164

clear summertime Clears the summertime setting from a WX.

Syntax – clear summertime

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – To clear the summertime setting from a WX, type the following command:

WX1200# clear summertime

success: change accepted.

See Also

- clear timezone on page 146

- display summertime on page 164

- display timedate on page 165

- display timezone on page 165

- set summertime on page 202

- set timedate on page 204

- set timezone on page 205


Examples – To return the WX real-time clock to UTC, type the following command:

WX4400# clear timezone

success: change accepted.

See Also

- clear summertime on page 145

- set summertime on page 202

- set timedate on page 204

- set timezone on page 205

- display summertime on page 164

- display timedate on page 165

- display timezone on page 165

Syntax – display arp [ip-addr]

- ip-addr – IP address.

Defaults – If you do not specify an IP address, the entire ARP table is displayed.

Usage – All.

History – Introduced in MSS Version 3.0.

Examples – The following command displays ARP entries:

WX4400# display arp

ARP aging time: 1200 seconds


Table 29 describes the fields in this display.

Table 29 Output for display arp

See Also

- set arp on page 168

- set arp agingtime on page 169

display dhcp-client Displays DHCP client information for all VLANs.

Syntax – display dhcp-client

Defaults – None.

Access – All.

History – Introduced in MSS Version 4.0.


Examples – The following command displays DHCP client information:

Table 30 describes the fields in this display.

Table 30 Output for display dhcp-client

See Also

- set interface dhcp-client on page 171

display dhcp-server Displays MSS DHCP server information.

Syntax – display dhcp-server [interface vlan-id] [verbose]

- interface vlan-id – Displays the IP addresses leased by the specified VLAN.

- verbose – Displays configuration and status information for the MSS DHCP server.

Defaults – None.

Access – All.

History – Introduced in MSS Version 4.0.

Examples – The following command displays the addresses leased by the MSS DHCP server:

The following command displays configuration and status information for each VLAN on which the DHCP server is configured:

WX1200# display dhcp-server verbose


Table 31 and Table 32 describe the fields in these displays.

Table 31 Output for display dhcp-server

DHCP server on the subnet. This is the initial state of the MSS DHCP server. The MSS DHCP server remains in this state if another DHCP server is detected.

- CHECKING – MSS is using ARP to verify whether the address is available.

- OFFERING – MSS offered the address to the client and is waiting for the client to send a DHCPREQUEST for the address.

- BOUND – The client accepted the address.

- HOLDING – The address is already in use and is therefore unavailable.


Table 32 Output for display dhcp-server verbose

See Also

- set interface dhcp-server on page 172

display interface Displays the IP interfaces configured on the WX.

Syntax – display interface [vlan-id]

- vlan-id – VLAN name or number.

Defaults – If you do not specify a VLAN ID, interfaces for all VLANs are displayed.

Usage – All.

History – Introduced in MSS Version 3.0.

Examples – The following command displays all the IP interfaces configured on a WX switch:

Table 33 describes the fields in this display.

display ip alias 153

Table 33 Output for display interface

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command displays all the aliases configured on a WX switch:

WX4400# display ip alias


Table 34 describes the fields in this display.

Table 34 Output for display ip alias

Examples – The following command displays the DNS information:


Table 35 describes the fields in this display.

Table 35 Output for display ip dns

Field | Description

Domain Name | Default domain name configured on the WX switch

display ip https 155


Table 36 describes the fields in this display.


Table 36 Output for display ip https

HTTPS is set to use port | TCP port number on which the WX switch listens for HTTPS connections.

See Also

- clear ip telnet on page 141

- display ip telnet on page 158

- set ip https server on page 177

- set ip telnet on page 181

- set ip telnet server on page 182

Syntax – display ip route [destination]

- destination – Route destination IP address, in dotted decimal notation.

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.


Usage – When you add an IP interface to a VLAN that is up, MSS adds direct and local routes for the interface to the route table. If the VLAN is down, MSS does not add the routes. If you add an interface to a VLAN but the routes for that interface do not appear in the route table, use the display vlan config command to check the VLAN state.

If you add a static route and the route's state is shown as Down, use the display interface command to verify that the route has an IP interface in the gateway router's subnet. MSS cannot resolve a static route unless one of the WX switch's VLANs has an interface in the gateway router's subnet. If the WX switch has such an interface but the static route is still down, use the display vlan config command to check the state of the VLAN's ports.

Examples – The following command shows all routes in a WX IP route table:

Table 37 describes the fields in this display.

Table 37 Output of display ip route

Field | Description

Destination/Mask | IP address and subnet mask of the route destination.


See Also

- clear ip route on page 140

- display interface on page 152

- display vlan config on page 118

- set interface on page 170

- set ip route on page 178

display ip telnet Shows information about the Telnet management port.

Syntax – display ip telnet

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.


Examples – The following command shows the status and port number for the Telnet management interface to the WX switch:

WX4400> display ip telnet

Table 38 describes the fields in this display.

Table 38 Output for display ip telnet

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.


Examples – To display NTP information for a WX switch, type the following command:

WX4400> display ntp

NTP client: enabled

Current update-interval: 20(secs)

Current time: Fri Feb 06 2004, 12:02:57

Timezone is set to 'PST', offset from UTC is -8:0 hours. Summertime is enabled.

Last NTP update: Fri Feb 06 2004, 12:02:46

NTP Server Peer state Local State

---------------------------------------------------

192.168.1.5 SYSPEER SYNCED

Table 39 describes the fields in this display.

Table 39 Output for display ntp

Current update-interval | Number of seconds between queries sent by the WX to the NTP servers for updates.

display snmp community 161


community

Syntax – display snmp community

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.0.


counters

Syntax – display snmp counters

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.0.

display snmp notify profile Displays SNMP notification profiles.

Syntax – display snmp notify profile

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.0.

See Also

- clear snmp notify profile on page 143

- set snmp notify profile on page 187

display snmp notify target Displays SNMP notification targets.

Syntax – display snmp notify target

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.0.


See Also

- clear snmp notify target on page 144

- set snmp notify target on page 192

display snmp status Displays SNMP version and status information.

Syntax – display snmp status

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 4.0.

See Also

- set snmp community on page 185

- set snmp notify target on page 192

- set snmp notify profile on page 187

- set snmp protocol on page 197

- set snmp security on page 198

- set snmp usm on page 199

- display snmp community on page 161

- display snmp counters on page 162

- display snmp notify profile on page 162

- display snmp notify target on page 162

- display snmp usm on page 164


Examples – To display the summertime setting on a WX, type the following command:

WX1200# display summertime

Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October.

See Also

- clear summertime on page 145

- clear timezone on page 146

- display timedate on page 165

- display timezone on page 165

- set summertime on page 202

- set timedate on page 204

- set timezone on page 205

display timedate Shows the date and time of day currently set on a WX real-time clock.

Syntax – display timedate

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.

Examples – To display the time and date set on a WX real-time clock, type the following command:

WX1200# display timedate

Sun Feb 29 2004, 23:59:02 PST

See Also

- clear summertime on page 145

- clear timezone on page 146

- display summertime on page 164

- display timezone on page 165

- set summertime on page 202

- set timedate on page 204

- set timezone on page 205

display timezone Displays the time offset for the real-time clock from UTC on a WX.

Syntax – display timezone

Defaults – None.

Access – All.

History – Introduced in MSS Version 3.0.


ping 167

Because the WX switch adds header information, the ICMP packet size is 8 bytes larger than the size you specify.

- source-ip ip-addr – IP address, in dotted decimal notation, to use as the source IP address in the ping packets.

- source-ip vlan-name – VLAN name to use as the ping source. MSS uses the IP address configured on the VLAN as the source IP address in the ping packets.

Defaults

- count – 5.

- dnf – Disabled.

- interval – 100 (one tenth of a second)

- size – 56.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – To stop a ping command that is in progress, press Ctrl+C.

Examples – The following command pings a WX switch that has IP address 10.1.1.1:

See Also

- traceroute on page 207


See Also

- set arp agingtime on page 169

- telnet on page 206


set arp agingtime Changes the aging timeout for dynamic ARP entries.

Syntax – set arp agingtime seconds

- seconds – Number of seconds an entry can remain unused before MSS removes the entry. You can specify from 0 through 1,000,000. To disable aging, specify 0.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Usage – Aging applies only to dynamic entries.

To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.

Examples – The following command changes the ARP aging timeout to 1800 seconds:

WX1200# set arp agingtime 1800

success: set arp aging time to 1800 seconds

The following command disables ARP aging:

WX1200# set arp agingtime 0

success: set arp aging time to 0 seconds

See Also

- set arp on page 168

- telnet on page 206


If an interface is already configured on the specified VLAN, this command replaces the interface. If you replace an interface in use as the system IP address, replacing the interface can interfere with system tasks that use the system IP address, including the following:

- Mobility domain operations

- Topology reporting for dual-homed MAP access points

- Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps

Examples – The following command configures IP interface 10.10.10.10/24 on VLAN default:

WX1200# set interface default ip 10.10.10.10/24

success: set ip address 10.10.10.10 netmask 255.255.255.0 on vlan default

The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve:

WX1200# set interface mauve ip 10.10.20.10 255.255.255.0

success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve

WX1200# set interface corpvlan ip dhcp-client enable

success: change accepted.


Defaults – The DHCP server is enabled by default on a new (unconfigured) WXR100, in order to provide an IP address to the host connected to the WX for access to the Web Quick Start. On all switch models, the DHCP server is enabled and cannot be disabled for directly connected MAPs.

The DHCP server is disabled by default for any other use.


Access – Enabled.

History – Introduced in MSS Version 4.0.

Usage – By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet. The IP interface of the VLAN must be within the same subnet but is not required to be within the range.

Examples – The following command enables the DHCP server on VLAN red-vlan to serve addresses from the 192.168.1.5 to 192.168.1.25 range:

WX1200# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop 192.168.1.25

success: change accepted.

See Also

- display dhcp-server on page 150

- set ip dns domain on page 175

- set ip dns server on page 176
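The range rules in the usage note above can be checked before the command is entered. The following Python function is an added example, not 3Com code: it validates a start/stop pair against a VLAN's IP interface, or computes the default pool when no range is given. The interface address 192.168.1.1/24 for red-vlan is constructed, the function name is an assumption, and two readings are assumed: the default pool is taken to exclude the subnet's network and broadcast addresses plus the interface's own address, and the interface's address is not counted as leasable when it falls inside an explicit range.

```python
import ipaddress


def check_dhcp_range(interface, start=None, stop=None):
    """Validate a dhcp-server range for a VLAN interface given as 'addr/prefix'.

    Returns a dict with the verdict, the problems found, the first and last
    address of the pool, the number of leasable addresses, and whether the
    interface's own address lies inside the pool.
    """
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    if (start is None) != (stop is None):
        raise ValueError("give both start and stop, or neither")
    if net.num_addresses < 4:
        raise ValueError(f"{net} is too small to hold a DHCP pool")

    problems = []
    if start is None:
        # Default pool: every address between the network and broadcast
        # addresses; the interface's own address is subtracted below.
        first = net.network_address + 1
        last = net.broadcast_address - 1
    else:
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(stop)
        # All addresses must be in the same subnet as the VLAN's interface.
        for label, addr in (("start", first), ("stop", last)):
            if addr not in net:
                problems.append(f"{label} {addr} is outside {net}")
        # The start address must be lower than the stop address.
        if first >= last:
            problems.append(f"start {first} is not lower than stop {last}")

    # The interface may sit inside or outside the range; both are allowed.
    iface_in_range = first <= iface.ip <= last
    size = 0
    if not problems:
        size = int(last) - int(first) + 1 - (1 if iface_in_range else 0)
    return {
        "ok": not problems,
        "problems": problems,
        "first": str(first),
        "last": str(last),
        "size": size,
        "interface_in_range": iface_in_range,
    }


if __name__ == "__main__":
    # The range from the example command, on a constructed interface address.
    print(check_dhcp_range("192.168.1.1/24", "192.168.1.5", "192.168.1.25"))
    # Reversed range: rejected because start is not lower than stop.
    print(check_dhcp_range("192.168.1.1/24", "192.168.1.25", "192.168.1.5"))
```
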

set interface status Administratively disables or reenables an IP interface.

Syntax – set interface vlan-id status {up | down}

- vlan-id – VLAN name or number.

- up – Enables the interface.

- down – Disables the interface.

Defaults – IP interfaces are enabled by default.

Access – Enabled.

History – Introduced in MSS Version 3.0.


Examples – The following command disables the IP interface on VLAN mauve:

WX4400# set interface mauve status down

success: set interface mauve to down

See Also

- clear interface on page 137

- display interface on page 152

- set interface on page 170

Syntax – set ip alias name ip-addr

- name – String of up to 32 alphanumeric characters, with no spaces.

- ip-addr – IP address in dotted decimal notation.

Defaults – None.

Access – Enabled.

History – Introduced in MSS Version 3.0.

Examples – The following command configures the alias HR1 for IP address 192.168.1.2:

WX4400# set ip alias HR1 192.168.1.2

success: change accepted.

See Also

- clear ip alias on page 138

- display ip alias on page 153

Syntax - set ip dns {enable | disable}

• enable - Enables DNS.
• disable - Disables DNS.

Defaults - DNS is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command enables DNS on a WX switch:

WX1200# set ip dns enable
Start DNS Client

See Also

• clear ip dns domain on page 139
• clear ip dns server on page 139
• display ip dns on page 154
• set ip dns domain on page 175
• set ip dns server on page 176

set ip dns domain Configures a default domain name for DNS queries. The WX appends the default domain name to domain names or hostnames you enter in commands.

Syntax - set ip dns domain name

• name - Domain name of between 1 and 64 alphanumeric characters with no spaces (for example, example.org).

Defaults - None.

Access - Enabled.

Usage - To override the default domain name when entering a hostname in a CLI command, enter a period at the end of the hostname. For example, if the default domain name is example.com, enter chris. if the fully qualified hostname is chris and not chris.example.com.

Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with that name first, before using DNS to resolve the name.

Examples - The following command configures the default domain name example.com:

WX1200# set ip dns domain example.com
Domain name changed

See Also

• clear ip dns domain on page 139
• clear ip dns server on page 139
• display ip dns on page 154
• set ip dns on page 175
• set ip dns server on page 176

set ip dns server Specifies a DNS server to use for resolving hostnames you enter in CLI commands.

Syntax - set ip dns server ip-addr {primary | secondary}

• ip-addr - IP address of a DNS server, in dotted decimal or CIDR notation.
• primary - Makes the server the primary server, which MSS always consults first for resolving DNS queries.
• secondary - Makes the server a secondary server. MSS consults a secondary server only if the primary server does not reply.

Defaults - None.

Access - Enabled.

Usage - You can configure a WX to use one primary DNS server and up to five secondary DNS servers.

Examples - The following commands configure a WX to use a primary DNS server and two secondary DNS servers:

WX1200# set ip dns server 10.10.10.50/24 primary
success: change accepted.
WX1200# set ip dns server 10.10.20.69/24 secondary
success: change accepted.
WX1200# set ip dns server 10.10.30.69/24 secondary
success: change accepted.

See Also

• clear ip dns domain on page 139
• clear ip dns server on page 139
• display ip dns on page 154
• set ip dns on page 175
• set ip dns domain on page 175

set ip https server Enables the HTTPS server on a WX. The HTTPS server is required for Web View access to the switch.

CAUTION: If you disable the HTTPS server, Web View access to the WX switch is also disabled.

Syntax - set ip https server {enable | disable}

• enable - Enables the HTTPS server.
• disable - Disables the HTTPS server.

Defaults - The HTTPS server is disabled by default.

Access - Enabled.

History - The default is changed to disabled in 3.1. In addition, the HTTPS server is no longer required for WebAAA.

Examples - The following command enables the HTTPS server on a WX switch:

WX1200# set ip https server enable
success: change accepted.

See Also

• clear ip telnet on page 141
• display ip https on page 155
• display ip telnet on page 158
• set ip telnet on page 181
• set ip telnet server on page 182

Syntax - set ip route {default | ip-addr mask | ip-addr/mask-length} gateway metric

• default - Default route. A WX switch uses the default route if an explicit route is not available for the destination. Default is an alias for IP address 0.0.0.0/0.
• ip-addr mask - IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
• ip-addr/mask-length - IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
• gateway - IP address, DNS hostname, or alias of the next-hop router.
• metric - Cost for using the route. You can specify a value from 0 through 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.

Defaults - The HTTPS server is enabled by default.

Access - Enabled.

Usage - MSS can use a static route only if a direct route in the route table resolves the static route. MSS adds routes with next-hop types Local and Direct when you add an IP interface to a VLAN, if the VLAN is up. If one of these added routes can resolve the static route, MSS can use the static route.

Before you add a static route, use the display interface command to verify that the WX switch has an IP interface in the same subnet as the route's next-hop router. If not, the VLAN:Interface field of the display ip route command output shows that the route is down.

You can configure a maximum of 4 routes per destination. This includes default routes, which have destination 0.0.0.0/0. Each route to a given destination must have a unique gateway address. When the route table contains multiple default or explicit routes to the same destination, MSS uses the route with the lowest cost. If two or more routes to the same destination have the lowest cost, MSS selects the first route in the route table.

When you add multiple routes to the same destination, MSS groups the routes and orders them from lowest cost at the top of the group to highest cost at the bottom of the group. If you add a new route that has the same destination and cost as a route already in the table, MSS places the new route at the top of the group of routes with the same cost.
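The ordering and selection rules in the Usage text above, modeled in Python as an added example (not 3Com code and not part of the original reference). RouteTable, StaticRoute and the sample subnets are constructed for illustration; falling back to the next route in the group when the first route's gateway cannot be resolved is an assumption drawn from the two-default-route example in this entry.

```python
"""Model of the static-route ordering and selection rules described above.

Added illustration, not 3Com code: all class and function names are
hypothetical, and the subnets in the demo are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

MAX_ROUTES_PER_DEST = 4        # "maximum of 4 routes per destination"
MAX_METRIC = 2_147_483_647     # metric range is 0 through 2,147,483,647


@dataclass(frozen=True)
class StaticRoute:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_dest(text):
    """Accept the three destination forms of `set ip route`."""
    if text == "default":                       # alias for 0.0.0.0/0
        return ipaddress.ip_network("0.0.0.0/0")
    # "ip-addr mask" and "ip-addr/mask-length" both reduce to addr/mask.
    return ipaddress.ip_network("/".join(text.split()), strict=False)


class RouteTable:
    def __init__(self, direct_subnets):
        # Subnets of IP interfaces on VLANs that are up (Local/Direct routes).
        self.direct = {ipaddress.ip_network(s) for s in direct_subnets}
        self.groups = {}                        # destination -> ordered routes

    def interface_down(self, subnet):
        """Remove a direct route, as when the VLAN or its interface goes down."""
        self.direct.discard(ipaddress.ip_network(subnet))

    def add(self, dest, gateway, metric):
        net = parse_dest(dest)
        gw = ipaddress.ip_address(gateway)
        if not 0 <= metric <= MAX_METRIC:
            raise ValueError("metric out of range")
        group = self.groups.setdefault(net, [])
        if any(r.gateway == gw for r in group):
            raise ValueError("gateway already used for this destination")
        if len(group) >= MAX_ROUTES_PER_DEST:
            raise ValueError("destination already has 4 routes")
        # Lowest cost first; a new route goes above existing routes of equal cost.
        pos = next((i for i, r in enumerate(group) if r.metric >= metric),
                   len(group))
        group.insert(pos, StaticRoute(net, gw, metric))

    def order(self, dest):
        """Gateways for one destination, in route-table order."""
        return [str(r.gateway) for r in self.groups.get(parse_dest(dest), [])]

    def is_up(self, route):
        """A static route is usable only if a direct route resolves its gateway."""
        return any(route.gateway in subnet for subnet in self.direct)

    def best(self, dest):
        """First usable route in table order, or None if every route is down."""
        for route in self.groups.get(parse_dest(dest), []):
            if self.is_up(route):
                return route
        return None


if __name__ == "__main__":
    table = RouteTable(["10.2.4.64/26", "10.2.4.0/26"])   # constructed subnets
    table.add("default", "10.2.4.69", 1)
    table.add("default", "10.2.4.17", 2)
    print("in use:", table.best("default").gateway)
    table.interface_down("10.2.4.64/26")
    print("after interface loss:", table.best("default").gateway)
```

Because an equal-cost route added later is placed first, adding a second cost-1 default route changes which gateway carries traffic; review the group order with display ip route after every change.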

Examples - The following command adds a default route that uses gateway 10.5.4.1 and gives the route a cost of 1:

WX4400# set ip route default 10.5.4.1 1
success: change accepted.

The following commands add two default routes, and configure MSS to always use the route through 10.2.4.69 when the interface to that gateway router is up:

WX4400# set ip route default 10.2.4.69 1
success: change accepted.
WX4400# set ip route default 10.2.4.17 2
success: change accepted.

The following command adds an explicit route from a WX to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and gives the route a cost of 1:

WX4400# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1
success: change accepted.

The following command adds another explicit route, using CIDR notation to specify the subnet mask:

WX4400# set ip route 192.168.5.0/24 10.5.5.2 1
success: change accepted.

See Also

• clear ip route on page 140
• display interface on page 152
• display ip route on page 156

Syntax - set ip ssh port port-num

• port-num - TCP port number.

Defaults - The default SSH port number is 22.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command changes the SSH port number on a WX switch to 6000:

WX4400# set ip ssh port 6000
success: change accepted.

Syntax - set ip telnet port-num

• port-num - TCP port number.

Defaults - The default Telnet port number is 23.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command changes the Telnet port number on a WX to 5000:

WX4400# set ip telnet 5000
success: change accepted.

See Also

• clear ip telnet on page 141
• display ip https on page 155
• display ip telnet on page 158
• set ip https server on page 177
• set ip telnet server on page 182

set ip telnet server Enables the Telnet server on a WX.

CAUTION: If you disable the Telnet server, Telnet access to the WX is also disabled.

Syntax - set ip telnet server {enable | disable}

• enable - Enables the Telnet server.
• disable - Disables the Telnet server.

Defaults - The Telnet server is disabled by default.

Access - Enabled.

Usage - The maximum number of Telnet sessions supported on a WX is eight. If SSH is also enabled, the WX can have up to eight Telnet or SSH sessions, in any combination, and one console session.

Examples - The following command enables the Telnet server on a WX:

WX4400# set ip telnet server enable
success: change accepted.

See Also

• clear ip telnet on page 141
• display ip https on page 155
• display ip telnet on page 158
• set ip https server on page 177
• set ip telnet on page 181

Syntax - set ntp {enable | disable}

• enable - Enables the NTP client.
• disable - Disables the NTP client.

Defaults - The NTP client is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the WX time can take many NTP update intervals. 3Com recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence.

Examples - The following command enables the NTP client:

WX4400# set ntp enable
success: NTP Client enabled

See Also

• clear ntp server on page 141
• clear ntp update-interval on page 142
• display ntp on page 159
• set ntp server on page 184
• set ntp update-interval on page 185

Syntax - set ntp server ip-addr

• ip-addr - IP address of the NTP server, in dotted decimal notation.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.

To use NTP, you also must enable the NTP client with the set ntp command.

Examples - The following command configures a WX switch to use NTP server 192.168.1.5:

WX4400# set ntp server 192.168.1.5

See Also

• clear ntp server on page 141
• clear ntp update-interval on page 142
• display ntp on page 159
• set ntp on page 183
• set ntp update-interval on page 185

• read-notify - Allows an SNMP management application using the string to get object values on the switch but not to set them. The switch can use the string to send notifications.
• notify-only - Allows the WX to use the string to send notifications.
• read-write - Allows an SNMP management application using the string to get and set object values on the switch.
• notify-read-write - Allows an SNMP management application using the string to get and set object values on the switch. The switch also can use the string to send notifications.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Default community strings changed from public (for read-only) and private (for read-write) to blank in MSS Version 3.1. Default strings removed and new access types added for SNMPv3 (read-notify, notify-only, notify-read-write) in MSS Version 4.0.

Usage - SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. 3Com recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private.

If you are using SNMPv3, you can configure SNMPv3 users to use authentication and to encrypt SNMP data.

Examples - The following command configures the read-write community good_community:

WX4400# set snmp community read-write good_community
success: change accepted.

The following command configures community string switchmgr1 with access level notify-read-write:

WX4400# set snmp community name switchmgr1 notify-read-write
success: change accepted.

regard to the notifications you specify with notification-type or all.

• notification-type - Name of the notification type:
- APBootTraps - Generated when a MAP access point boots.
- ApNonOperStatusTraps - Generated to indicate a MAP radio is nonoperational.
- ApOperRadioStatusTraps - Generated when the status of a MAP radio changes.
- APRejectLicenseExceededTraps - Generated when a WX switch receives a packet from an inactive AP and attaching that AP would make the WX switch exceed the maximum (licensed) number of active APs.
- APTimeoutTraps - Generated when a MAP access point fails to respond to the WX switch.
- AuthenTraps - Generated when the WX switch's SNMP engine receives a bad community string.
- AutoTuneRadioChannelChangeTraps - Generated when the RF Auto-Tuning feature changes the channel on a radio.
- AutoTuneRadioPowerChangeTraps - Generated when the RF Auto-Tuning feature changes the power setting on a radio.
- ClientAssociationFailureTraps - Generated when a client's attempt to associate with a radio fails.
- ClientAssociationSuccessTraps - Generated when a client is successfully associated.
- ClientAuthorizationSuccessTraps - Generated when a client is successfully authorized.
- ClientAuthenticationFailureTraps - Generated when authentication fails for a client.
- ClientAuthenticationSuccessTraps - Generated when a client is successfully authenticated.
- ClientAuthorizationFailureTraps - Generated when authorization fails for a client.
- ClientClearedTraps - Generated when a client's session is cleared.
- ClientDeAssociationTraps - Generated when a client is dissociated from a radio.
- ClientDeAuthenticationTraps - Generated when a client is disauthenticated from a radio.
- ClientDot1xFailureTraps - Generated when a client experiences an 802.1X failure.
- ClientIpAddressChangeTraps - Generated when a client's IP address changes.
- ClientRoamingTraps - Generated when a client roams.
- CounterMeasureStartTraps - Generated when MSS begins countermeasures against a rogue access point.
- CounterMeasureStopTraps - Generated when MSS stops countermeasures against a rogue access point.
- DAPConnectWarningTraps - Generated when a Distributed MAP whose fingerprint has not been configured in MSS establishes a management session with the switch.
- DeviceFailTraps - Generated when an event with an Alert severity occurs.
- DeviceOkayTraps - Generated when a device returns to its normal state.
- LinkDownTraps - Generated when the link is lost on a port.
- LinkUpTraps - Generated when the link is detected on a port.
- MichaelMICFailureTraps - Generated when two Michael message integrity code (MIC) failures occur within 60 seconds, triggering Wi-Fi Protected Access (WPA) countermeasures.
- MobilityDomainJoinTraps - Generated when the WX switch is initially able to contact a mobility domain seed member, or can contact the seed member after a timeout.
- MobilityDomainTimeoutTraps - Generated when a timeout occurs after a WX switch has unsuccessfully tried to communicate with a seed member.
- PoEFailTraps - Generated when a serious PoE problem, such as a short circuit, occurs.
- RFDetectAdhocUserTraps - Generated when MSS detects an ad-hoc user.
- RFDetectAdhocUserDisappearTraps - Generated when an ad-hoc user is no longer being detected.
- RFDetectBlacklistedTraps - Generated when an association, re-association, or deassociation request is detected from a blacklisted transmitter.
- RFDetectRogueAPTraps - Generated when MSS detects a rogue access point.
- RFDetectRogueDisappearTraps - Generated when a rogue access point is no longer being detected.
- RFDetectClientViaRogueWiredAPTraps - Generated when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP.
- RFDetectDoSPortTraps - Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
- RFDetectDoSTraps - Generated when MSS detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood.
- RFDetectInterferingRogueAPTraps - Generated when an interfering device is detected.
- RFDetectInterferingRogueDisappearTraps - Generated when an interfering device is no longer detected.
- RFDetectSpoofedMacAPTraps - Generated when MSS detects a wireless packet with the source MAC address of a MAP, but without the spoofed MAP's signature (fingerprint).
- RFDetectSpoofedSsidAPTraps - Generated when MSS detects beacon frames for a valid SSID, but sent by a rogue AP.
- RFDetectUnAuthorizedAPTraps - Generated when MSS detects the MAC address of a MAP that is on the attack list.
- RFDetectUnAuthorizedOuiTraps - Generated when a wireless device that is not on the list of permitted vendors is detected.
- RFDetectUnAuthorizedSsidTraps - Generated when an SSID that is not on the permitted SSID list is detected.
• all - Sends or drops all notifications.

Defaults - A default notification profile (named default) is already configured on the WX. All notifications in the default profile are dropped by default.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Examples - The following command changes the action in the default notification profile from drop to send for all notification types:

WX1200# set snmp notify profile default send all
success: change accepted.

The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:

WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserDisappearTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectBlacklistedUserTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueDisappearTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectRogueDisappearTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectSpoofedMacAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectSpoofedSsidAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedAPTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedOuiTraps
success: change accepted.
WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectUnAuthorizedSsidTraps
success: change accepted.

• username - USM username. This option is applicable only when the SNMP version is usm. If the user will send informs rather than traps, you also must specify the snmp-engine-id of the target.
• snmp-engine-id {ip | hex hex-string} - SNMP engine ID of the target. Specify ip if the target's SNMP engine ID is based on its IP address. If the target's SNMP engine ID is a hexadecimal value, use hex hex-string to specify the value.
• profile profile-name - Notification profile that this SNMP user will use to specify the notification types to send or drop.
• security {unsecured | authenticated | encrypted} - Specifies the security level, and is applicable only when the SNMP version is usm:
- unsecured - Message exchanges are not authenticated, nor are they encrypted. This is the default.
- authenticated - Message exchanges are authenticated, but are not encrypted.
- encrypted - Message exchanges are authenticated and encrypted.
• retries num - Specifies the number of times the MSS SNMP engine will resend a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
• timeout num - Specifies the number of seconds MSS waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.

SNMPv3 with Traps To configure a notification target for traps from SNMPv3, use the following command:

Syntax - set snmp notify target target-num ip-addr[:udp-port-number] usm trap user username [profile profile-name] [security {unsecured | authenticated | encrypted}]

• target-num - ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
• ip-addr[:udp-port-number] - IP address of the server. You also can specify the UDP port number to send notifications to.
• username - USM username. This option is applicable only when the SNMP version is usm.
• profile profile-name - Notification profile this SNMP user will use to specify the notification types to send or drop.
• security {unsecured | authenticated | encrypted} - Specifies the security level, and is applicable only when the SNMP version is usm:
- unsecured - Message exchanges are not authenticated, nor are they encrypted. This is the default.
- authenticated - Message exchanges are authenticated, but are not encrypted.
- encrypted - Message exchanges are authenticated and encrypted.

SNMPv2c with Informs To configure a notification target for informs from SNMPv2c, use the following command:

Syntax - set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string inform [profile profile-name] [retries num] [timeout num]

• target-num - ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
• ip-addr[:udp-port-number] - IP address of the server. You also can specify the UDP port number to send notifications to.
• community-string - Community string.
• profile profile-name - Notification profile this SNMP user will use to specify the notification types to send or drop.
• retries num - Notification profile this SNMP user will use to specify the notification types to send or drop.
• timeout num - Specifies the number of seconds MSS waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.

SNMPv2c with Traps To configure a notification target for traps from SNMPv2c, use the following command:

Syntax - set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name]

• target-num - ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
• ip-addr[:udp-port-number] - IP address of the server. You also can specify the UDP port number to send notifications to.
• community-string - Community string.
• profile profile-name - Notification profile this SNMP user will use to specify the notification types to send or drop.

SNMPv1 with Traps To configure a notification target for traps from SNMPv1, use the following command:

Syntax - set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]

• target-num - ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
• ip-addr[:udp-port-number] - IP address of the server. You also can specify the UDP port number to send notifications to.
• community-string - Community string.
• profile profile-name - Notification profile this SNMP user will use to specify the notification types to send or drop.

Defaults - The default UDP port number on the target is 162. The default minimum required security level is unsecured. The default number of retries is 0 and the default timeout is 2 seconds.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only.

Examples - The following command configures a notification target for acknowledged notifications:

WX1200# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip
success: change accepted.

This command configures target 1 at IP address 10.10.40.9. The target's SNMP engine ID is based on its address. The MSS SNMP engine will send notifications based on the default profile, and will require the target to acknowledge receiving them.

The following command configures a notification target for unacknowledged notifications:

WX1200# set snmp notify target 2 10.10.40.10 v1 trap
success: change accepted.

See Also

• clear snmp notify target on page 144
• set ip snmp server on page 180
• set snmp community on page 185
• set snmp notify profile on page 187
• set snmp protocol on page 197
• set snmp security on page 198
• set snmp usm on page 199
• display snmp notify target on page 162

set snmp protocol Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.

Syntax - set snmp protocol {v1 | v2c | usm | all} {enable | disable}

• v1 - SNMPv1
• v2c - SNMPv2c
• usm - SNMPv3 (with the user security model)
• all - Enables all supported versions of SNMP.
• enable - Enables the specified SNMP version(s).
• disable - Disables the specified SNMP version(s).

Defaults - All SNMP versions are disabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - SNMP requires the switch system IP address to be set. SNMP does not work without the system IP address.

You also must enable the SNMP service using the set ip snmp server command.

Examples - The following command enables all SNMP versions:

WX1200# set snmp protocol all enable
success: change accepted.

See Also

• set ip snmp server on page 180
• set snmp community on page 185
• set snmp notify target on page 192
• set snmp security on page 198
• set snmp usm on page 199
• display snmp status on page 163

set snmp security Sets the minimum level of security MSS requires for SNMP message exchanges.

Syntax - set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}

• unsecured - SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
• authenticated - SNMP message exchanges are authenticated but are not encrypted.
• encrypted - SNMP message exchanges are authenticated and encrypted.
• auth-req-unsec-notify - SNMP message exchanges are authenticated but are not encrypted, and notifications are neither authenticated nor encrypted.

Defaults - By default, MSS allows nonsecure (unsecured) SNMP message exchanges.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - SNMPv1 and SNMPv2c do not support authentication or encryption. If you plan to use SNMPv1 or SNMPv2c, leave the minimum level of SNMP security set to unsecured.

Examples - The following command sets the minimum level of SNMP security allowed to authentication and encryption:

WX1200# set snmp security encrypted
success: change accepted.

See Also

• set ip snmp server on page 180
• set snmp community on page 185
• set snmp notify target on page 192
• set snmp notify profile on page 187
• set snmp protocol on page 197

• local - Uses the value computed from the switch's system IP address.
• access {read-only | read-notify | notify-only | read-write | notify-read-write} - Specifies the access level of the user:
- read-only - An SNMP management application using the string can get (read) object values on the switch but cannot set (write) them.
- read-notify - An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications.
- notify-only - The switch can use the string to send notifications.
- read-write - An SNMP management application using the string can get and set object values on the switch.
- notify-read-write - An SNMP management application using the string can get and set object values on the switch. The switch can use the string to send notifications.
• auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} - Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
- none - No authentication is used.
- md5 - Message-digest algorithm 5 is used.
- sha - Secure Hashing Algorithm (SHA) is used.

If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
- To specify a passphrase, use the auth-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.
- To specify a key, use the auth-key hex-string option.

• encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string} - Specifies the encryption type used for SNMP traffic. You can specify one of the following:
- none - No encryption is used. This is the default.
- des - Data Encryption Standard (DES) encryption is used.
- 3des - Triple DES encryption is used.
- aes - Advanced Encryption Standard (AES) encryption is used.

If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key.
- To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces.
- To specify a key, use the encrypt-key hex-string option.

Defaults - No SNMPv3 users are configured by default. When you configure an SNMPv3 user, the default access is read-only, and the default authentication and encryption types are both none.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Examples - The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers.

WX1200# set snmp usm snmpmgr1 snmp-engine-id local
success: change accepted.

The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases. This user can send informs to the notification receiver that has engine ID 192.168.40.2.

WX4400# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword
success: change accepted.

See Also

• clear snmp usm on page 144
• set ip snmp server on page 180
• set snmp community on page 185
• set snmp notify target on page 192
• set snmp notify profile on page 187
• set snmp protocol on page 197
• set snmp security on page 198
• display snmp usm on page 164
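A configuration review script for the management settings documented in this chapter, added here as an example (not 3Com code): it flags an enabled Telnet server, SNMPv1/v2c, well-known or writable community strings, USM users left at the none defaults, and notification targets that are not encrypted. The sample configuration is constructed from the command forms shown above; the finding names and the choice to treat md5 and des as weak are assumptions of this script.

```python
"""Audit a WX configuration for weak management-plane settings.

Added example, not 3Com code. SAMPLE_CONFIG is constructed from the command
forms shown in this chapter; the finding names are made up for this script.
"""

WELL_KNOWN = {"public", "private"}   # strings the Usage note warns against

# Constructed sample: one command per line, as typed at the CLI.
SAMPLE_CONFIG = """\
set ip telnet server enable
set ip https server enable
set snmp protocol all enable
set snmp community read-write private
set snmp community name switchmgr1 notify-read-write
set snmp usm snmpmgr1 snmp-engine-id local
set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword
set snmp notify target 2 10.10.40.10 v1 trap
set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1 snmp-engine-id ip
set snmp security encrypted
"""


def option(tokens, key, default):
    """Value following `key`, or `default` when the option is not given."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else default


def audit_line(line):
    """Return the finding codes raised by one `set ...` command."""
    t = line.split()
    found = []
    if t[:5] == ["set", "ip", "telnet", "server", "enable"]:
        found.append("telnet-enabled")
    elif t[:3] == ["set", "snmp", "protocol"] and t[4:5] == ["enable"]:
        # v1 and v2c pass community strings in clear text; "all" includes them.
        if t[3] in ("v1", "v2c", "all"):
            found.append("snmp-cleartext-version")
    elif t[:3] == ["set", "snmp", "security"]:
        if t[3:4] in (["unsecured"], ["auth-req-unsec-notify"]):
            found.append("snmp-min-security-weak")
    elif t[:3] == ["set", "snmp", "community"]:
        rest = t[3:]
        # Both argument orders appear in the chapter's examples.
        if rest[:1] == ["name"] and len(rest) >= 3:
            name, access = rest[1], rest[2]
        elif len(rest) >= 2:
            access, name = rest[0], rest[1]
        else:
            return found
        if name.lower() in WELL_KNOWN:
            found.append("community-well-known")
        if "write" in access:
            found.append("community-write-access")
    elif t[:3] == ["set", "snmp", "usm"] and len(t) > 3:
        # Omitted auth-type / encrypt-type default to none.
        # Treating md5 and des as weak is this script's policy (assumption).
        if option(t, "auth-type", "none") in ("none", "md5"):
            found.append("usm-weak-auth")
        if option(t, "encrypt-type", "none") in ("none", "des"):
            found.append("usm-weak-encryption")
    elif t[:4] == ["set", "snmp", "notify", "target"] and len(t) > 6:
        version = t[6]
        if version in ("v1", "v2c"):
            found.append("notify-cleartext")
        elif version == "usm" and option(t, "security", "unsecured") != "encrypted":
            found.append("notify-not-encrypted")   # target default is unsecured
    return found


def audit(config_text):
    """Return (line number, finding) pairs; line 0 marks a risky default."""
    lines = config_text.splitlines()
    results = [(n, code) for n, line in enumerate(lines, 1)
               for code in audit_line(line)]
    snmp_on = any(l.split()[:3] == ["set", "snmp", "protocol"]
                  and l.split()[4:5] == ["enable"] for l in lines)
    has_level = any(l.split()[:3] == ["set", "snmp", "security"] for l in lines)
    if snmp_on and not has_level:
        # With no explicit minimum, MSS allows unsecured exchanges.
        results.append((0, "snmp-min-security-default-unsecured"))
    return results


if __name__ == "__main__":
    for lineno, code in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}")
```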


set summertime Offsets the real-time clock of a WX by +1 hour and returns it to standard time for daylight savings time or a similar summertime period.

Syntax ??? set summertime summer-name [start week weekday month hour min end week weekday month hour min]

??summer-name ??? Name of up to 32 alphanumeric characters that

describes the summertime offset. You can use a standard name or any name you like.

??start ??? Start of the time change period.

??week ??? Week of the month to start or end the time change. Valid

values are first, second, third, fourth, or last.

??weekday ??? Day of the week to start or end the time change. Valid

values are sun, mon, tue, wed, thu, fri, and sat.

??month ??? Month of the year to start or end the time change. Valid

values are jan, feb, mar, apr, may, jun, jul, aug, sep, oct, nov, and dec.

??hour ??? Hour to start or end the time change ??? a value between 0

and 23 on the 24-hour clock.

??min ??? Minute to start or end the time change ??? a value between 0

and 59.

??end ??? End of the time change period.

Defaults ??? If you do not specify a start and end time, the system implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in October, according to the North American standard.

Access ??? Enabled.

History ???Introduced in MSS Version 3.0.

Usage ??? You must first set the time zone with the set timezone command for the offset to work properly without the start and end values.

Configure summertime before you set the time and date. Otherwise, summertime???s adjustment of the time will make the time incorrect, if the date is within the summertime period.

set system ip-address

Syntax - set system ip-address ip-addr

• ip-addr - IP address, in dotted decimal notation. The address must be configured on one of the WX VLANs.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must use an address that is configured on one of the WX switch VLANs.

To display the system IP address, use the display system command.

Examples - The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address:

WX4400# set interface taupe ip 10.10.20.20/24
success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
WX4400# set system ip-address 10.10.20.20
success: change accepted.

See Also

• clear system ip-address on page 146

• display system on page 47

• set interface on page 170

Syntax - set timedate {date mmm dd yyyy [time hh:mm:ss]}

• date mmm dd yyyy - System date:

  • mmm - month

  • dd - day

  • yyyy - year

• time hh:mm:ss - System time, in hours, minutes, and seconds.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage ??? The day of week is automatically calculated from the day that you set. The time displayed by the CLI after you type the command might be slightly later than the time you enter due to the interval between when you press Enter and when the CLI reads and displays the new time and date.

Configure summertime before you set the time and date. Otherwise, the summertime adjustment makes the time incorrect, if the date is within the summertime period.

These values are also used by Network Time Protocol (NTP), if it is enabled.

Syntax - set timezone zone-name {-hours [minutes]}

• zone-name - Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like.

• - (minus sign) - Minus time to indicate hours (and minutes) to be subtracted from UTC. Otherwise, hours and minutes are added by default.

• hours - Number of hours to add or subtract from UTC.

• minutes - Number of minutes to add or subtract from UTC.

Defaults - If this command is not used, then the default time zone is UTC.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To set the time zone for Pacific Standard Time (PST), type the following command:

WX1200# set timezone PST -8
Timezone is set to 'PST', offset from UTC is -8:0 hours.

See Also

• clear summertime on page 145

• clear timezone on page 146

• display summertime on page 164

• display timedate on page 165

• display timezone on page 165

• set summertime on page 202

• set timedate on page 204

Syntax - telnet {ip-addr | hostname} [port port-num]

• ip-addr - IP address of the remote device.

• hostname - Hostname of the remote device.

• port port-num - TCP port number on which the TCP server on the remote device listens for Telnet connections.

Defaults - MSS attempts to establish Telnet connections with TCP port 23 by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To end a Telnet session from the remote device, press Ctrl+t or type quit or logout in the management session on the remote device. To end a client session from the local WX switch, use the clear sessions telnet client command.

If the configuration of the WX switch from which you enter the telnet command has an ACL that denies Telnet client traffic, the ACL also denies access by the telnet command.

Examples - In the following example, an administrator establishes a Telnet session with another device and enters a command on the remote device:

WX4400# telnet 10.10.10.90
Session 0 pty tty2.d
Trying 10.10.10.90...
Connected to 10.10.10.90
Disconnect character is '^t'
Copyright (c) 2004 3Com Corporation. All rights reserved.

When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local prompt:

WX1200-remote> Session 0 pty tty2.d terminated tt name tty2.d
WX1200#

See Also

• clear sessions on page 613

• display sessions on page 616

Syntax - traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]

• host - IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.

• dnf - Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented.

• no-dns - Prevents MSS from performing a DNS lookup for each hop to the destination host.

• port port-num - TCP port number listening for the traceroute probes.

• queries num - Number of probes per hop.

• size size - Probe packet size in bytes. You can specify from 40 through 1,460.

• ttl hops - Maximum number of hops, which can be from 1 through 255.

• wait ms - Probe wait in milliseconds. You can specify from 1 through 100,000.

Defaults

• dnf - Disabled

• no-dns - Disabled

• port - 33434

• queries - 3

• size - 38

• ttl - 30

• wait - 5000

Access - All.

History - Introduced in MSS Version 3.0.

Usage - To stop a traceroute command that is in progress, press Ctrl+C.

Examples - The following example traces the route to host server1:

WX4400# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms

The first row of the display indicates the target host, the maximum number of hops, and the packet size. Each numbered row displays information about one hop. The rows are displayed in the order in which the hops occur, beginning with the hop closest to the WX switch.

The row for a hop lists the total time in milliseconds for each ICMP packet to reach the router or host, plus the time for the ICMP Time Exceeded message to return to the host.

An exclamation point (!) following any of these values indicates that the Port Unreachable message returned by the destination has a maximum hop count of 0 or 1. This can occur if the destination uses the maximum hop count value from the arriving packet as the maximum hop count in its ICMP reply. The reply does not arrive at the source until the destination receives a traceroute packet with a maximum hop count equal to the number of hops between the source and destination.

An asterisk (*) indicates that the timeout period expired before MSS received a Time Exceeded message for the packet.

If Traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable message, MSS displays one of the error codes described in Table 40 instead of displaying the round-trip time or an asterisk (*).

Table 40 describes the traceroute error messages.

Table 40 Error messages for traceroute

See Also

• ping on page 166

Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local WX database to help you control access locally.

(Security ACLs are packet filters. For command descriptions, see Chapter 14.)

212 CHAPTER 8: AAA COMMANDS

Table 41 AAA Commands by Usage (continued)

clear accounting

Removes accounting services for specified wireless users with administrative access or network access.

Syntax - clear accounting {admin | dot1x} {user-glob}

• admin - Users with administrative access to the WX through a console connection or through a Telnet or Web View connection.

• dot1x - Users with network access through the WX. Users with network access are authorized to use the network through either an IEEE 802.1X method or their media access control (MAC) address.

• user-glob - Single user or set of users with administrative access or network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

See Also

• clear authentication console on page 215

• clear authentication dot1x on page 216

clear authentication console

Syntax - clear authentication console user-glob

• user-glob - A single user or set of users.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

The syntax descriptions for the clear authentication commands are separate for clarity. However, the options and behavior for the clear authentication console command are the same as in previous releases.

Examples - The following command clears authentication for administrator Regina:

WX4400# clear authentication console Regina
success: change accepted.

See Also

• clear authentication admin on page 214

• display aaa on page 229

• clear authentication dot1x on page 216

• clear authentication mac on page 217

• clear authentication proxy on page 218

• set authentication console on page 241

clear authentication dot1x

Removes an 802.1X authentication rule.

Syntax - clear authentication dot1x {ssid ssid-name | wired} user-glob

• ssid ssid-name - SSID name to which this authentication rule applies.

• wired - Clears a rule used for access over a WX wired-authentication port.

• user-glob - A single user or a set of users with 802.1X network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command removes 802.1X authentication for network users with usernames ending in @thiscorp.com who try to access SSID finance:

WX4400# clear authentication dot1x ssid finance *@thiscorp.com

See Also

• clear authentication admin on page 214

• clear authentication console on page 215

• clear authentication mac on page 217

• clear authentication proxy on page 218

• display aaa on page 229

• set authentication dot1x on page 243

clear authentication mac

Removes a MAC authentication rule.

Syntax - clear authentication mac {ssid ssid-name | wired} mac-addr-glob

• ssid ssid-name - SSID name to apply the authentication.

• wired - Clears a rule used for access over a WX wired-authentication port.

• mac-addr-glob - A single user or set of users with access via a MAC address. Specify a MAC address, or use the wildcard (*) character to specify a set of MAC addresses. (For details, see "MAC Address Globs" on page 31.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command removes a MAC authentication rule for access to SSID thatcorp by MAC addresses beginning with aa:bb:cc:

WX4400# clear authentication mac ssid thatcorp aa:bb:cc:*

See Also

• clear authentication admin on page 214

• clear authentication console on page 215

• clear authentication dot1x on page 216

• clear authentication mac on page 217

• clear authentication proxy on page 218

• display aaa on page 229

• set authentication mac on page 247

clear authentication proxy

Removes a proxy rule for third-party AP users.

Syntax - clear authentication proxy ssid ssid-name user-glob

• ssid ssid-name - SSID name to which this authentication rule applies.

• user-glob - User-glob associated with the rule you are removing.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Examples - The following command removes the proxy rule for SSID mycorp and userglob **:

WX4400# clear authentication proxy ssid mycorp

See Also

• set authentication proxy on page 253

• display aaa on page 229

clear authentication web

Removes a WebAAA rule.

Syntax - clear authentication web {ssid ssid-name | wired} user-glob

• ssid ssid-name - SSID name to which this authentication rule applies.

• wired - Clears a rule used for access over a WX switch's wired-authentication port.

• user-glob - User-glob associated with the rule you are removing.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 3.0.

Examples - The following command removes WebAAA for SSID research and userglob temp*@thiscorp.com:

WX4400# clear authentication web ssid research temp*@thiscorp.com

See Also

• clear authentication admin on page 214

• clear authentication console on page 215

• clear authentication dot1x on page 216

• clear authentication mac on page 217

• set authentication web on page 254

• display aaa on page 229

clear location policy

Removes a rule from the location policy on a WX switch.

Syntax - clear location policy rule-number

• rule-number - Index number of a location policy rule to remove from the location policy.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To determine the index numbers of location policy rules, use the display location policy command. Removing all the ACEs from the location policy disables this function on the WX switch.

Examples - The following command removes location policy rule 4 from a WX switch's location policy:

WX4400# clear location policy 4
success: clause 4 is removed.

Syntax - clear mac-user mac-addr

• mac-addr - MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Deleting a MAC user's profile from the database deletes the assignment of any attributes in the profile to the user.

Examples - The following command removes the user profile for a user at MAC address 01:02:03:04:05:06:

WX4400# clear mac-user 01:02:03:04:05:06
success: change accepted.

See Also

• display aaa on page 229

• set mac-usergroup attr on page 267

• set mac-user attr on page 261

clear mac-user attr

Removes an authorization attribute from the user profile in the local database on the WX switch, for a user who is authenticated by a MAC address.

(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax - clear mac-user mac-addr attr attribute-name

• mac-addr - MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

• attribute-name - Name of an attribute used to authorize the MAC user for a particular service or session characteristic. (For a list of authorization attributes, see Table 44 on page 262.)

Syntax - clear mac-user mac-addr group

• mac-addr - MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

Defaults - None.

Syntax - clear mac-usergroup group-name

• group-name - Name of an existing MAC user group.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To remove a user from a MAC user group, use the clear mac-user group command.

Examples - The following command deletes the MAC user group eastcoasters from the local database:

WX4400# clear mac-usergroup eastcoasters
success: change accepted.

See Also

• clear mac-usergroup on page 222

• display aaa on page 229

• set mac-usergroup attr on page 267

Syntax - clear user username

• username - Username of a user with a password.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Deleting the user profile from the database deletes the assignment of any profile attributes to the user.

clear user attr

Syntax - clear user username attr attribute-name

• username - Username of a user with a password.

• attribute-name - Name of an attribute used to authorize the user for a particular service or session characteristic. (For a list of authorization attributes, see Table 44 on page 262.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command removes the Session-Timeout attribute from Hosni's user profile:

WX4400# clear user Hosni attr session-timeout
success: change accepted.

See Also

• display aaa on page 229

• set user attr on page 273

clear user group

Removes a user with a password from membership in a user group in the local database on the WX.

(To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)

Syntax - clear user username group

• username - Username of a user with a password.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Removing the user from the group removes the group name from the user profile, but does not delete either the user or the user group from the local WX database. To remove the group, use clear usergroup.

Examples - The following command removes the user Nin from a user group:

WX4400# clear user Nin group
success: change accepted.

See Also

• clear usergroup on page 227

• display aaa on page 229

• set user group on page 275

clear user lockout

Restores access to a user who has been locked out of the system due to an expired password or exceeding the maximum number of failed login attempts.

Syntax - clear user username lockout

Defaults - None.

Access - Enabled.

clear usergroup

Syntax - clear usergroup group-name

• group-name - Name of an existing user group.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Removing a user group from the local WX database does not remove the user profiles of the group members from the database.

Examples - The following command deletes the cardiology user group from the local database:

WX4400# clear usergroup cardiology
success: change accepted.

See Also

• clear usergroup attr on page 228

• display aaa on page 229

• set usergroup on page 275

clear usergroup attr

Removes an authorization attribute from a user group in the local database on the WX.

(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax - clear usergroup group-name attr attribute-name

• group-name - Name of an existing user group.

• attribute-name - Name of an attribute used to authorize all the users in the group for a particular service or session characteristic. (For a list of authorization attributes, see Table 44 on page 262.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command removes the members of the user group cardiology from a network access time restriction by deleting the Time-Of-Day attribute from the group:

WX4400# clear usergroup cardiology attr time-of-day
success: change accepted.

See Also

• clear usergroup on page 227

• display aaa on page 229

• set usergroup on page 275

display aaa

Examples - To display all current AAA settings, type the following command:

--------------------------------------------------------------------

Server groups
sg1: rs-3
sg2: rs-4
sg3: rs-5

Web Portal: enabled

set authentication admin Jose sg3
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local

user Nin
Password = 082c6c64060b (encrypted)
Filter-Id = acl-999.in
Filter-Id = acl-999.out

user last-resort-guestssid
Vlan-Name = k2

user last-resort-any
Vlan-Name = foo

mac-user 01:02:03:04:05:06 usergroup eastcoasters

session-timeout = 99

Table 42 describes the fields that can appear in display aaa output.

Table 42 display aaa Output

See Also

• set accounting {admin | console} on page 235

• set authentication admin on page 239

• set authentication console on page 241

• set authentication dot1x on page 243

• set authentication mac on page 247

• set authentication web on page 254

display accounting statistics

AAA_ACCT_SVC_ATTR=2

AAA_VLAN_NAME_ATTR=default

Calling-Station-Id=00-06-25-12-06-38

Nas-Port-Id=3/1

Called-Station-Id=00-0B-0E-00-CC-01

AAA_SSID_ATTR=vineet-dot1x

Table 43 describes the fields that can appear in display accounting statistics output.

Table 43 display accounting statistics Output

Examples - The following command displays the list of location policy rules in the location policy on a WX switch:

WX4400# display location policy

Id Clauses

----------------------------------------------------------------

1)deny if user eq *.theirfirm.com

2)permit vlan guest_1 if vlan neq *.wodefirm.com

3)permit vlan bld4.tac inacl tac_24.in if user eq *.ny.wodefirm.com

See Also

• clear location policy on page 219

• set location policy on page 256

Syntax - set accounting {admin | console} {user-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]

• admin - Users with administrative access to the WX switch through Telnet or Web View.

• console - Users with administrative access to the WX switch through a console connection.

• user-glob - Single user or set of users with administrative access or network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

This option does not apply if mac is specified. For mac, specify a mac-addr-glob. (See "MAC Address Globs" on page 31.)

• start-stop - Sends accounting records at the start and end of a network session.

• stop-only - Sends accounting records only at the end of a network session.

• method1, method2, method3, method4 - At least one of up to four methods that MSS uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, MSS tries the second method, and so on.

A method can be one of the following:

  • local - Stores accounting records in the local database on the WX switch. When the local accounting storage space is full, MSS overwrites older records with new ones.

  • server-group-name - Stores accounting records on one or more Remote Authentication Dial-In User Service (RADIUS) servers. You can also enter the names of existing RADIUS server groups as methods.

Defaults - Accounting is disabled for all users by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - For network users with start-stop accounting whose records are sent to a RADIUS server, MSS sends interim updates to the RADIUS server when the user roams.

Examples - The following command issues start-and-stop accounting records at the local WX database for administrator Natasha, when she accesses the switch using Telnet or Web Manager:

WX4400# set accounting admin Natasha start-stop local
success: change accepted.

See Also

• clear accounting on page 213

• display accounting statistics on page 232

set accounting {dot1x | mac | web | last-resort}

Sets up accounting services for specified wireless users with network access, and defines the accounting records and where they are sent.

Syntax - set accounting {dot1x | mac | web | last-resort} {ssid ssid-name | wired} {user-glob | mac-addr-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]

• dot1x - Users with network access through the WX switch who are authenticated by 802.1X.

• mac - Users with network access through the WX switch who are authenticated by MAC authentication.

• web - Users with network access through the WX switch who are authenticated by WebAAA.

• ssid ssid-name - SSID name to which this accounting rule applies. To apply the rule to all SSIDs, type any.

• wired - Applies this accounting rule specifically to users who are authenticated on a wired authentication port.

• user-glob - Single user or set of users with administrative access or network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

This option does not apply if mac or last-resort is specified. For mac, specify a mac-addr-glob. (See "MAC Address Globs" on page 31.)

• mac-addr-glob - A single user or set of users with access via a MAC address. Specify a MAC address, or use the wildcard (*) character to specify a set of MAC addresses. (For details, see "MAC Address Globs" on page 31.)

This option applies only when mac is specified.

• start-stop - Sends accounting records at the start and end of a network session.

• stop-only - Sends accounting records only at the end of a network session.

• method1, method2, method3, method4 - At least one of up to four methods that MSS uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, MSS tries the second method, and so on.

A method can be one of the following:

  • local - Stores accounting records in the local database on the WX switch. When the local accounting storage space is full, MSS overwrites older records with new ones.

  • server-group-name - Stores accounting records on one or more Remote Authentication Dial-In User Service (RADIUS) servers. You can also enter the names of existing RADIUS server groups as methods.

Defaults - Accounting is disabled for all users by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - For network users with start-stop accounting profiles whose records are sent to a RADIUS server, MSS sends interim updates to the RADIUS server when the user roams.

Examples - The following command issues stop-only records to the RADIUS server group sg2 for network user Nin, who is authenticated by 802.1X:

WX4400# set accounting dot1x Nin stop-only sg2
success: change accepted.

See Also

• clear accounting on page 213

• display accounting statistics on page 232

set authentication admin

History - Introduced in MSS Version 3.0.

The syntax descriptions for the set authentication commands are separated for clarity. However, the options and behavior for the set authentication admin command are the same as in previous releases.

Usage - You can configure different authentication methods for different groups of users. (For details, see "User Globs, MAC Address Globs, and VLAN Globs" on page 30.)

If you specify multiple authentication methods in the set authentication console command, MSS applies them in the order that they appear in the command, with these results:

If the first method responds with pass or fail, the evaluation is final.

If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group.

If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS servers are unavailable, and MSS authenticates a client with the local method, MSS starts again at the beginning of the method list when attempting to authorize the client. This can cause unexpected delays during client processing and can cause the client to time out before completing logon.

Examples - The following command configures administrator Jose, who connects via Telnet, for authentication on RADIUS server group sg3:

WX4400# set authentication admin Jose sg3
success: change accepted.

See Also

• clear authentication admin on page 214

• display aaa on page 229

• set authentication console on page 241

• set authentication dot1x on page 243

• set authentication mac on page 247

Defaults - By default, authentication is deactivated for all console users, and the default authentication method in a console authentication rule is none. MSS requires no username or password, by default. These users can press Enter at the prompts for administrative access.

It is recommended that you change the default setting unless the WX is in a secure physical location.

Access - Enabled.

History - Introduced in MSS Version 3.0.

The syntax descriptions for the set authentication commands are separated for clarity. However, the options and behavior for the set authentication console command are the same as in previous releases.

Usage - You can configure different authentication methods for different groups of users. (For details, see "User Globs, MAC Address Globs, and VLAN Globs" on page 30.)

If you specify multiple authentication methods in the set authentication console command, MSS applies them in the order in which they appear in the command, with these results:

If the first method responds with pass or fail, the evaluation is final.

If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group.

Examples - To set the console port so that it does not enforce username-password authentication for administrators, type the following command:

WX4400# set authentication console * none

success: change accepted.

See Also

• clear authentication console on page 215

• display aaa on page 229

• set authentication admin on page 239

• set authentication dot1x on page 243

• set authentication mac on page 247

• set authentication web on page 254

set authentication dot1x

Configures authentication and defines how it is performed for specified wireless or wired authentication clients who use an IEEE 802.1X authentication protocol to access the network through the WX.

Syntax - set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol method1 [method2] [method3] [method4]

• ssid ssid-name - SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.

• wired - Applies this authentication rule specifically to users connected to a wired authentication port.

• user-glob - A single user or a set of users with 802.1X network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character - either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

• bonded - Enables Bonded Auth™ (bonded authentication). When this feature is enabled, MSS authenticates the user only if the computer the user is on has already been authenticated.

• protocol - Protocol used for authentication. Specify one of the following:

• eap-md5 - Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients:

Uses challenge-response to compare hashes

Provides no encryption or integrity checking for the connection

• eap-tls - EAP with Transport Layer Security (TLS):

Provides mutual authentication, integrity-protected negotiation, and key exchange

Requires X.509 public key certificates on both sides of the connection

Provides encryption and integrity checking for the connection

Cannot be used with RADIUS server authentication (requires user information to be in the WX local database)

• peap-mschapv2 - Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2). For wireless clients:

Uses TLS for encryption and data integrity checking and server-side authentication.

Provides MS-CHAP-V2 mutual authentication.

Only the server side of the connection needs a certificate.

The wireless client authenticates using TLS to set up an encrypted session. Then MS-CHAP-V2 performs mutual authentication using the specified AAA method.

• pass-through - MSS sends all the EAP protocol processing to a RADIUS server.

EAP-MD5 does not work with Microsoft wired authentication clients.

• method1, method2, method3, method4 - At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them.

A method can be one of the following:

• local - Uses the local database of usernames and user groups on the WX switch for authentication.

• server-group-name - Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.

RADIUS servers cannot be used with the EAP-TLS protocol.

Defaults - By default, authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch. Connection, authorization, and accounting are also disabled for these users.

Bonded authentication is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You can configure different authentication methods for different groups of users by "globbing." (For details, see "User Globs" on page 30.)

You can configure a rule either for wireless access to an SSID, or for wired access through a WX wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.

You cannot configure client authentication that uses both EAP-TLS protocol and one or more RADIUS servers. EAP-TLS authentication is supported only on the local WX database.

If you specify multiple authentication methods in the set authentication dot1x command, MSS applies them in the order in which they appear in the command, with these results:

If the first method responds with pass or fail, the evaluation is final.

If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS overrides any failed searches in the local WX database and sends an authentication request to the server group.

If the user does not support 802.1X, MSS attempts to perform MAC authentication for the user. In this case, if the WX configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user MAC address, MSS uses the method specified by the command. Otherwise, MSS uses local MAC authentication by default.


If the username does not match an authentication rule for the SSID the user is attempting to access, MSS uses the fallthru authentication type configured for the SSID, which can be last-resort, web-portal (for WebAAA), or none.

Examples - The following command configures EAP-TLS authentication in the local WX database for SSID mycorp and 802.1X client Geetha:

WX4400# set authentication dot1x ssid mycorp Geetha eap-tls local

success: change accepted.

The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups sg1 through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:

WX4400# set authentication dot1x ssid examplecorp *@example.com peap-mschapv2 sg1 sg2 sg3

success: change accepted.

See Also

• clear authentication dot1x on page 216

• display aaa on page 229

• set authentication admin on page 239

• set authentication console on page 241

• set authentication mac on page 247

• set authentication web on page 254

• set service-profile auth-fallthru on page 434

set authentication mac

Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address.

Syntax - set authentication mac {ssid ssid-name | wired} mac-addr-glob method1 [method2] [method3] [method4]

• ssid ssid-name - SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.

• wired - Applies this authentication rule specifically to users connected to a wired authentication port.

• mac-addr-glob - A single user or set of users with access via a MAC address. Specify a MAC address, or use the wildcard (*) character to specify a set of MAC addresses. (For details, see "MAC Address Globs" on page 31.)

• method1, method2, method3, method4 - At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them.

A method can be one of the following:

• local - Uses the local database of usernames and user groups on the WX switch for authentication.

• server-group-name - Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.

For more information, see "Usage."

Defaults - By default, authentication is deactivated for all MAC users, which means MAC address authentication fails by default. When using RADIUS for authentication, the default password for a MAC user is the MAC address of the user.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You can configure different authentication methods for different groups of MAC addresses by "globbing." (For details, see "User Globs, MAC Address Globs, and VLAN Globs" on page 30.)

If you specify multiple authentication methods in the set authentication mac command, MSS applies them in the order in which they appear in the command, with these results:

If the first method responds with pass or fail, the evaluation is final.

If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group.

If the WX configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user MAC address, MSS uses the method specified by the command. Otherwise, MSS uses local MAC authentication by default.

If the username does not match an authentication rule for the SSID the user is attempting to access, MSS uses the fallthru authentication type configured for the SSID, which can be last-resort, web (for WebAAA), or none.

Examples - To use the local WX database to authenticate all users who access the mycorp2 SSID by their MAC address, type the following command:

WX4400# set authentication mac ssid mycorp2 ** local

success: change accepted.

See Also

• clear authentication mac on page 217

• display aaa on page 229

• set authentication admin on page 239

• set authentication console on page 241

• set authentication dot1x on page 243

• set authentication mac on page 247

• set authentication web on page 254

set authentication max-attempts 249

See Also

• clear user lockout on page 226

• set authentication minimum-password-length on page 251

• set authentication password-restrict on page 252

See Also

• clear user lockout on page 226

• set authentication minimum-password-length on page 251

• set authentication password-restrict on page 252

set authentication minimum-password-length

Specifies the minimum allowable length for user passwords.

Syntax - set authentication minimum-password-length length

• length - Minimum number of characters that can be in a user password. You can specify a minimum password length between 0 and 32 characters. Specifying 0 removes the restriction on password length.

Defaults - By default, there is no minimum length for user passwords.

Access - Enabled.

History - Introduced in MSS 6.0.

Usage - Use this command to specify the minimum length for user passwords. When this command is configured, you cannot configure a password shorter than the specified length.

When you enable this command, MSS evaluates the passwords configured on the WX and displays a list of users whose password does not meet the minimum length restriction.

Examples - To set the minimum length for user passwords at 7 characters, type the following command:

WX# set authentication minimum-password-length 7

Warning: The following users have passwords that are shorter than the minimum password length:

dan admin user2 goofball

success: change accepted.

See Also

• clear user lockout on page 226

• set authentication minimum-password-length on page 251

• set user on page 271

set authentication password-restrict

Activates password restrictions for network and administrative users.

Syntax - set authentication password-restrict {enable | disable}

• enable - Enables password restrictions on the WX.

• disable - Disables password restrictions on the WX.

Defaults - By default the password restrictions are disabled.

Access - Enabled.

History - Introduced in MSS 6.0.

Usage - When this command is enabled, the following password restrictions take effect:

Passwords must be a minimum of 10 characters in length, and a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Tre%Pag32!).

A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).

When a user changes his or her password, at least 4 characters must be different from the previous password.

When you enable the password restrictions, MSS evaluates the passwords configured on the WX switch and displays a list of users whose password does not meet the restriction on length and character types.

Examples - To enable password restrictions on the WX switch, type the following command:

WX# set authentication password-restrict enable

warning: the following users have passwords that do not have at least 2 each of upper-case letters, lower-case letters, numbers and special characters -

dan admin user1 user2 goofball dang

success: change accepted.
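The restrictions listed under Usage can be checked against candidate passwords before the restriction is enabled. The following Python sketch is an added example, not MSS code. It assumes that "special character" means any character that is not an ASCII letter or digit, and it reads "at least 4 characters must be different" as a position-by-position comparison; the page does not define either, and the user names and passwords are constructed.

```python
import string

MIN_LENGTH = 10     # "minimum of 10 characters in length"
MIN_PER_CLASS = 2   # "at least two of each" character class
MIN_CHANGED = 4     # characters that must differ from the previous password


def class_counts(password):
    """Count uppercase, lowercase, digit and special characters."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            # Assumption: everything else counts as a special character.
            counts["special"] += 1
    return counts


def changed_characters(new, old):
    """Assumed reading of the change rule: positions that differ,
    plus any difference in length."""
    differing = sum(a != b for a, b in zip(new, old))
    return differing + abs(len(new) - len(old))


def violations(password, previous=None):
    """Return the names of the restrictions the password does not meet."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    for name, count in class_counts(password).items():
        if count < MIN_PER_CLASS:
            problems.append(name)
    if previous is not None and changed_characters(password, previous) < MIN_CHANGED:
        problems.append("too-similar")
    return problems


def audit(users):
    """Map each non-compliant user to the restrictions it fails,
    similar in spirit to the warning list MSS prints."""
    report = {}
    for name, password in users.items():
        problems = violations(password)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts; Tre%Pag32! is the page's own example.
    sample = {"dan": "dan12345", "ops": "Tre%Pag32!", "guest": "password"}
    for user, problems in audit(sample).items():
        print(user, "fails:", ", ".join(problems))
```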

WX4400# set authentication proxy ssid mycorp ** srvrgrp1

See Also

• clear authentication proxy on page 218

• set radius proxy client on page 585

• set radius proxy port on page 586

set authentication web

Configures an authentication rule to allow a user to log in to the network using a web page served by the WX. The rule can be activated if the user is not otherwise granted or denied access by 802.1X, or granted access by MAC authentication.

Syntax - set authentication web {ssid ssid-name | wired} user-glob method1 [method2] [method3] [method4]

• user-glob - A single user or a set of users.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character - either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

• ssid ssid-name - SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.

• wired - Applies this authentication rule specifically to users connected to a wired authentication port.

• method1, method2, method3, method4 - At least one and up to four methods that MSS uses to handle authentication. Specify one or more of the following methods in priority order. MSS applies multiple methods in the order you enter them.

A method can be one of the following:

• local - Uses the local database of usernames and user groups on the WX switch for authentication.

• server-group-name - Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.

RADIUS servers cannot be used with the EAP-TLS protocol.

For more information, see "Usage."

Defaults - By default, authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch. Connection, authorization, and accounting are also disabled for these users.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You can configure different authentication methods for different groups of users by "globbing." (For details, see "User Globs" on page 30.)

You can configure a rule either for wireless access to an SSID, or for wired access through a WX wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.

If you specify multiple authentication methods in the set authentication web command, MSS applies them in the order in which they appear in the command, with these results:

If the first method responds with pass or fail, the evaluation is final.

If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS overrides any failed searches in the local WX database and sends an authentication request to the server group.
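The method-list evaluation described above (the same three results are stated for the admin, console, dot1x and mac rules) can be modelled as follows. This Python sketch is an added example, not MSS code: the Result values, the function names and the treatment of any name other than local or none as a RADIUS server group are assumptions, and because the page does not say what happens when no method gives a final answer, the model returns None in that case.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no response"


def is_radius_group(name):
    # Assumption: any method that is not "local" or "none" names a
    # RADIUS server group such as sg1.
    return name not in ("local", "none")


def evaluate(methods, responses):
    """Walk a method list in the order typed in the rule.

    methods   -- e.g. ["local", "sg1"]
    responses -- dict: method name -> Result that method would return;
                 a missing name is treated as NO_RESPONSE
    Returns (decision, trace); decision is None when no method gave a
    final answer, which the page leaves undefined.
    """
    trace = []
    local_then_radius = (
        len(methods) >= 2
        and methods[0] == "local"
        and is_radius_group(methods[1])
    )
    for position, name in enumerate(methods):
        result = responses.get(name, Result.NO_RESPONSE)
        trace.append((name, result))
        if result is Result.NO_RESPONSE:
            # "If the first method does not respond, MSS tries the
            # second method, and so on."
            continue
        if result is Result.FAIL and position == 0 and local_then_radius:
            # Documented exception: a failed search in the local
            # database is not final when a RADIUS group follows.
            continue
        # "If the first method responds with pass or fail, the
        # evaluation is final."
        return result, trace
    return None, trace


if __name__ == "__main__":
    # Constructed scenarios: the same two methods in both orders.
    cases = [
        (["sg1", "local"], {"sg1": Result.FAIL, "local": Result.PASS}),
        (["sg1", "local"], {"local": Result.PASS}),
        (["local", "sg1"], {"local": Result.FAIL, "sg1": Result.PASS}),
    ]
    for methods, responses in cases:
        decision, trace = evaluate(methods, responses)
        steps = ", ".join(f"{n}={r.value}" for n, r in trace)
        print(" ".join(methods), "->", decision.value if decision else None, f"({steps})")
```

The first and third scenarios show why the order matters: with the RADIUS group first, its reject is final even though the local database would accept the user; with local first, an account missing from the local database is still sent to the RADIUS group.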

MSS uses a WebAAA rule only under the following conditions:

The client is not denied access by 802.1X or does not support 802.1X.

The client MAC address does not match a MAC authentication rule.

The fallthru method is web. (For a wireless authentication rule, the fallthru method is specified by the set service-profile auth-fallthru command. For a wired authentication rule, the fallthru method is specified by the auth-fall-thru option of the set port type wired-auth command.)

Examples - The following command configures a WebAAA rule in the local WX database for SSID ourcorp and userglob rnd*:

WX4400# set authentication web ssid ourcorp rnd* local

success: change accepted.

See Also

• clear authentication proxy on page 218

• display aaa on page 229

• set authentication admin on page 239

• set authentication console on page 241

• set authentication dot1x on page 243

• set authentication mac on page 247

set location policy

Creates and enables a location policy on a WX. The location policy enables you to locally set or change authorization attributes for a user after the user is authorized by AAA, without making changes to the AAA server.

Syntax - set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | ap ap-num} [before rule-number | modify rule-number]

Syntax - set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port port-list | ap ap-num} [before rule-number | modify rule-number]

• deny - Denies access to the network to users with attributes that match the location policy rule.

• permit - Allows access to the network or to a specified VLAN, and/or assigns a particular security ACL to users with attributes matching the location policy rule.

• Action options - For a permit rule, MSS changes the attributes assigned to the user to the values specified by the following options:

• vlan vlan-name - Name of an existing VLAN to assign to users with attributes matching the location policy rule.

• inacl inacl-name - Name of an existing security ACL to apply to packets sent to the WX with attributes matching the location policy rule.

Optionally, you can add the suffix .in to the name.

• outacl outacl-name - Name of an existing security ACL to apply to packets sent from the WX with attributes matching the location policy rule.

Optionally, you can add the suffix .out to the name.

• Condition options - MSS takes the action specified by the rule if all conditions in the rule are met. You can specify one or more of the following conditions:

• ssid operator ssid-name - SSID with which the user is associated. The operator must be eq, which applies the location policy rule to all users associated with the SSID. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.

• vlan operator vlan-glob - VLAN-Name attribute assigned by AAA and condition that determines if the location policy rule applies. Replace operator with one of the following operands:

• eq - Applies the location policy rule to all users assigned VLAN names matching vlan-glob.

• neq - Applies the location policy rule to all users assigned VLAN names not matching vlan-glob.

For vlan-glob, specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "VLAN Globs" on page 32.)

• user operator user-glob - Username and condition that determines if the location policy rule applies. Replace operator with one of the following operands:

• eq - Applies the location policy rule to all usernames matching user-glob.

• neq - Applies the location policy rule to all usernames not matching user-glob.

For user-glob, specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

• before rule-number - Inserts the new location policy rule in front of another rule in the location policy. Specify the number of the existing location policy rule. (To determine the number, use the display location policy command.)

• modify rule-number - Replaces the rule in the location policy with the new rule. Specify the number of the existing location policy rule. (To determine the number, use the display location policy command.)

• port port-list - List of physical port(s) that determines if the location policy rule applies.

Defaults - By default, users are permitted VLAN access and assigned security ACLs according to the VLAN-Name and Filter-Id attributes applied to the users during normal authentication and authorization.

Access - Enabled.

History - Introduced in MSS Version 3.0. SSID option added in MSS Version 3.2.

Usage - Only a single location policy is allowed per WX switch. Once configured, the location policy becomes effective immediately. To disable location policy operation, use the clear location policy command.

Conditions within a rule are AND'ed. All conditions in the rule must match for MSS to take the specified action. If the location policy contains multiple rules, MSS compares the user information to the rules one at a time, in the order the rules appear in the WX configuration file, beginning with the rule at the top of the list. MSS continues comparing until a user matches all conditions in a rule or until there are no more rules.

The order of rules in the location policy is important to ensure users are properly granted or denied access. To position rules within the location policy, use before rule-number and modify rule-number in the set location policy command, and the clear location policy rule-number command.


When applying security ACLs:

Use inacl inacl-name to filter traffic that enters the WX from users via a MAP access port or wired authentication port, or from the network via a network port.

Use outacl outacl-name to filter traffic sent from the switch to users via a MAP access port or wired authentication port, or from the network via a network port.

You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they match the names of security ACLs stored in the local WX database.

Examples - The following command denies network access to all users at *.theirfirm.com, causing them to fail authorization:

WX4400# set location policy deny if user eq *.theirfirm.com

The following command authorizes access to the guest_1 VLAN for all users who are not at *.wodefirm.com:

WX4400# set location policy permit vlan guest_1 if user neq *.wodefirm.com

The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead, and applies the security ACL tac_24 to the traffic they receive:

WX4400# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com

The following command authorizes access to users on VLANs with names matching bld4.* and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:

WX4400# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*

The following command authorizes users entering the network on WX ports 1 and 2 to use the floor2 VLAN, overriding any settings from AAA:

WX4400# set location policy permit vlan floor2 if port 1-2
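Because MSS stops at the first rule whose conditions all match, the order of the rules above decides what a user receives. The following Python model is an added example, not MSS code. It assumes that a single asterisk matches any run of characters that contains no delimiter (@ or .) and that a double asterisk matches everything (the glob details are on page 30, outside this section); the rule tuples, session fields and user names are constructed for illustration.

```python
import re


def glob_match(glob, value):
    """Assumed glob semantics: ** matches anything, * matches a run of
    characters that contains neither @ nor a period."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^@.]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.fullmatch("".join(parts), value) is not None


def ports(port_list):
    """Expand a port list such as "1-2" or "1,3-4" into a set."""
    result = set()
    for chunk in port_list.split(","):
        low, _, high = chunk.partition("-")
        result.update(range(int(low), int(high or low) + 1))
    return result


def condition_met(condition, session):
    field, operator, pattern = condition
    if field == "port":
        return session["port"] in ports(pattern)
    if field == "ssid":
        # The page allows only eq and no wildcards for SSIDs.
        return session.get("ssid") == pattern
    hit = glob_match(pattern, session[field])  # field is "user" or "vlan"
    return hit if operator == "eq" else not hit


def apply_policy(rules, session):
    """Return (rule number, resulting session). The session is None when
    a deny rule matched; rule number is None when no rule matched and the
    AAA-assigned attributes stay as they were."""
    for number, (action, changes, conditions) in enumerate(rules, start=1):
        # Conditions within a rule are ANDed; the first full match wins.
        if all(condition_met(c, session) for c in conditions):
            if action == "deny":
                return number, None
            return number, {**session, **changes}
    return None, dict(session)


# Four of the page's example commands, as constructed rule tuples.
DENY_THEIRFIRM = ("deny", {}, [("user", "eq", "*.theirfirm.com")])
GUEST_UNLESS_WODEFIRM = ("permit", {"vlan": "guest_1"}, [("user", "neq", "*.wodefirm.com")])
NY_TO_TAC = ("permit", {"vlan": "bld4.tac", "outacl": "tac_24"}, [("user", "eq", "*.ny.ourfirm.com")])
PORTS_TO_FLOOR2 = ("permit", {"vlan": "floor2"}, [("port", None, "1-2")])

PAGE_ORDER = [DENY_THEIRFIRM, GUEST_UNLESS_WODEFIRM, NY_TO_TAC, PORTS_TO_FLOOR2]
# Same rules with the specific permit placed before the broad neq rule,
# the kind of positioning the "before rule-number" option is for.
REORDERED = [DENY_THEIRFIRM, NY_TO_TAC, GUEST_UNLESS_WODEFIRM, PORTS_TO_FLOOR2]

if __name__ == "__main__":
    ann = {"user": "ann.ny.ourfirm.com", "vlan": "default", "port": 3}
    print("page order:", apply_policy(PAGE_ORDER, ann))
    print("reordered: ", apply_policy(REORDERED, ann))
```

In the page order, the broad neq rule matches the ny.ourfirm.com user first, so the more specific VLAN and ACL assignment is never reached.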

Syntax - set mac-user mac-addr [group group-name]

• mac-addr - MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

• group-name - Name of an existing MAC user group.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - MSS does not require MAC users to belong to user groups.

Users authenticated by MAC address are authenticated only for network access through the WX. MSS does not support passwords for MAC users.

Examples - The following command creates a user profile for a user at MAC address 01:02:03:04:05:06 and assigns the user to the eastcoasters user group:

WX4400# set mac-user 01:02:03:04:05:06 group eastcoasters

success: change accepted.

See Also

• clear mac-user on page 220

• display aaa on page 229

set mac-user attr

Assigns an authorization attribute in the local database on the WX to a user authenticating with a MAC address.

(To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)

Syntax - set mac-user mac-addr attr attribute-name value

• mac-addr - MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

• attribute-name value - Name and value of an attribute used to authorize a MAC user for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to local users, see Table 44.

Table 44 Authentication Attributes for Local Users

You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-of-day.


Date and time, in the following format:

YY/MM/DD-HH:MM

You can use start-date alone or with end-date. You also can use start-date, end-date, or both in conjunction with time-of-day.


time-of-day

(network access mode only)

Day(s) and time(s) during which the user is permitted to log into the network.

After authorization, the user session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.

One of the following:

• never - Access is always denied.

• any - Access is always allowed.

• al - Access is always allowed.

• One or more ranges of values that consist of one of the following day designations (required), and a time range in hhmm-hhmm 4-digit 24-hour format (optional):

mo - Monday, tu - Tuesday, we - Wednesday, th - Thursday, fr - Friday, sa - Saturday, su - Sunday

wk - Any day between Monday and Friday

Separate values or a series of ranges (except time ranges) with commas (,) or a vertical bar (|). Do not use spaces.

The maximum number of characters is 253.

For example, to allow access only on Tuesdays and Thursdays between 10 a.m. and 4 p.m., specify the following:

time-of-day tu1000-1600,th1000-1600

To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify the following:

time-of-day wk0900-1700,sa2200-0200

(Also see the examples for set user attr on page 273.)

You can use time-of-day in conjunction with start-date, end-date, or both.


to use the standard RADIUS attribute Tunnel-Pvt-Group-ID, instead of VLAN-Name.

acct-interim-interval

Interval in seconds between accounting updates, if start-stop accounting mode is enabled.

Number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates.

The WX ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.

If both a RADIUS server and the WX supply a value for the acct-interim-interval attribute, then the value from the WX takes precedence.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To change the value of an attribute, enter set mac-user attr with the new value. To delete an attribute, use clear mac-user attr.

You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group the MAC user is in, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is sooner than the start-date configured for the MAC user group the user is in, the MAC user's network access can begin as soon as the user start-date. The MAC user does not need to wait for the MAC user group's start date.

Examples - The following command assigns input access control list (ACL) acl-03 to filter packets from a user at MAC address 01:02:03:04:05:06:

WX4400# set mac-user 01:02:03:04:05:06 attr filter-id acl-03.in

success: change accepted.

The following command restricts a user at MAC address 06:05:04:03:02:01 to network access between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:

WX4400# set mac-user 06:05:04:03:02:01 attr time-of-day mo1900-1159,tu0000-0700,we1900-1159,th0000-0700

success: change accepted.
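A time-of-day value can be checked offline before it is assigned to a user. The following Python parser for the format described in Table 44 is an added example, not MSS code. It assumes that a range whose end is earlier than its start carries over midnight into the next day (as the page's Saturday 10 p.m. to 2 a.m. example implies), that the end time itself is excluded, and that only the single-day designations and wk are used; the dates in the demonstration are constructed.

```python
import re
from datetime import datetime

DAY_INDEX = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
ENTRY = re.compile(r"(mo|tu|we|th|fr|sa|su|wk)(?:(\d{4})-(\d{4}))?")
FULL_DAY = 24 * 60


def to_minutes(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("not a 24-hour hhmm time: " + hhmm)
    return hours * 60 + minutes


def parse(spec):
    """Turn a time-of-day value into a list of (days, start, end)
    windows, with start and end in minutes after midnight."""
    if len(spec) > 253 or " " in spec:
        raise ValueError("at most 253 characters and no spaces")
    if spec == "never":
        return []
    if spec in ("any", "al"):
        return [(frozenset(range(7)), 0, FULL_DAY)]
    windows = []
    for entry in re.split(r"[,|]", spec):
        match = ENTRY.fullmatch(entry)
        if match is None:
            raise ValueError("unrecognised entry: " + repr(entry))
        day, start, end = match.groups()
        days = frozenset(range(5)) if day == "wk" else frozenset([DAY_INDEX[day]])
        if start is None:            # day designation without a time range
            windows.append((days, 0, FULL_DAY))
            continue
        first, last = to_minutes(start), to_minutes(end)
        if first == last:
            raise ValueError("empty time range: " + entry)
        windows.append((days, first, last))
    return windows


def permitted(spec, when):
    """True if the datetime `when` falls inside the time-of-day value."""
    now = when.hour * 60 + when.minute
    today = when.weekday()           # Monday is 0, matching DAY_INDEX
    yesterday = (today - 1) % 7
    for days, start, end in parse(spec):
        if start < end:
            if today in days and start <= now < end:
                return True
        else:
            # Assumed carry-over past midnight, e.g. sa2200-0200.
            if today in days and now >= start:
                return True
            if yesterday in days and now < end:
                return True
    return False


if __name__ == "__main__":
    spec = "wk0900-1700,sa2200-0200"   # example value from Table 44
    # Constructed check times: 8 December 2007 was a Saturday.
    for when in (datetime(2007, 12, 8, 23, 30), datetime(2007, 12, 9, 1, 30),
                 datetime(2007, 12, 9, 3, 0)):
        print(when.strftime("%a %H:%M"), permitted(spec, when))
```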

See Also

• clear mac-user attr on page 221

• display aaa on page 229

set mac-usergroup attr

Creates a user group in the local database on the WX for users authenticated by a MAC address, and assigns authorization attributes for the group.

(To configure a user group and assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)

Syntax - set mac-usergroup group-name attr attribute-name value

• group-name - Name of a MAC user group. Specify a name of up to 32 alphanumeric characters, with no spaces.

• attribute-name value - Name and value of an attribute used to authorize all MAC users in the group for a particular service or session characteristic. (For a list of authorization attributes, see Table 44 on page 262.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To change the value of an attribute, enter set mac-usergroup attr with the new value. To delete an attribute, use clear mac-usergroup attr.

You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group of the MAC user, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is earlier than the start-date configured for the MAC user group, the MAC user network access can begin as soon as the user start-date. The MAC user does not need to wait for the MAC user group start date.

Examples - The following command creates the MAC user group eastcoasters and assigns the group members to VLAN orange:

WX4400# set mac-usergroup eastcoasters attr vlan-name orange

success: change accepted.

See Also

??clear mac-usergroup attr on page 223

??display aaa on page 229

set mobility-profile 269

set mobility-profile

Creates a Mobility Profile and specifies the MAP access point and/or wired authentication ports on the WX switch through which any user assigned to the profile is allowed access.

Syntax - set mobility-profile name name {port {none | all | port-list}} | {ap {none | all | ap-num}}

• name - Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with no spaces.

• none - Prevents any user to whom this profile is assigned from accessing any MAP access point or wired authentication port on the WX switch.

• all - Allows any user to whom this profile is assigned to access all MAP access ports and wired authentication ports on the WX switch.

• port-list - List of MAP access ports or wired authentication ports through which any user assigned this profile is allowed access. The same port can be used in multiple Mobility Profile port lists.

• ap-num - List of Distributed MAP connections through which any user assigned this profile is allowed access. The same Distributed MAP can be used in multiple Mobility Profile port lists.

Defaults - No default Mobility Profile exists on the WX. If you do not assign Mobility Profile attributes, all users have access through all ports, unless denied access by other AAA servers or by access control lists (ACLs).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:

set user attr mobility-profile name
set usergroup attr mobility-profile name
set mac-user attr mobility-profile name
set mac-usergroup attr mobility-profile name

To enable the use of the Mobility Profile feature on the WX switch, use the set mobility-profile mode command.


CAUTION: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX database or RADIUS server when no Mobility Profile of that name exists on the WX.

To change the ports in a profile, use set mobility-profile again with the updated port list.

Examples - The following commands create the Mobility Profile magnolia, which restricts user access to port 2; enable the Mobility Profile feature on the WX switch; and assign the magnolia Mobility Profile to user Jose.

WX1200# set mobility-profile name magnolia port 2
success: change accepted.

WX1200# set mobility-profile mode enable
success: change accepted.

WX1200# set user Jose attr mobility-profile magnolia
success: change accepted.

The following command adds port 3 to the magnolia Mobility Profile (which is already assigned to port 2):

WX1200# set mobility-profile name magnolia port 3
success: change accepted.
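The CAUTION above means that a misspelled or deleted profile name locks the affected users out as soon as the feature is enabled. The following audit script is an added example, not part of the 3Com manual; it assumes a text file with one MSS command per line in the forms shown on this page, and it compares profile names exactly (whether MSS treats names as case-sensitive is not stated here, so case-only differences are reported separately).

```python
import re

# Constructed sample configuration, built from command forms shown on this
# page. The script assumes one command per line, as typed at the CLI.
SAMPLE_CONFIG = """\
set mobility-profile name magnolia port 2
set mobility-profile mode enable
set user Jose attr mobility-profile magnolia
set user Tamara attr mobility-profile tulip
set usergroup cardiology attr mobility-profile magnolia
set mac-usergroup eastcoasters attr vlan-name orange
set mac-user 06:05:04:03:02:01 attr mobility-profile Magnolia
"""

PROFILE_RE = re.compile(r"^set mobility-profile name (\S+) (?:port|ap) \S+")
MODE_RE = re.compile(r"^set mobility-profile mode (enable|disable)$")
ASSIGN_RE = re.compile(
    r"^set (user|usergroup|mac-user|mac-usergroup) (\S+) "
    r"attr mobility-profile (\S+)$"
)

# What a dangling reference means in each feature state, following the
# CAUTION text and the description of the disable option.
EFFECT = {
    "enable": "access denied",
    "disable": "attribute ignored",
    None: "mode not set in this config",
}


def audit_mobility_profiles(config_text):
    """Find mobility-profile attributes that name a profile the config
    never defines, and profiles that nothing refers to."""
    defined, assignments, mode = set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PROFILE_RE.match(line):
            defined.add(m.group(1))
        elif m := MODE_RE.match(line):
            mode = m.group(1)          # the last mode command wins
        elif m := ASSIGN_RE.match(line):
            assignments.append(m.groups())

    by_lower = {name.lower(): name for name in defined}
    findings = []
    for kind, principal, profile in assignments:
        if profile in defined:
            continue
        findings.append({
            "kind": kind,
            "principal": principal,
            "profile": profile,
            "effect": EFFECT[mode],
            # Set when a defined profile differs from this name only in case.
            "case_variant_of": by_lower.get(profile.lower()),
        })
    unused = sorted(defined - {profile for _, _, profile in assignments})
    return {"mode": mode, "findings": findings, "unused_profiles": unused}


if __name__ == "__main__":
    report = audit_mobility_profiles(SAMPLE_CONFIG)
    print("Mobility Profile mode:", report["mode"])
    for f in report["findings"]:
        hint = f" (case variant of {f['case_variant_of']})" if f["case_variant_of"] else ""
        print(f"{f['kind']} {f['principal']}: profile {f['profile']!r} "
              f"is not defined{hint} -> {f['effect']}")
    print("Unused profiles:", report["unused_profiles"] or "none")
```
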

See Also

• clear mobility-profile on page 224
• display mobility-profile on page 235
• set mac-user attr on page 261
• set mac-usergroup attr on page 267
• set mobility-profile mode on page 271
• set user attr on page 273
• set usergroup on page 275

set mobility-profile mode

Enables or disables the Mobility Profile feature on the WX switch.

CAUTION: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX database or RADIUS server when no Mobility Profile of that name exists on the WX.

Syntax - set mobility-profile mode {enable | disable}

• enable - Enables the use of the Mobility Profile feature on the WX.

• disable - Specifies that all Mobility Profile attributes are ignored by the WX.

• encrypted - Indicates that the password string you entered is already in its encrypted form. If you use this option, MSS does not encrypt the displayed form of the password string, and instead displays the string exactly as you entered it. If you omit this option, MSS does encrypt the displayed form of the string.

• password string - Password of up to 32 alphanumeric characters, with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Although MSS allows you to configure a user password for the special "last-resort" guest user, the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password.

Examples - The following command creates a user profile for user Nin in the local database, and assigns the password goody:

WX4400# set user Nin password goody
success: User Nin created

The following command assigns the password chey3nne to the admin user:

WX4400# set user admin password chey3nne
success: User admin created

The following command changes Nin's password from goody to 29Jan04:

WX4400# set user Nin password 29Jan04

See Also

• clear user on page 224
• display aaa on page 229

set user attr

WX4400# set user Tamara attr mobility-profile tulip
success: change accepted.

See Also

• clear user lockout on page 226
• set authentication minimum-password-length on page 251
• set authentication password-restrict on page 252
• set user on page 271

Syntax - set usergroup group-name attr attribute-name value

• group-name - Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces.

• attribute-name value - Name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to users, see Table 44 on page 262.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To change the value of an attribute, enter set usergroup attr with the new value. To delete an attribute, use clear usergroup attr.

To add a user to a group, use the command set user group.

You can assign attributes to individual users and to user groups. If attributes are configured for a user and also for the group the user is in, the attributes assigned to the individual user take precedence for that user. For example, if the start-date attribute configured for a user is sooner than the start-date configured for the user group the user is in, the user's network access can begin as soon as the user start-date. The user does not need to wait for the user group's start date.

Examples - The following command adds the user group cardiology to the local database and assigns all the group members to VLAN crimson:

WX4400# set usergroup cardiology attr vlan-name crimson
success: change accepted.

See Also

• clear usergroup on page 227
• clear usergroup attr on page 228
• display aaa on page 229

set usergroup expire-password-in

See Also

• clear user lockout on page 226
• set authentication minimum-password-length on page 251
• set authentication password-restrict on page 252
• set user on page 271

Syntax - set web-portal {enable | disable}

• enable - Enables WebAAA on the switch.

• disable - Disables WebAAA on the switch.

Defaults - Enabled.

Access - Enabled.

History - Introduced in MSS Version 3.0. Command name changed from set web-aaa to set web-portal, to match change to portal-based implementation in MSS Version 4.0.

Usage - This command disables or reenables support for WebAAA. However, WebAAA has additional configuration requirements. For information, see the "Configuring AAA for Network Users" chapter in the Wireless LAN Switch and Controller Configuration Guide.

Examples - To disable WebAAA, type the following command:

WX4400# set web-portal disable
success: change accepted.

See Also

• clear authentication proxy on page 218
• set service-profile auth-fallthru on page 434
• set user on page 271

Use Mobility Domain commands to configure and manage Mobility Domain groups.

A Mobility Domain is a system of WX switches and MAP access points working together to support a roaming user (client). One WX acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members.

3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain.

page 288

set mobility-domain member on page 284

set mobility-domain mode member seed-ip on page 286

set mobility-domain mode secondary-seed domain-name on page 287

display mobility-domain on page 281

display mobility-domain status on page 283

display mobility-domain config on page 282

display mobility-domain status on page 283

clear mobility-domain member on page 280

clear mobility-domain on page 280

set domain security on page 289

280 CHAPTER 9: MOBILITY DOMAIN COMMANDS

display mobility-domain

Examples - To display Mobility Domain status, type the following command:

Table 46 display mobility-domain Output

See Also

• clear mobility-domain on page 280
• set mobility-domain member on page 284
• set mobility-domain mode member seed-ip on page 286

display mobility-domain config

Displays the configuration of the Mobility Domain.

Syntax - display mobility-domain config

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command displays the Mobility Domain configuration:

WX# display mobility-domain config
This switch is the seed for domain dang-modo.
10.8.107.1 is a member
10.10.10.66 is a member

See Also

• clear mobility-domain on page 280
• display mobility-domain status on page 283
• set mobility-domain member on page 284

display mobility-domain status

On the seed WX, displays the Mobility Domain status and members.

Syntax - display mobility-domain status

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To display Mobility Domain status, type the following command:

WX4400# display mobility-domain status

Table 47 describes the fields in the display.

Table 47 display mobility-domain Output

See Also

• clear mobility-domain on page 280
• set mobility-domain member on page 284
• set mobility-domain mode member seed-ip on page 286

See Also

• clear mobility-domain member on page 280
• display mobility-domain config on page 282
• set mobility-domain mode seed domain-name on page 288

set mobility-domain mode member secondary seed-ip

Sets the IP address of the secondary seed WX on a nonseed WX.

Syntax - set mobility-domain mode member secondary seed-ip secondary-seed-ip-addr key hex-bytes

• secondary-seed-ip-addr - IP address of the secondary seed, in dotted decimal notation.

• key hex-bytes - Fingerprint of the public key to use for WX-WX security. Specify the key as 16 hexadecimal bytes. Use a colon between each byte, as in the following example: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 1.0.

Examples - The following command sets the current WX switch as a nonseed member of the Mobility Domain whose secondary seed has the IP address 192.168.1.8:

WX4400# set mobility-domain mode member seed-ip 192.168.1.8
mode is: member
seed IP is: 192.168.1.8

See Also

• clear mobility-domain on page 280
• display mobility-domain config on page 282

See Also

• clear mobility-domain on page 280
• display mobility-domain config on page 282

set mobility-domain mode secondary-seed domain-name

Sets the current WX as a secondary-seed device for the Mobility Domain.

Syntax - set mobility-domain mode secondary-seed domain-name mob-domain-name seed-ip primary-seed-ip-addr

• mob-domain-name - Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.

• primary-seed-ip-addr - The address of the seed device in the Mobility Domain.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 6.0.

Usage ??? You can optionally specify a secondary seed in a Mobility Domain. The secondary seed provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed becomes unavailable, the secondary seed assumes the role of the seed switch. This allows the Mobility Domain to continue functioning if the primary seed becomes unavailable.

When the primary seed switch fails, the remaining members form a Mobility Domain, with the secondary seed taking over as the primary seed switch.

If countermeasures had been in effect on the primary seed, they are stopped while the secondary seed gathers RF data from the member switches. Once the secondary seed has rebuilt the RF database, countermeasures can be restored.

VLAN tunnels (other than those between the member switches and the primary seed) continue to operate normally.

Roaming and session statistics continue to be gathered, providing that the primary seed is uninvolved with roaming.

When the primary seed is restored, it resumes its role as the primary seed switch in the Mobility Domain. The secondary seed returns to its role as a regular member of the Mobility Domain.

Examples - The following command configures this WX as the secondary seed in a Mobility Domain named Pleasanton:

WX# set mobility-domain mode secondary-seed domain-name Pleasanton
mode is: secondary-seed
domain name is: Pleasanton

See Also

• clear mobility-domain member on page 280
• display mobility-domain on page 281

set mobility-domain mode seed domain-name

Creates a Mobility Domain by setting the current WX as the seed device and naming the Mobility Domain.

Syntax - set mobility-domain mode seed domain-name mob-domain-name

• mob-domain-name - Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 4.2 increased the maximum length of mob-domain-name to 32 characters.

Usage ??? Before you use this command, the current WX must have its IP address set with the set system ip-address command. After you enter this command, all Mobility Domain traffic is sent and received from the specified IP address.

You must explicitly configure only one WX switch per domain as the seed. All other WX switches in the domain receive their Mobility Domain information from the seed.

Examples - The following command creates a Mobility Domain named Pleasanton with the current WX as the seed:

WX4400# set mobility-domain mode seed domain-name Pleasanton
mode is: seed
domain name is: Pleasanton

See Also

• clear mobility-domain member on page 280
• display mobility-domain status on page 283

set domain security

Sets mobility domain security to required (enabled) or none (disabled) on the wireless LAN switch. The command needs to be entered on each wireless LAN switch that will participate as a member of the secure mobility domain.

Syntax - set domain security {required | none}

Defaults - Mobility domain security is disabled by default.

Access - Enabled.

History - Introduced in MSS 5.0.

Usage - Domain keys for all switches must be properly configured before enabling domain security on the wireless LAN switch.

Examples - The following command enables mobility domain security on the wireless LAN switch:

WX4400# set domain security required
success: change accepted.

Use Network Domain commands to configure and manage Network Domain groups.

A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured on a WX in one Mobility Domain to establish connectivity on a WX in another Mobility Domain in the same Network Domain. The WX forwards the user traffic by creating a VLAN tunnel to a WX in the remote Mobility Domain.

In a Network Domain, one or more WX switches serve as a seed switch. At least one of the Network Domain seeds maintains a connection with each of the member WX switches in the Network Domain. The Network Domain seeds share information about the VLANs configured on their members, so that all the Network Domain seeds have a common database of VLAN information.

Network Domain Commands by Usage

This chapter presents Network Domain commands alphabetically. Use Table 48 to locate commands in this chapter based on their use.

Table 48 Network Domain Commands by Usage

292 CHAPTER 10: NETWORK DOMAIN COMMANDS

See Also

• set network-domain peer on page 299

clear network-domain seed-ip

See Also

• set network-domain mode member seed-ip on page 298

WX1200# display network-domain

Member Network Domain name: California

On a WX switch that is a Network Domain seed, information is displayed about the Network Domains of which the WX switch is a member, as well as Network Domain seeds with which the WX switch has a peer relationship. For example:

Table 49 describes the fields in the display.

Table 49 Radio-Specific Parameters

Parameter Description

Output if WX is the Network Domain Seed

See Also

• clear network-domain on page 292
• set network-domain mode member seed-ip on page 298
• set network-domain mode seed domain-name on page 300
• set network-domain peer on page 299

WX1200# set network-domain mode member seed-ip 192.168.9.254 affinity 7
success: change accepted.

set network-domain mode seed domain-name

Creates a Network Domain by setting the current WX as a seed device and naming the Network Domain.

Syntax - set network-domain mode seed domain-name net-domain-name

• net-domain-name - Name of the Network Domain. Specify between 1 and 16 characters with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.1.

Usage ??? Before you use this command, the current WX must have its IP address set with the set system ip-address command. After you enter this command, Network Domain traffic is sent and received from the specified IP address.

You can configure multiple WX switches as Network Domain seeds. If you do this, you must identify them as peers by using the set network-domain peer command.

Examples - The following command creates a Network Domain named California with the current WX as a seed:

WX1200# set network-domain mode seed domain-name California
success: change accepted.

The seed switch in a Network Domain must also be configured as a member of the Network Domain, with the specified seed IP address pointing to the seed itself.

set network-domain mode member seed-ip ip-addr [affinity num]

For example, the following command sets the current WX switch as a member of a Network Domain where the WX switch with IP address 192.168.9.254 is a seed:

WX1200# set network-domain mode member seed-ip 192.168.9.254
success: change accepted.

See Also

• clear network-domain on page 292
• display network-domain on page 296

Use MAP access point commands to configure and manage MAP access points. Be sure to do the following before using the commands:

• Define the country-specific IEEE 802.11 regulations on the WX switch. (See set system countrycode on page 61.)

• Install the MAP access point and connect it to a port on the WX switch.

• Configure a MAP as a directly connected MAP or a Distributed MAP. (See set port type ap on page 97 and set ap on page 87.)

CAUTION: Changing the system country code after MAP configuration disables MAP access points and deletes their configuration. If you change the country code on a WX, you must reconfigure all MAP access points.

MAP Access Point Commands by Usage

This chapter presents MAP access point commands alphabetically. Use the following table to locate commands in this chapter based on their use.

Table 50 Map Access Point Commands by Usage

302 CHAPTER 11: MANAGED ACCESS POINT COMMANDS


display ap connection on page 343

clear ap local-switching vlan-profile

See Also

• set vlan profile on page 127
• set ap local-switching mode on page 379
• set ap local-switching vlan-profile on page 380

Syntax - clear ap ap-number radio {1 | 2 | all}

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• radio all - All radios on the MAP.

Defaults - The clear ap radio command resets the radio to the default settings listed in Table 51 and in Table 72 on page 416.

Table 51 Radio-Specific Parameters


Number of the channel in which a radio transmits and receives traffic

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option for distributed MAPs.

Usage - When you clear a radio, MSS performs the following actions:

• Clears the transmit power, channel, and external antenna setting from the radio.

• Removes the radio from its radio profile and places the radio in the default radio profile.

This command does not affect the PoE setting.

Examples - The following command disables and resets radio 2 on the MAP access point connected to port 3:

WX1200# clear ap 3 radio 2

See Also

• set ap radio mode on page 391
• set ap radio radio-profile on page 392
• set port type ap on page 97

See Also

• display ap boot-configuration on page 342
• set ap boot-configuration ip on page 369
• set ap boot-configuration switch on page 374
• set ap boot-configuration vlan on page 375

clear ap radio load-balancing group

Removes a MAP radio from its load-balancing group.

Syntax - clear ap ap-number radio {1 | 2} load-balancing group

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - If a MAP radio has been assigned to an RF load balancing group, you can use this command to remove the MAP radio from the group.

Examples - The following command clears radio 1 on MAP 7 from the load balancing group to which it had been assigned:

WX# clear ap 7 radio 1 load-balancing group
WX#

See Also

• display load-balancing group on page 348
• set ap radio load balancing on page 389
• set load-balancing strictness on page 399
• set ap local-switching mode on page 379

clear radio-profile

Removes a radio profile or resets one of the profile's parameters to its default value.

Syntax - clear radio-profile name [parameter]

• name - Radio profile name.

• parameter - Radio profile parameter:

    • beacon-interval
    • countermeasures
    • dtim-interval
    • frag-threshold
    • max-rx-lifetime
    • max-tx-lifetime
    • preamble-length
    • rts-threshold
    • service-profile

For information about these parameters, see the set radio-profile commands that use them.

Defaults - If you reset an individual parameter, the parameter is returned to the default value listed in Table 72 on page 416.

Access - Enabled.

History - Introduced in MSS Version 3.0. The countermeasures parameter was added in Version 4.1. Version 4.2 removes the long-retry and short-retry parameters that no longer apply to radio profiles.

Usage - If you specify a parameter, the setting is reset to its default value. The settings of the other parameters are unchanged and the radio profile remains in the configuration. If you do not specify a parameter, the entire radio profile is deleted from the configuration. All radios that use this profile must be disabled before you can delete the profile.

Examples - The following commands disable the radios using radio profile rp1 and reset the beacon-interval parameter to its default value:

WX4400# set radio-profile rp1 mode disable
WX4400# clear radio-profile rp1 beacon-interval
success: change accepted.

The following commands disable the radios using radio profile rptest and remove the profile:

WX4400# set radio-profile rptest mode disable

WX4400# clear radio-profile rptest

success: change accepted.

See Also

• display radio-profile on page 350
• set ap radio radio-profile on page 392
• set radio-profile mode on page 416

clear service-profile

Removes a service profile or resets one of the profile's parameters to its default value.

Syntax - clear service-profile name [soda {agent-directory | failure-page | remediation-acl | success-page | logout-page}]

• soda agent-directory - Resets the directory for Sygate On-Demand (SODA) agent files to the default directory. By default, the directory name for SODA agent files is the same as the service profile name.

• soda failure-page - Resets the page that is loaded when a client fails the SODA agent checks. By default, the page is generated dynamically.

• soda remediation-acl - Disables use of the specified remediation ACL for the service profile. When no remediation ACL is specified, a client is disconnected from the network when it fails SODA agent checks.

• soda success-page - Resets the page loaded when a client passes the checks performed by the SODA agent. By default, the page is generated dynamically.

• soda logout-page - Resets the page loaded when a client logs out of the network. By default, the client is disconnected from the network without loading a page.

Defaults - None.

display ap arp

Examples - The following command displays ARP entries for AP 7:

WX# display ap arp 7
AP 7:

Table 52 describes the fields in this display.

Table 52 Output for display ap arp

• LOCAL - Entry for the WX MAC address. Each VLAN has one local entry for the switch MAC address.

• PERMANENT - Entry does not age out and remains in the configuration even following a reboot.

• STATIC - Entry does not age out but is removed after a reboot.

See Also

• set ap local-switching mode on page 379
• set vlan profile on page 127

display ap config

Displays global and radio-specific settings for a MAP access point.

Syntax - display ap config [port-list [radio {1 | 2}]]

• ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Shows configuration information for radio 1.

• radio 2 - Shows configuration information for radio 2. (This option does not apply to single-radio models.)

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option. Version 6.0 also added Field communication timeout, Field load-balance-enable, Field force-rebalance, Field local-switching, and Field vlan-profile.

Usage - MSS lists information separately for each MAP access point.

Examples - The following example shows configuration information for MAP 2:

WX# display ap config 2
AP 2: serial-id: 123456789, AP model: MP-372, bias: high, name: AP02
upgrade-firmware: YES
force-image-download: NO
communication timeout: 10
location:
contact:
Radio 1: type: 802.11g, mode: disabled, channel: dynamic
tx pwr: 18, profile: default
auto-tune max-power: default,
load-balance-group: ,
load-balance-enable: YES,
force-rebalance: NO,
local-switching: disabled, vlan-profile: default

Table 53 describes the fields in this display.

force-image-download State of the option to force the MAP to download its software image from the WX switch instead of loading the image that is locally stored on the MAP.

communication timeout


Table 53 Output for display ap config (continued)

See Also

• display ap connection on page 343
• display ap global on page 345
• display ap unconfigured on page 347
• display radio-profile on page 350
• set ap on page 87
• set port type ap on page 97
• set ap bias on page 367
• set ap group on page 379
• set ap name on page 381
• set ap upgrade-firmware on page 396
• set ap radio mode on page 391
• set ap radio antennatype on page 383
• set ap radio channel on page 387
• set ap radio radio-profile on page 392
• set ap radio tx-power on page 393

display ap counters

Displays MAP access point and radio statistics counters.

Syntax - display ap counters [ap-number [radio {1 | 2}]]

• ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Shows statistics counters for radio 1.

• radio 2 - Shows statistics counters for radio 2. (This option does not apply to single-radio models.)

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0. New fields added in MSS Version 4.0:

• Radio Recv Phy Err Ct
• Transmit Retries
• Radio Adjusted Tx Pwr
• Noise Floor
• 802.3 Packet Tx Ct
• 802.3 Packet Rx Ct
• No Receive Descriptor

Version 6.0 removed the dap option and added the Illegal Rates field.

Usage - To display statistics counters and other information for individual user sessions, use the display sessions network command.

Examples - The following command shows statistics counters for Distributed MAP 7:


Table 54 describes the fields in this display.

Table 54 Output for display ap counters


The counters above are global for all data rates. The counters below are for individual data rates.

If counters for lower data rates are incrementing but counters for higher data rates are not incrementing, this can indicate poor throughput. The poor throughput can be caused by interference. If the cause is not interference or the interference cannot be eliminated, you might need to relocate the MAP in order to use the higher data rates and therefore improve throughput.

Defaults - None.

Access - All.

History - Introduced in MSS Version 6.0.

Examples - The following command displays FDB entries for AP 7:

WX# display ap fdb 7

AP 7:

# = System Entry. $ = Authenticate Entry

Table 55 describes the fields in the display ap fdb output.

Table 55 Output for display ap fdb

See Also

• set ap local-switching mode on page 379
• set vlan profile on page 127

display ap qos-stats

Displays statistics for MAP forwarding queues.

Syntax - display ap qos-stats [ap-number] [clear]

• ap-number - Index value that identifies the MAP on the WX.

• clear - Clears the counters after displaying their current values.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0. Version 4.2 added the TxDrop field. Version 6.0 removed the dap option.

Usage - Repeating this command with the clear option at regular intervals allows you to monitor transmission and drop rates.

Examples - The following command shows statistics for the MAP forwarding queues on a Distributed MAP.

======================================

etherstats

Syntax ??? display ap etherstats ap-number

?? ap-number ??? Index value that identifies the MAP on the WX.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command displays Ethernet statistics for the Ethernet ports on Distributed MAP 1:

Table 57 describes the fields in this display.

Table 57 Output of display ap etherstats

display ap group

Deprecated in MSS Version 6.0. To display information about RF load balancing, see "display load-balancing group" on page 348.

Syntax - display ap mesh-links ap-number [path]

• ap-number - Index value that identifies the MAP on the WX.
• path - Displays statistics for the path of mesh services devices of which this MAP is part.

Defaults - None.

Access - All.

History - Introduced in MSS Version 6.0.

Examples - The following command displays mesh link information for AP 7:

WX# display ap mesh-links 7

AP: 7 IP-addr: 1.1.1.3

Operational Mode: Mesh-Portal Downlink Mesh-APs

-------------------------------------------------

The following command displays statistics for the path of mesh services devices that the MAP is part of:

--------------------------------------------------

0007 ---- -

Table 58 describes the fields in the display ap mesh-links output.

Table 58 Output for display ap mesh-links

See Also

• set ap boot-configuration mesh ssid on page 373
• set service-profile mesh on page 450

display ap status

Displays MAP access point and radio status information.

Syntax - display ap status [terse] [ap-number | all [radio {1 | 2}]]

• terse - Displays a brief line of essential status information for each MAP.
• ap-number - Index value that identifies the MAP on the WX.
• all - Shows status information for all directly attached MAP access points and all Distributed MAP access points configured on the switch.
• radio 1 - Shows status information for radio 1.
• radio 2 - Shows status information for radio 2. (This option does not apply to single-radio models.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. True base MAC addresses of radios are displayed in MSS Version 3.2. Previously, the base MAC address displayed for a radio was the true base MAC address plus 2. Note that a radio's base MAC address is also used as the BSSID of the first SSID configured on the radio. New option added: terse; new option added for display ap status: all; new field added: fingerprint; MAP-WX security status added to State field in MSS Version 4.0. External antenna information added after the radio state information, to indicate when an antenna has been detected and to indicate the configured antenna model number; auto flag added to indicate operational channel or power settings that are configured by RF Auto-Tuning in MSS Version 4.1. Version 4.2 added Radar Scan and Radar Detected flags to indicate when the Dynamic Frequency Selection (DFS) feature is scanning for radar or has stopped transmitting due to detected radar. The flags apply to 802.11a radios only, and only for country codes where DFS is used.

Version 6.0 removed the dap option.

Examples - The following command displays the status of a MAP access point:

WX4400# display ap status 7

Dap: 1, IP-addr: 10.2.34.56 (vlan 'vlan-corp'), MAP model: AP2750, manufacturer: 3Com, name: DAP01

fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3

====================================================

State: operational

CPU info: IBM:PPC speed=266666664 Hz version=405GPr id=0x28f10158a47f0408 ram=33554432 s/n=0332600444 hw_rev=A3

Uptime: 21 hours, 27 minutes, 51 seconds

Radio 1 type: 802.11g, state: configure succeed [Enabled] operational channel: 64 operational power: 14

base mac: 00:0b:0e:00:d2:c1

bssid1: 00:0b:0e:00:d2:94, ssid: private

The following command displays the status of a directly connected MAP:

WX# display ap status 7

AP: 7, AP model: MP-252, manufacturer 3Com, name: MP07

====================================================

State: operational (not encrypt)

CPU info: IBM:PPC speed=266666664 Hz version=405GPr, ram=33554432 s/n=0333703050 hw_rev=A3

Uptime: 503 hours, 51 minutes, 5 seconds

Radio 1 type: 802.11g, state: configure succeed [Enabled]

operational channel: 11 (Auto) operational power: 1

bssid1: 00:0b:0e:00:ca:c0, ssid: public

bssid2: 00:0b:0e:00:ca:c2, ssid: employee-net

load balance: enabled, current load: (unavailable)

RFID Reports: Inactive

Radio 2 type: 802.11a, state: configure succeed [Disabled] (Sweep mode)

operational channel: 44 (Auto) operational power: 1

bssid1: 00:0b:0e:00:ca:c1, ssid: mycorp-tkip

load balance: enabled, current load: (unavailable)

RFID Reports: Inactive


The following command uses the terse option to display brief information for MAPs:

WX# display ap status terse

Total number of entries: 120

Operational: 1, Image Downloading: 0, Unknown: 119, Other: 0

Table 59 and Table 60 describe the fields in this display.

Table 59 Output for display ap status

• Countermeasures Enabled indicates that the radio is sending countermeasures packets to combat a rogue.
• Radar Scan indicates that the radio is performing the initial channel availability check for Dynamic Frequency Selection (DFS). This state lasts during the first 60 seconds an 802.11a radio is on a new channel, during which time the radio does not transmit. If the radio does not detect any radar on the channel, the radio starts using the channel for data. If the radio does detect radar, the flag changes to Radar Detected. (See below).
• Radar Detected indicates that DFS has detected radar on the channel. When this occurs, the MAP stops transmitting on the channel for 30 minutes. If RF Auto-Tuning is enabled for channel assignment, the radio selects another channel and performs the initial channel availability check on the new channel, during which time the flag changes back to Radar Scan.

Note: Radar Scan and Radar Detected apply only to 802.11a radios, for country codes that use DFS.

This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP.

Table 60 Output for display ap status terse

Table 61 describes the fields in the display ap vlan output.

Table 61 Output for display ap vlan

See Also

• set ap local-switching mode on page 379
• set vlan profile on page 127

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.

Examples - The following command displays RF attribute information for radio 1 on the directly connected MAP access point on port 2:

Table 62 describes the fields in this display.

Table 62 Output for display auto-tune attributes

See Also

• display auto-tune neighbors on page 340
• display radio-profile on page 350
• set ap radio auto-tune max-power on page 384
• set ap radio auto-tune max-retransmissions on page 385
• set radio-profile auto-tune channel-config on page 402
• set radio-profile auto-tune channel-holddown on page 403
• set radio-profile auto-tune channel-interval on page 404
• set radio-profile auto-tune power-config on page 406
• set radio-profile auto-tune power-interval on page 407

Syntax - display auto-tune neighbors [ap ap-number [radio {1 | 2 | all}]]

• ap-number - Index value that identifies the MAP on the WX.
• radio 1 - Shows neighbor information for radio 1.
• radio 2 - Shows neighbor information for radio 2. (This option does not apply to single-radio models.)
• radio all - Shows neighbor information for both radios.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.

Usage - For simplicity, this command displays a single entry for each 3Com radio, even if the radio is supporting multiple BSSIDs. However, BSSIDs for third-party 802.11 radios are listed separately, even if a radio is supporting more than one BSSID.

Information is displayed for a radio if the radio sends beacon frames or responds to probe requests. Even if a radio's SSIDs are unadvertised, 3Com radios detect the empty beacon frames (beacon frames without SSIDs) sent by the radio, and include the radio in the neighbor list.

Examples - The following command displays neighbor information for radio 1 on the directly connected MAP access point on port 2:

Table 63 describes the fields in this display.

Table 63 Output for display auto-tune neighbors

See Also

• display auto-tune attributes on page 338
• display radio-profile on page 350
• set ap radio auto-tune max-power on page 384
• set ap radio auto-tune max-retransmissions on page 385
• set radio-profile auto-tune channel-config on page 402
• set radio-profile auto-tune channel-holddown on page 403
• set radio-profile auto-tune channel-interval on page 404
• set radio-profile auto-tune power-config on page 406
• set radio-profile auto-tune power-interval on page 407

Syntax - display ap boot-configuration ap-number

• ap-number - Index value that identifies the MAP on the WX.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.2. Version 6.0 removed the dap option, and added the following fields.

• Field Mesh
• Field Mesh SSID
• Field Mesh PSK

Examples - The following command displays static IP configuration information for Distributed MAP 1:

WX# display ap boot-configuration 1

Static Boot Configuration

AP: 7

IP Address: Disabled

VLAN Tag: Disabled

Switch: Disabled

Mesh: Disabled

IP Address:

Netmask:

Gateway:

VLAN Tag:

Switch IP:

Switch Name:

Mesh SSID:

Mesh PSK:

Table 64 describes the fields in this display.

display ap connection

Syntax - display ap connection [ap-number | serial-id serial-ID]

• ap-number - Index value that identifies the MAP on the WX.
• serial-id serial-ID - MAP access point serial ID.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.

Usage - The serial-id parameter displays the active connection for the specified Distributed MAP even if that MAP is not configured on this WX switch. If you instead use the command with the dap-num parameter or without a parameter, connection information is displayed only for Distributed MAPs that are configured on this WX switch.

This command provides information only if the Distributed MAP is configured on the switch where you use the command. The switch does not need to be the one that booted the MAP, but it must have the MAP in its configuration. Also, the switch that booted the MAP must be in the same Mobility Domain as the switch where you use the command.

If a Distributed MAP is configured on this WX switch (or another WX switch in the same Mobility Domain) but does not have an active connection, the command does not display information for the MAP. To show connection information for Distributed MAPs, use the display ap global command on one of the switches where the MAPs are configured.

Examples - The following command displays information for all Distributed MAPs configured on this WX switch that have active connections:

The following command displays connection information specifically for a Distributed MAP with serial ID M9DE48B6EAD00:

Table 65 describes the fields in this display.

Table 65 Output of display ap connection

See Also

• display ap config on page 316
• display ap global on page 345
• display ap unconfigured on page 347

display ap global

Displays connection information for Distributed MAPs configured on a WX.

Syntax - display ap global [ap-number | serial-id serial-ID]

• ap-number - Index value that identifies the MAP on the WX.
• serial-id serial-ID - MAP access point serial ID.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.

Usage - Connections are shown only for the Distributed MAPs that are configured on the WX switch from which you enter the command, and only for the Mobility Domain the switch is in.

To show information only for Distributed MAPs that have active connections, use the display ap connection command.

Examples - The following command displays configuration information for all the Distributed MAPs configured on a WX switch:

Table 66 describes the fields in this display.

Table 66 Output for display ap global

See Also

• display ap config on page 316
• display ap connection on page 343
• display ap unconfigured on page 347
• set ap on page 87
• set ap bias on page 367

Examples - The following command displays information for two Distributed MAPs that are not configured:

Table 67 describes the fields in this display.

Table 67 Output for display ap unconfigured

display load-balancing group

Syntax - display load-balancing group {group-name | all}| [ap ap-number radio {1 | 2}]}

• group-name - Name of an RF load-balancing group configured on the WX.
• all - Displays information for every load-balancing group that has a radio on this WX as a member.
• ap-number - Index value that identifies the MAP on the WX.
• radio {1 | 2} - Displays status information for a radio on a MAP. This option displays information about radios in the same group as the specified radio.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0. Version 6.0 removed the dap option.

Usage - Use this command to display information about the RF load-balancing groups configured on the WX and the individual MAP radios in the load-balancing groups.

Examples - The following command displays information about the MAP radios that are in the same group as radio 1 on MAP 3:

Radios in the same load-balancing group as: ap3/radio1

--------------------------------------------------

The following command displays information about RF load balancing group blue:

Table 57 describes the fields displayed by the display load-balancing group command.

Table 68 Output for display load-balancing group

See also

• set load-balancing strictness on page 399
• set ap radio load balancing on page 389
• set ap local-switching mode on page 379

Version 4.2 has the following changes:

• WMM enabled field renamed to QoS Mode.
• Long Retry Limit and Short Retry Limit fields moved to display service-profile output. (These options are now configurable on a service-profile basis instead of a radio-profile basis.)
• Allow 802.11g clients only field removed. (This option is now configured using the set service-profile transmit-rates command.)

Usage - MSS contains a default radio profile. 3Com recommends that you do not change this profile but instead keep the profile for reference.

Examples - The following command shows radio profile information for the default radio profile:

Table 69 describes the fields in this display.

Table 69 Output for display radio-profile

See Also

• set radio-profile active-scan on page 400
• set radio-profile auto-tune channel-config on page 402
• set radio-profile auto-tune channel-holddown on page 403
• set radio-profile auto-tune channel-interval on page 404
• set radio-profile auto-tune power-config on page 406
• set radio-profile auto-tune power-interval on page 407
• set radio-profile beacon-interval on page 409
• set radio-profile countermeasures on page 410
• set radio-profile dtim-interval on page 412
• set radio-profile frag-threshold on page 413
• set radio-profile max-rx-lifetime on page 414

• CAC mode
• CAC sessions
• User idle timeout
• Idle client probing
• Web Portal Session Timeout
• Transmit rates for 11a / 11b / 11g:
• beacon rate
• multicast rate
• mandatory rate
• standard rates
• disabled rates

Version 6.0 removed the dap option, and added these new fields:

• Client DSCP
• Mesh enabled
• Bridging enabled
• Load Balance Exempt
• Web Portal Logout
• Custom Web Portal Logout URL

11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates: 6.0,9.0,12.0,18.0,24.0, 36.0,48.0,54.0

Table 70 describes the fields in this display.


Table 70 Output for display service-profile

not have an authentication rule with a userglob that matches the username.

• last-resort - Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
• none - Denies authentication and prohibits the user from accessing the SSID.
• web-auth - Redirects the user to a web page for login to the SSID.

11a / 11b / 11g transmit rate fields

Data transmission rate settings for each radio type:

• beacon rate - Data rate of beacon frames sent by MAP radios.
• multicast rate - Data rate of multicast frames sent by MAP radios. If the rate is auto, the MAP sets the multicast rate to the highest rate that can reach all clients connected to the radio.
• mandatory rates - Set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. A client must support at least one of the mandatory rates.
• standard rates - The set of valid rates that are neither mandatory nor disabled. These rates are supported for data transmission from the MAP radios.
• disabled rates - Data transmission rates that MAP radios will not use to transmit data. (The radios will still accept frames from clients at disabled data rates.)

See Also

• set service-profile auth-dot1x on page 433
• set service-profile auth-fallthru on page 434
• set service-profile auth-psk on page 435
• set service-profile beacon on page 436
• set service-profile cac-mode on page 438
• set service-profile cac-session on page 439
• set service-profile cipher-ccmp on page 440
• set service-profile cipher-tkip on page 441
• set service-profile cipher-wep104 on page 442
• set service-profile cipher-wep40 on page 443
• set service-profile cos on page 444
• set service-profile dhcp-restrict on page 445
• set service-profile idle-client-probing on page 446
• set service-profile long-retry-count on page 449
• set service-profile no-broadcast on page 451
• set service-profile proxy-arp on page 452
• set service-profile psk-phrase on page 453
• set service-profile psk-raw on page 454
• set service-profile rsn-ie on page 455
• set service-profile shared-key-auth on page 456
• set service-profile short-retry-count on page 456
• set service-profile soda mode on page 462
• set service-profile ssid-name on page 465
• set service-profile ssid-type on page 466
• set service-profile static-cos on page 467
• set service-profile tkip-mc-time on page 466
• set service-profile transmit-rates on page 468
• set service-profile user-idle-timeout on page 471
• set service-profile web-portal-form on page 473
• set service-profile web-portal-session-timeout on page 477
• set service-profile wep active-multicast-index on page 478
• set service-profile wep active-unicast-index on page 479
• set service-profile wep key-index on page 480
• set service-profile wpa-ie on page 481

The profile uses the default radio profile by default. You can change the profile using the set ap auto radio radio-profile command. You can use set ap auto commands to change settings for the parameters listed in Table 71. (The commands are listed in the "See Also" section.)

Table 71 Configurable Profile Parameters for Distributed MAPs

Examples - The following command creates a profile for automatic Distributed MAP configuration:

WX1200# set ap auto

success: change accepted.

See Also

• set ap auto mode on page 366
• set ap auto persistent on page 364
• set ap auto radiotype on page 365
• set ap bias on page 367
• set ap blink on page 368
• set ap group on page 379
• set ap radio auto-tune max-power on page 384
• set ap radio auto-tune max-retransmissions on page 385
• set ap radio link-calibration on page 388
• set ap radio mode on page 391
• set ap radio radio-profile on page 392
• set ap upgrade-firmware on page 396

Syntax - set ap auto persistent [ap-number | all]

• ap-number - Index value that identifies the MAP on the WX.
• all - Converts the configurations of all Auto-APs being managed by the switch into permanent configurations.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.0. Version 6.0 removed the dap option.

Usage - To display the Distributed MAP numbers assigned to Auto-MAPs, use the display ap status auto command.

Examples - The following command converts the configuration of Auto-AP 10 into a permanent configuration:

WX4400# set ap auto persistent 10

success: change accepted.

See Also

• set ap auto on page 362
• set ap auto mode on page 366
• set ap auto radiotype on page 365

Defaults - The default radio type for models AP2750, MP-241, and MP-341, and for the 802.11b/g radios in other models is 802.11g in regulatory domains that support 802.11g, or 802.11b in regulatory domains that do not support 802.11g.

Access - Enabled.

History - Version 6.0 removed the dap option.

Examples - The following command sets the radio type to 802.11b:

WX4400# set dap auto radiotype 11b

success: change accepted.

See Also

• set ap auto on page 362
• set ap auto mode on page 366
• set ap auto persistent on page 364

set ap auto mode

Enables a WX profile for automatic Distributed MAP configuration.

Syntax - set ap auto mode {enable | disable}

• enable - Enables the MAP configuration profile.
• disable - Disables the MAP configuration profile.

Defaults - The MAP configuration profile is disabled by default.

Access - Enabled.

History - Introduced in MSS 4.0. Version 6.0 removed the dap option.

Usage - You must use the set ap auto command to create the profile before you can enable it.

Examples - The following command enables the profile for automatic Distributed MAP configuration:

WX4400# set ap auto mode enable

success: change accepted.

See Also

• set ap auto on page 362
• set ap auto persistent on page 364
• set ap auto radiotype on page 365
• set ap bias on page 367
• set ap blink on page 368
• set ap group on page 379
• set ap radio auto-tune max-power on page 384
• set ap radio auto-tune max-retransmissions on page 385
• set ap radio link-calibration on page 388
• set ap radio mode on page 391
• set ap radio radio-profile on page 392
• set ap upgrade-firmware on page 396

Syntax - set ap ap-number auto bias {high | low}

• ap ap-number - Index value that identifies the MAP on the WX.
• ap auto - Configures bias for the MAP configuration profile. (See set ap auto on page 362.)
• high - High bias.
• low - Low bias.

Defaults - The default bias is high.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.

Usage - High bias is preferred over low bias. Bias applies only to WX switches indirectly attached to the MAP through an intermediate Layer 2 or Layer 3 network. A MAP always attempts to boot on MAP port 1 first, and if a WX is directly attached on MAP port 1, the MAP always boots from it.

If MAP port 1 is indirectly connected to WX switches through the network, the MAP boots from the WX with the high bias for the MAP. If the bias for all connections is the same, the MAP selects the WX that has the greatest capacity to add more active MAPs. For example, if a MAP is dual homed to two WX4400 wireless LAN switches, and one of the switches has 50 active MAPs while the other WX has 60 active MAPs, the new MAP selects the WX that has only 50 active MAPs.

If the boot request on MAP port 1 fails, the MAP attempts to boot over its port 2, using the same process described above.

MAP selection of a WX is sticky. After a MAP selects a WX to boot from, the MAP continues to use that WX for its active data link even if another switch configured with high bias for the MAP becomes available.


WX4400# set ap 1 boot-configuration ip 172.16.0.42 netmask 255.255.255.0 gateway 172.16.0.20

success: change accepted.

See Also

• display ap mesh-links on page 329
• set ap boot-configuration mesh ssid on page 373
• set service-profile mesh on page 450

set ap boot-configuration mesh psk-phrase

Specifies a preshared key (PSK) phrase that a Mesh AP uses for authentication to its Mesh Portal AP.

Syntax - set ap ap-number boot-configuration mesh psk-phrase passphrase

• ap ap-number - Index value that identifies the MAP on the WX.
• passphrase - An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Use this command to configure the preshared key that a Mesh AP uses to authenticate to a Mesh Portal AP. You must connect the MAP to a WX switch and enter this command to configure the MAP for mesh services prior to deploying the Mesh AP in its final untethered location.

MSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal key to store in the WX configuration. Neither the binary number nor the passphrase itself is ever displayed in the configuration. To use PSK authentication, you must enable it and you also must enable the WPA IE.

Examples - The following command configures MAP 7 to use passphrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl" when authenticating with a Mesh Portal AP:

WX# set ap 7 boot-configuration mesh psk-phrase "1234567890123<>?=+&%

success: change accepted.

See Also

• display ap mesh-links on page 329
• set ap boot-configuration mesh ssid on page 373
• set service-profile mesh on page 450

set ap boot-configuration mesh psk-raw

Configures a raw hexadecimal preshared key (PSK) to use for authenticating a Mesh AP to a Mesh Portal AP. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.

Syntax - set ap ap-number boot-configuration mesh psk-raw hex

• ap ap-number - Index value that identifies the MAP on the WX.
• hex - A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the two-character ASCII form of each hexadecimal number.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Use this command to configure the preshared key that a Mesh AP uses to authenticate to a Mesh Portal AP. You must connect the MAP to a WX switch and enter this command to configure the MAP for mesh services prior to deploying the Mesh AP in its final untethered location.

MSS converts the hexadecimal into a 256-bit binary number for system use. MSS also stores the hexadecimal key in the WX configuration. The binary number is never displayed in the configuration. To use PSK authentication, you must enable it and you also must enable the WPA IE.

Examples - The following command configures MAP 7 to use a raw PSK to authenticate with a Mesh Portal AP:

WX# set ap 7 boot-configuration mesh psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d

success: change accepted.

See Also

• display ap mesh-links on page 329
• set ap boot-configuration mesh ssid on page 373
• set service-profile mesh on page 450
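As an added illustration (not from the 3Com documentation) of the psk-phrase and psk-raw argument formats described above, the following Python validates both inputs and derives a raw key with the standard WPA passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). That MSS applies this mapping with the mesh SSID is an assumption this page does not state, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

MIN_LEN, MAX_LEN = 8, 63      # passphrase length limits stated on this page
RAW_KEY_HEX_DIGITS = 64       # a 256-bit key written as hexadecimal digits


def validate_passphrase(passphrase):
    """Check a psk-phrase argument: 8 to 63 ASCII characters, blanks allowed."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters long")
    # Assumption: "ASCII" means printable ASCII (0x20-0x7e), as in IEEE 802.11i.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def derive_raw_psk(passphrase, ssid):
    """Return the 256-bit PSK as 64 hex digits (standard WPA mapping, assumed)."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def parse_raw_psk(text):
    """Validate a psk-raw argument and return the 32 key bytes.

    Whitespace is tolerated because a key copied from a wrapped line
    often carries a stray blank or newline."""
    compact = "".join(text.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % RAW_KEY_HEX_DIGITS, compact):
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    return bytes.fromhex(compact)


def same_key(passphrase, ssid, raw_hex):
    """True if the passphrase and SSID map to the given raw key."""
    derived = bytes.fromhex(derive_raw_psk(passphrase, ssid))
    return hmac.compare_digest(derived, parse_raw_psk(raw_hex))


if __name__ == "__main__":
    # Constructed inputs: the passphrase and SSID of the IEEE 802.11i test vector.
    print(derive_raw_psk("password", "IEEE"))
    # The SSID is the salt, so the same passphrase gives a different raw key
    # on a different mesh SSID; a psk-raw value is tied to the SSID it was made for.
    print(derive_raw_psk("password", "wlan-mesh"))
```

Because the SSID salts the derivation, a raw key computed for one mesh SSID will not match the same passphrase on another SSID.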

WX# set ap 7 boot-configuration mesh ssid wlan-mesh

success: change accepted.

• display ap mesh-links on page 329
• set ap boot-configuration mesh mode on page 370
• set service-profile mesh on page 450

WX1200# set ap 1 boot-configuration switch switch-ip 172.16.0.21 mode enable

success: change accepted.

The following command configures Distributed MAP 1 to use the WX with the name wxr2 as its boot device. The DNS server at 172.16.0.1 is used to resolve the name of the WX switch.

WX4400# set ap 1 boot-configuration switch name wxr2 dns 172.16.0.1 mode enable

success: change accepted.

See Also

• clear ap boot-configuration on page 310
• display ap boot-configuration on page 342
• set ap boot-configuration ip on page 369
• set ap boot-configuration vlan on page 375

set ap boot-configuration vlan

Specifies 802.1Q VLAN tagging information for a Distributed MAP.

Syntax - set ap ap-number boot-configuration vlan vlan-tag tag-value [mode {enable | disable}]

Syntax - set ap ap-number boot-configuration vlan mode {enable | disable}

• ap ap-number - Index value that identifies the MAP on the WX.
• vlan-tag tag-value - The VLAN tag value. You can specify a number from 1 to 4095.
• mode {enable | disable} - Enables or disables use of the specified VLAN tag on the Distributed MAP.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.2. Version 6.0 removed the dap option.

See Also

??set ap location on page 379

??display ap config on page 316

set ap fingerprint

Verifies a MAP fingerprint on a WX. If MAP-WX security is required by a WX, a MAP can establish a management session with the switch only if you have verified the MAP identity by verifying its fingerprint on the switch.

Syntax - set ap ap-number fingerprint fingerprint

• ap ap-number - Index value that identifies the MAP on the WX.

• fingerprint - The 16-digit hexadecimal number of the fingerprint. Use a colon between each digit. Make sure the fingerprint you enter matches the fingerprint used by the MAP.

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.0. Version 6.0 removed the dap option.

Usage - MAPs are configured with an encryption key pair at the factory. The fingerprint for the public key is displayed on a label on the back of the MAP, in the following format:

RSA aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa

If a MAP is already installed and operating, you can use the display ap status command to display the fingerprint. The display ap config command lists a MAP fingerprint only if the fingerprint has been verified in MSS. If the fingerprint has not been verified, the fingerprint information in the command output is blank.

Examples - The following example verifies the fingerprint for Distributed MAP 8:

WX4400# set ap 8 fingerprint b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3

success: change accepted.
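The label format and the command format above write the same value differently, so a pre-check that normalizes both and only emits set ap fingerprint commands for MAPs whose label matches what the switch reports is useful before enabling MAP-WX security. The following is an added example, not 3Com code; the two input dictionaries are constructed sample data (only MAP 8's value comes from the example above), and collecting the reported values from display ap status output is left to the operator.

```python
import re


def normalize_fingerprint(text):
    """Return a fingerprint as 16 colon-separated hex pairs (the CLI form).

    Accepts the label form ("RSA aaaa:aaaa:...", eight groups of four) and
    the CLI form ("aa:aa:...", sixteen groups of two), with stray spaces.
    """
    s = text.strip()
    if s[:3].upper() == "RSA":          # label form starts with the key type
        s = s[3:]
    digits = re.sub(r"[\s:]", "", s).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError(f"expected 32 hex digits, got {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 32, 2))


def plan_verification(labels, reported):
    """Compare label fingerprints with the ones the switch reports.

    labels:   {ap_number: text read from the label on the back of the MAP}
    reported: {ap_number: fingerprint the switch shows for that MAP}
    Returns (commands, problems): CLI lines that are safe to enter, and
    (ap_number, reason) tuples that need a person to look at the device.
    """
    commands, problems = [], []
    for ap in sorted(labels):
        if ap not in reported:
            problems.append((ap, "MAP not seen by the switch"))
            continue
        try:
            want = normalize_fingerprint(labels[ap])
            seen = normalize_fingerprint(reported[ap])
        except ValueError as exc:
            problems.append((ap, f"unparseable fingerprint: {exc}"))
            continue
        if want != seen:
            problems.append((ap, f"mismatch: label {want}, switch {seen}"))
            continue
        commands.append(f"set ap {ap} fingerprint {want}")
    # A MAP the switch sees but nobody inventoried should never be verified.
    for ap in sorted(set(reported) - set(labels)):
        problems.append((ap, "reported by the switch but not in the inventory"))
    return commands, problems


# Constructed sample data. MAP 8 uses the fingerprint from the example above.
SAMPLE_LABELS = {
    8: "RSA b4f9:2a52:3758:f4d0: 1075:432f:45c9:52c3",
    9: "RSA 0123:4567:89ab:cdef:0123:4567:89ab:cdef",
    10: "RSA 1111:2222:3333:4444:5555:6666:7777:8888",
}
SAMPLE_REPORTED = {
    8: "b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3",
    9: "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ee",   # last byte differs
    11: "aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa",  # not inventoried
}

if __name__ == "__main__":
    cmds, issues = plan_verification(SAMPLE_LABELS, SAMPLE_REPORTED)
    for line in cmds:
        print(line)
    for ap, reason in issues:
        print(f"# MAP {ap}: {reason}")
```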

See Also

• display ap config on page 316

• display ap status on page 331

• set ap security on page 395


Defaults - Forced image download is disabled by default.

Access - Enabled.

History - Version 5.0: Command introduced. Version 6.0: Option dap removed.

Usage - A change to the forced image download option takes place the next time the MAP is restarted.

Even when forced image download is disabled (the default), the MAP still checks with the WX to verify that the MAP has the latest image, and to verify that the WX is running MSS Version 5.0 or later.

The MAP loads a local image only if the WX is running MSS Version 5.0 or later and does not have a different MAP image than the one in the MAP local storage. If the WX is not running MSS Version 5.0 or later, or the WX has a different version of the MAP image than the current version on the MAP, the MAP loads an image from the WX.

Examples - The following command enables forced image download on Distributed MAP 69:

WX1200# set ap 69 force-image-download enable

success: change accepted.

See Also

• display ap config on page 316

See Also

• set ap contact on page 376

• display ap config on page 316

set ap local-switching mode

Enables local switching for a specified MAP.

Syntax - set ap ap-number local-switching mode {enable | disable}

• ap-number - Index value that identifies the MAP on the WX.

• mode {enable | disable} - Enables or disables local switching for the MAP.

Defaults - Local switching is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Local switching allows traffic for specified VLANs to be switched by the MAP itself, instead of being tunneled back to a WX. The VLANs for which local switching is performed are specified in a VLAN profile.

Local switching can be enabled on MAPs that are connected to the WX via an intermediate Layer 2 or Layer 3 network. Local switching is not supported for MAPs that are directly connected to a WX.


If local switching is enabled on an MAP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.

Examples - The following command enables local switching for MAP 7:

WX# set ap 7 local-switching mode enable

success: change accepted.

See Also

• set ap local-switching vlan-profile on page 380

• set vlan profile on page 127

set ap local-switching vlan-profile

Applies a specified VLAN profile to an MAP to use with local switching.

Syntax - set ap ap-number local-switching vlan-profile profile-name

• ap-number - Index value that identifies the MAP on the WX.

• profile-name - The name of a VLAN profile configured on the WX.

Defaults - If local switching is enabled on an MAP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.

Access - Enabled.

History - Introduced in MSS Version 6.0.

History - A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an MAP, traffic for the VLANs specified in the VLAN profile is locally switched by the MAP instead of being tunneled back to a WX.

When applying a VLAN profile causes traffic that had been tunneled to a WX to be locally switched by MAPs, or vice versa, the sessions of clients associated with the MAPs where the VLAN profile is applied are terminated, and the clients must re-associate with the MAPs.


Examples - The following command specifies that MAP 7 use VLAN profile locals:

WX# set ap 7 local-switching vlan-profile locals

success: change accepted.

See Also

• clear ap local-switching vlan-profile on page 307

• set ap local-switching mode on page 379

• set vlan profile on page 127

Syntax - set ap ap-number name name

• ap ap-number - Index value that identifies the MAP on the WX.

• name - Alphanumeric string of up to 16 characters, with no spaces.

Defaults - The default name of a directly attached MAP is based on the port number of the MAP access port attached to the MAP. For example, the default name for a MAP on MAP access port 1 is MAP01.

Access - Enabled.

History - Introduced in MSS Version 3.0. Default Distributed MAP name changed from DMPnum to DAPnum in MSS Version 4.1. Version 6.0 removed the dap option.

Examples - The following command changes the name of the MAP on port 1 to techpubs:

WX1200# set ap 1 name techpubs

success: change accepted.

See Also

• display ap config on page 316


• antenna-location - Specify antenna location.

• indoors - Specifies that the external antenna is installed indoors (inside the building).

• outdoors - Specifies that the external antenna is installed outdoors.

Defaults - The default antenna location is indoors.

Access - Enabled.

History - Introduced in MSS 5.0.

Examples - The following command sets the antenna location for radio 1 on Distributed MAP 22 to outdoors:

WX2200# set ap 22 radio 1 antenna-location outdoors

success: change accepted.

See Also

• set ap radio antennatype on page 383

set ap radio antennatype

• ANT5060-OUT - 60° 802.11a antenna

• ANT5120-OUT - 120° 802.11a antenna

• internal - uses the internal antenna instead

Defaults - All radios use the internal antenna by default, if the MAP model has an internal antenna. The MP-620 802.11b/g radio uses model ANT-1360-OUT by default. The MP-620 802.11a radio uses model ANT-5360-OUT by default. The AP 3150 802.11b/g radio uses model ANT1060 by default.

Access - Enabled.

History - Introduced in MSS Version 3.0. Model numbers added for 802.11a external antennas, and the default changed to internal (except for the AP3150) in MSS Version 3.2. Model numbers added for MP-620 external antennas.

Examples - The following command configures the 802.11b/g radio on Distributed MAP 1 to use antenna model ANT1060:

WX4400# set ap 1 radio 1 antennatype ANT1060

success: change accepted.

See Also

• display ap config on page 316

set ap radio auto-tune max-power

Sets the maximum power that RF Auto-Tuning can set on a radio.

Syntax - set {ap ap-number auto} radio {1 | 2} auto-tune max-power power-level

• ap ap-number - Index value that identifies the MAP on the WX.

• ap auto - Sets the maximum power for radios configured by the MAP configuration profile. (See set ap auto on page 362.)

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• power-level - Maximum power setting RF Auto-Tuning can assign to the radio, expressed as the number of decibels in relation to 1 milliwatt (dBm). You can specify a value from 1 up to the maximum value allowed for the country of operation.

The power-level can be a value from 1 to 20.


Defaults - The default maximum power setting that RF Auto-Tuning can set on a radio is the highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile.

Examples - The following command sets the maximum power that RF Auto-Tuning can set on radio 1 on the MAP access point on port 6 to 12 dBm.

WX1200# set ap 7 radio 1 auto-tune max-power 12

success: change accepted.

See Also

• set ap radio auto-tune max-retransmissions on page 385

• set radio-profile auto-tune power-config on page 406

• set radio-profile auto-tune power-interval on page 407

set ap radio auto-tune max-retransmissions

Sets the maximum percentage of client retransmissions a radio can experience before RF Auto-Tuning considers changing the channel on the radio. A high percentage of retransmissions is a symptom of interference on the channel.

Syntax - set {ap ap-number auto} radio {1 | 2} auto-tune max-retransmissions retransmissions

• ap ap-number - Index value that identifies the MAP on the WX.

• ap auto - Sets the maximum retransmissions for radios configured by the MAP configuration profile. (See set ap auto on page 362.)

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• retransmissions - Percentage of packets that can result in retransmissions without resulting in a channel change. You can specify from 1 to 100.


Defaults - The default is 10 percent.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.

Usage - A retransmission is a packet sent from a client to a MAP radio that the radio receives more than once. This can occur when the client does not receive an 802.11 acknowledgement for a packet sent to the radio.

If the radio receives only a single copy of a packet that is transmitted multiple times by a client, the packet is not counted by the radio as a retransmission. For example, if a packet is corrupted and the radio does not receive it, but the second copy of the packet does reach the radio, the radio does not count the packet as a retransmission since the radio received only one recognizable copy of the packet.

The interval is 1000 packets. If more than the specified percentage of packets within a group of 1000 packets received by the radio are retransmissions, the radio increases power.

When the percentage of retransmissions exceeds the max-retransmissions threshold, the radio does not immediately increase power. Instead, if the data rate at which the radio is sending packets to the client is above the minimum data rate allowed, the radio lowers the data rate by one setting. If the retransmissions still exceed the maximum allowed, the radio continues to lower the data rate, one setting at a time, until either the retransmissions fall within the allowed percentile or the minimum allowed data rate is reached.

If the retransmissions still exceed the threshold after the minimum allowed data rate is reached, the radio increases power by 1 dBm. The radio continues increasing the power in 1 dBm increments until the retransmissions fall below the threshold.

After the retransmissions fall below the threshold, the radio reduces power by 1 dBm. As long as retransmissions remain below the threshold, the radio continues reducing power in 1 dBm increments until it returns to its default power level.
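The order of responses described in this Usage section (lower the data rate first, then raise power, then step power back down) can be traced with a small model. This is an added example, not MSS code: the rate ladder is constructed sample data, the starting power of 10 dBm and ceiling of 12 dBm reuse values from examples in this chapter, treating the max-power setting as the ceiling is an assumption, and because the text does not say when data rates are raised again the model leaves them where they are.

```python
from dataclasses import dataclass

WINDOW = 1000  # packets per evaluation group, as stated in the Usage text


@dataclass
class Radio:
    rates: tuple            # allowed data rates in Mbps, lowest first (sample)
    rate_idx: int           # index of the rate currently in use
    power: int              # current transmit power in dBm
    default_power: int      # power level the radio returns to
    max_power: int          # assumption: ceiling set by auto-tune max-power
    threshold_pct: int = 10  # max-retransmissions default


def evaluate(radio, retransmitted):
    """Apply one window of WINDOW packets and return the action taken."""
    pct = 100 * retransmitted / WINDOW
    if pct > radio.threshold_pct:
        # Above the threshold: step the data rate down before touching power.
        if radio.rate_idx > 0:
            radio.rate_idx -= 1
            return "lower-rate"
        # Already at the minimum allowed rate: add 1 dBm per window.
        if radio.power < radio.max_power:
            radio.power += 1
            return "raise-power"
        return "at-limit"
    # At or below the threshold: walk power back toward the default.
    if radio.power > radio.default_power:
        radio.power -= 1
        return "lower-power"
    return "steady"


def trace(radio, windows):
    """Run successive windows; return (retransmitted, action, Mbps, dBm) rows."""
    rows = []
    for count in windows:
        action = evaluate(radio, count)
        rows.append((count, action, radio.rates[radio.rate_idx], radio.power))
    return rows


if __name__ == "__main__":
    sample = Radio(rates=(6, 12, 24), rate_idx=2, power=10,
                   default_power=10, max_power=12)
    # Constructed sequence: sustained 15% retransmissions, then recovery.
    for row in trace(sample, [150, 150, 150, 150, 150, 100, 50, 50]):
        print("%4d retransmitted -> %-11s rate=%s Mbps power=%s dBm" % row)
```

A window with exactly 10 percent retransmissions does not trigger a response, because the text requires more than the specified percentage.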

set ap radio channel

• channel channel-number - Channel number. The valid channel numbers depend on the country of operation.

Defaults - The default channel depends on the radio type:

• The default channel number for 802.11b/g is 6.

• The default channel number for 802.11a is the lowest valid channel number for the country of operation.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.


Usage - You can configure the transmit power of a radio on the same command line. Use the tx-power option.

This command is not valid if dynamic channel tuning (RF Auto-Tuning) is enabled.

Examples - The following command configures the channel on the 802.11a radio on the MAP access point connected to port 5:

WX1200# set ap 5 radio 1 channel 36

success: change accepted.

The following command configures the channel and transmit power on the 802.11b/g radio on the MAP access point connected to port 1:

WX1200# set ap 1 radio 1 channel 1 tx-power 10

success: change accepted.

See Also

• display ap config on page 316

• set ap radio tx-power on page 393

Syntax - set ap ap-number radio {1 | 2} link-calibration mode {enable | disable}

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• mode enable - Enables link calibration packets for the MAP radio.

• mode disable - Disables link calibration packets for the MAP radio.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 6.0.


Usage - A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on an MAP, link calibration packets are sent at a rate of 5 per second.

The MP-620 is equipped with a connector to which an external RSSI meter can be attached during installation. When an RSSI meter is attached to an MP-620 and a calibration packet is received, the MP-620 emits a voltage to the RSSI meter proportional to the received signal strength of the packet. This can aid in positioning the MP-620 where it has a strong signal to the Mesh Portal AP.

Only one radio on an MAP can be configured to send link calibration packets. Link calibration packets are intended to be used only during installation of MAPs; they are not intended to be enabled on a continual basis.

Examples - The following command enables link calibration packets for MAP radio 1 on MAP 7:

WX# set ap 7 radio 1 link-calibration mode enable

WX#

See Also

• display ap mesh-links on page 329

• set ap boot-configuration mesh ssid on page 373

• set service-profile mesh on page 450

set ap radio load balancing

Disables or enables RF load balancing for an MAP radio.

Syntax - set ap ap-number radio {1 | 2} load-balancing {enable | disable}

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• enable - Enables link calibration packets for the MAP radio.

• disable - Disables link calibration packets for the MAP radio.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - By default, RF load balancing is enabled on all MAP radios. Use this command to disable or re-enable RF load balancing for the specified MAP radio.

RF load balancing can also be disabled or re-enabled globally with the set load-balancing mode command. If RF load balancing has been enabled or disabled for a specific MAP radio, then the setting for the individual radio takes precedence over the global setting.

Examples - The following command disables RF load balancing for MAP radio 1 on MAP 7:

WX# set ap 7 radio 1 load-balancing disable

WX#

See Also

• set load-balancing strictness on page 399

• clear ap radio load-balancing group on page 311

• set ap local-switching mode on page 379

• display load-balancing group on page 348

set ap radio load balancing group

Assigns an MAP radio to a load balancing group.

Syntax - set ap ap-number radio {1 | 2} load-balancing group name [rebalance]

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• group name - Name of an RF load balancing group to which the MAP radio is assigned. A radio can belong to only one group.

• rebalance - Configures the MAP radio to disassociate its client sessions and rebalance them whenever a new MAP radio is added to the load balancing group.

Defaults - By default, MAP radios are not part of an RF load balancing group.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. MSS attempts to distribute client sessions across radios in the load balancing group evenly. A radio can be assigned to only one group.

Examples - The following command assigns MAP radio 1 on MAP 7 to load balancing group room1:

WX# set ap 7 radio 1 load-balancing group room1

WX#

See Also

• clear ap radio load-balancing group on page 311

• display load-balancing group on page 348

• set load-balancing strictness on page 399

• set ap local-switching mode on page 379

set ap radio mode

Enables or disables a radio on a MAP access point.

Syntax - set ap {ap-number | auto} radio {1 | 2} mode {enable | disable}

• ap ap-number - Index value that identifies the MAP on the WX.

• radio 1 - Radio 1 of the MAP.

• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

• mode enable - Enables a radio.

• mode disable - Disables a radio.

Defaults - MAP access point radios are disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.

Usage - To enable or disable one or more radios to which a profile is assigned, use the set ap radio radio-profile command. To enable or disable all radios that use a specific radio profile, use the set radio-profile command.

Examples - The following command enables radio 1 on MAP 1:

WX1200# set ap 1 radio 1 mode enable

success: change accepted.

The following command enables radio 2 on MAP 1:

WX1200# set ap 1 radio 2 mode enable

success: change accepted.

See Also

• clear ap radio on page 308

• display ap config on page 316

• set ap radio radio-profile on page 392

• set radio-profile mode on page 416


• radio-profile name - Radio profile name of up to 16 alphanumeric characters, with no spaces.

• mode enable - Enables radios on the specified ports with the parameter settings in the specified radio profile.

• mode disable - Disables radios on the specified ports.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option auto added for configuration of the MAP configuration profile. Version 6.0 removed the dap option.

Usage - When you create a new profile, the radio parameters in the profile are set to their factory default values.

To enable or disable all radios using a specific radio profile, use set radio-profile.

Examples - The following command enables radio 1 on MAP 5 assigned to radio profile rp1:

WX1200# set ap 5 radio 1 radio-profile rp1 mode enable

success: change accepted.

See Also

• clear ap radio on page 308

• display radio-profile on page 350

• set ap radio mode on page 391

• set radio-profile mode on page 416


• tx-power power-level - Number of decibels in relation to 1 milliwatt (dBm). The valid values depend on the country of operation.

The maximum transmit power you can configure on any 3Com radio is the maximum allowed for the country in which you plan to operate the radio or one of the following values if that value is less than the country maximum: on an 802.11a radio, 11 dBm for channel numbers less than or equal to 64, or 10 dBm for channel numbers greater than 64; on an 802.11b/g radio, 16 dBm for all valid channel numbers for 802.11b, or 14 dBm for all valid channel numbers for 802.11g.

Defaults - The default transmit power on all MAP radio types is the highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 6.0 removed the dap option.

Usage - You also can configure a radio channel on the same command line. Use the channel option.

This command is not valid if dynamic power tuning (RF Auto-Tuning) is enabled.

Examples - The following command configures the transmit power on the 802.11a radio on the MAP access point connected to port 5:

WX1200# set ap 5 radio 1 tx-power 10

success: change accepted.

The following command configures the channel and transmit power on the 802.11b/g radio on the MAP access point connected to port 1:

WX1200# set ap 1 radio 1 channel 1 tx-power 10

success: change accepted.

See Also

• display ap config on page 316

• set ap radio channel on page 387

set ap security

See Also

• display ap config on page 316


set band-preference

Configures MSS to steer clients that support both the 802.11a and 802.11b/g radio bands to a specific radio on an MAP for the purpose of RF load balancing.

Syntax - set band-preference {none | 11bg | 11a}

• none - When a client supports both 802.11a and 802.11b/g radio bands, does not steer the client to a specific MAP radio.

• enable - When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11b/g radio.

• disable - When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11a radio.

Defaults - By default, clients are not steered to specific MAP radios for RF load balancing.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Use this command to steer clients that support both the 802.11a and 802.11b/g bands to a specific radio on an MAP for the purpose of load balancing. This global "band-preference" option controls the degree that an MAP with two radios attempts to conceal one of its radios from a client with the purpose of steering the client to the other radio.

Examples - The following command steers clients that support both the 802.11a and 802.11b/g bands to the 802.11a radio on an MAP:

WX# set band-preference 11a

WX#

See Also

• display load-balancing group on page 348

• set load-balancing mode on page 398

• set load-balancing strictness on page 399

• set ap radio load balancing on page 389


set load-balancing mode

Disables or reenables RF load balancing globally on the WX.

Syntax - set load-balancing mode {enable | disable}

• enable - Enables RF load balancing globally on the WX.

• disable - Disables RF load balancing globally on the WX.

Defaults - RF load balancing is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - By default, RF load balancing is enabled on all MAP radios. Use this command to disable or re-enable RF load balancing globally for all MAP radios managed by the WX.

If RF load balancing has been enabled or disabled for a specific MAP radio, then the setting for the individual radio takes precedence over the global setting.

Examples - The following command globally disables RF load balancing for all MAP radios managed by the WX switch:

WX# set load-balancing mode disable

WX#

See Also

• display load-balancing group on page 348

• set load-balancing strictness on page 399

• set band-preference on page 397

• set ap radio load balancing on page 389

set load-balancing strictness

At the other end of the spectrum, when max strictness is specified, if an MAP radio has reached its maximum client load, MSS makes it invisible to new clients, causing them to attempt to connect to other MAP radios. In the event that all the MAP radios in the group have reached their maximum client load, then no new clients would be able to connect to the network.

Examples - The following command sets the RF load balancing strictness to the maximum setting:

WX# set load-balancing strictness max

Success: strictness set to "MAX"

See Also

• display load-balancing group on page 348

• set load-balancing mode on page 398

• set band-preference on page 397

• set ap radio load balancing on page 389

set radio-profile active-scan

Disables or reenables active RF detection scanning on the MAP radios managed by a radio profile. When active scanning is enabled, MAP radios look for rogue devices by sending probe any requests (probe requests with a null SSID name), to solicit probe responses from other access points.

Passive scanning is always enabled and cannot be disabled. During passive scanning, radios look for rogues by listening for beacons and probe responses.

Syntax - set radio-profile name active-scan {enable | disable}

• name - Radio profile name.

• enable - Configures radios to actively scan for rogues.

• disable - Configures radios to scan only passively for rogues by listening for beacons and probe responses.

Defaults - Active scanning is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - You can enter this command on any WX in the Mobility Domain. The command takes effect only on that WX.

Examples - The following command disables active scan in radio profile radprof3:

wx4400# set radio-profile radprof3 active-scan disable

success: change accepted.

See Also

• display radio-profile on page 350

set radio-profile auto-tune 11a-channel-range

When configured, the MAP 802.11a radio selects a channel from a limited range of available channels or all available channels.

Syntax - set radio-profile name auto-tune 11a-channel-range {lower-bands | all-bands}

• name - The name of the radio profile to configure the 802.11a channel range.

• lower-bands - Only the lower channels are available for the 802.11a radio: 36, 40, 44, 48, 52, 56, 60, or 64.

• all-bands - All 802.11a channels are available for the 802.11a radio: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, and 161.

Defaults - None

Access - Enabled

History - Version 6.0: Command introduced.

Usage - Improves the 802.11a radio usage on the network.


Examples - The following command enables the 802.11a radio to select any available channel in the 802.11a range:

WX1200# set radio-profile test auto-tune 11a-channel-range all-bands

success: change accepted.

set radio-profile auto-tune channel-config

Disables or reenables dynamic channel tuning (RF Auto-Tuning) for the MAP radios in a radio profile.

Syntax - set radio-profile name auto-tune channel-config {enable | disable} [ignore-clients]

• name - Radio profile name.

• enable - Configures radios to dynamically select their channels when the radios are started.

• disable - Configures radios to use their statically assigned channels, or the default channels if unassigned, when the radios are started.

• ignore-clients - Configures radios to change channels regardless of client status. Without this option, a radio changes the channel only if the radio does not have any active clients on that channel.

Defaults - Dynamic channel assignment is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0. No-client changed to ignore-clients in MSS Version 6.0.

Usage - If you disable RF Auto-Tuning for channels, MSS does not dynamically set the channels when radios are first enabled and also does not tune the channels during operation.

If RF Auto-Tuning for channels is enabled, MSS does not allow you to manually change channels.

RF Auto-Tuning of channels on 802.11a radios uses only the bottom eight channels in the band (36, 40, 44, 48, 52, 56, 60, and 64). To use a higher channel number, you must disable RF Auto-Tuning of channels on the radio profile the radio is in, and use the set ap radio channel command to statically configure the channel.


Examples - The following command disables dynamic channel tuning for radios in the rp2 radio profile:

WX4400# set radio-profile rp2 auto-tune channel-config disable

success: change accepted.

See Also

• display radio-profile on page 350

• set ap radio channel on page 387

• set radio-profile auto-tune channel-holddown on page 403

• set radio-profile auto-tune channel-interval on page 404

• set radio-profile auto-tune power-config on page 406

set radio-profile auto-tune channel-holddown

Sets the minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto-Tuning can change the channel. The channel holddown provides additional stability to the network by preventing the radio from changing channels too rapidly in response to spurious RF anomalies such as short-duration channel interference.

Syntax - set radio-profile name auto-tune channel-holddown holddown

• name - Radio profile name.

• holddown - Minimum number of seconds a radio must remain on its current channel setting before RF Auto-Tuning is allowed to change the channel. You can specify from 0 to 65535 seconds.

Defaults - The default RF Auto-Tuning channel holddown is 900 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The channel holddown applies even if RF anomalies occur that normally cause an immediate channel change.


Examples - The following command changes the channel holddown for radios in radio profile rp2 to 600 seconds:

WX4400# set radio-profile rp2 auto-tune channel-holddown 600

success: change accepted.

See Also

• display radio-profile on page 350

• set radio-profile auto-tune channel-config on page 402

• set radio-profile auto-tune channel-lockdown on page 405

set radio-profile auto-tune channel-interval

Sets the interval at which RF Auto-Tuning decides whether to change the channels on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio channels if needed.

Syntax - set radio-profile name auto-tune channel-interval seconds

• name - Radio profile name.

• seconds - Number of seconds RF Auto-Tuning waits before changing radio channels to adjust to RF changes, if needed. You can specify from 0 to 65535 seconds.

Defaults - The default channel interval is 3600 seconds (one hour).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - 3Com recommends that you use an interval of at least 300 seconds (5 minutes).

RF Auto-Tuning can change a radio's channel before the channel interval expires in response to RF anomalies. Even in this case, channel changes cannot occur more frequently than the channel holddown interval.

If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel in response to RF anomalies.


Examples - The following command sets the channel interval for radios in radio profile rp2 to 2700 seconds (45 minutes):

WX4400# set radio-profile rp2 auto-tune channel-interval 2700

success: change accepted.

See Also

• display radio-profile on page 350

• set radio-profile auto-tune channel-config on page 402

• set radio-profile auto-tune channel-holddown on page 403

set radio-profile auto-tune channel-lockdown

Locks down the current channel settings on all radios in a radio profile.

The channel settings that are in effect when the command is entered are changed into statically configured channel assignments on the radios. RF Auto-Tuning of channels is then disabled in the radio profile.

Syntax - set radio-profile name auto-tune channel-lockdown

- name - Radio profile name.

Defaults - By default, when RF Auto-Tuning of channels is enabled, channels continue to be changed dynamically based on network conditions.

Access - Enabled.

History - Introduced in MSS Version 5.0.

Usage - To save this command and the static channel configuration commands created when you enter this command, save the configuration.


Examples - The following command locks down the channel settings for radios in radio profile rp2:

WX# set radio-profile rp2 auto-tune channel-lockdown

success: change accepted

See Also

- display radio-profile on page 350

- set radio-profile auto-tune channel-config on page 402

- set radio-profile auto-tune channel-holddown on page 403

- set radio-profile auto-tune channel-interval on page 404

set radio-profile auto-tune power-config

Enables or disables dynamic power tuning (RF Auto-Tuning) for the MAP radios in a radio profile.

Syntax - set radio-profile name auto-tune power-config {enable | disable}

- name - Radio profile name.

- enable - Configures radios to dynamically set their power levels when the MAPs are started.

- disable - Configures radios to use their statically assigned power levels, or the default power levels if unassigned, when the radios are started.

Defaults - Dynamic power assignment is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - When RF Auto-Tuning for power is disabled, MSS does not dynamically set the power levels when radios are first enabled and also does not tune power during operation with associated clients.

When RF Auto-Tuning for power is enabled, MSS does not allow you to manually change the power level.


Examples - The following command enables dynamic power tuning for radios in the rp2 radio profile:

WX4400# set radio-profile rp2 auto-tune power-config enable

success: change accepted.

See Also

- display radio-profile on page 350

- set ap radio auto-tune max-power on page 384

- set ap radio auto-tune max-retransmissions on page 385

- set radio-profile auto-tune channel-config on page 402

- set radio-profile auto-tune power-interval on page 407

set radio-profile auto-tune power-interval

Sets the interval at which RF Auto-Tuning decides whether to change the power level on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio power levels if needed.

Syntax - set radio-profile name auto-tune power-interval seconds

- name - Radio profile name.

- seconds - Number of seconds MSS waits before changing radio power levels to adjust to RF changes, if needed. You can specify from 1 to 65535 seconds.

Defaults - The default power tuning interval is 600 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command sets the power interval for radios in radio profile rp2 to 240 seconds:

WX4400# set radio-profile rp2 auto-tune power-interval 240

success: change accepted.


See Also

- display service-profile on page 353

- set ap radio auto-tune max-retransmissions on page 385

- set radio-profile auto-tune power-config on page 406

set radio-profile auto-tune power-lockdown

Locks down the current power settings on all radios in a radio profile. The power settings that are in effect when the command is entered are changed into statically configured power settings on the radios.

RF Auto-Tuning of power is then disabled in the radio profile.

Syntax - set radio-profile name auto-tune power-lockdown

- name - Radio profile name.

Defaults - By default, when RF Auto-Tuning of power is enabled, power settings continue to change dynamically based on network conditions.

Access - Enabled.

History - Introduced in MSS Version 5.0.

Usage - To save this command and the static power configuration commands created when you enter this command, save the configuration.

Examples - The following command locks down the power settings for radios in radio profile rp2:

WX1200# set radio-profile rp2 auto-tune power-lockdown

success: change accepted.

See Also

- set ap radio auto-tune max-power on page 384

- set radio-profile auto-tune channel-lockdown on page 405

- set radio-profile auto-tune power-config on page 406

- set radio-profile auto-tune power-interval on page 407

- set radio-profile auto-tune power-ramp-interval on page 409

- display radio-profile on page 350

set radio-profile auto-tune power-ramp-interval

Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.

Syntax - set radio-profile name auto-tune power-ramp-interval seconds

- name - Radio profile name.

- seconds - Number of seconds MSS waits before increasing or decreasing radio power by another 1 dBm. You can specify from 1 to 65535.

Defaults - The default interval is 60 seconds.

Access - Enabled.

History - Introduced in MSS Version 5.0.

Examples - The following command changes the power ramp interval for radios in radio profile rp2 to 120 seconds:

WX1200# set radio-profile rp2 auto-tune power-ramp-interval 120

success: change accepted.

See Also

- set ap radio auto-tune max-power on page 384

- set radio-profile auto-tune power-config on page 406

- set radio-profile auto-tune power-interval on page 407

- set radio-profile auto-tune power-ramp-interval on page 409

- display radio-profile on page 350


Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command changes the beacon interval for radio profile rp1 to 200 ms:

WX4400# set radio-profile rp1 beacon-interval 200

success: change accepted.

See Also

- display radio-profile on page 350

- set radio-profile mode on page 416

set radio-profile countermeasures

Enables or disables countermeasures on the MAP radios managed by a radio profile. Countermeasures are packets sent by a radio to prevent clients from being able to use rogue access points.

CAUTION: Countermeasures affect wireless service on a radio. When a MAP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures.

MAP radios can also issue countermeasures against interfering devices. An interfering device is not part of the 3Com network but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any WX in the Mobility Domain. Although the interfering device is not connected to your network, the device might be causing RF interference with MAP radios.

Syntax - set radio-profile name countermeasures {all | rogue | configured | none}

- name - Radio profile name.

- all - Configures radios to attack rogues and interfering devices.

- rogue - Configures radios to attack rogues only.


- configured - Configures radios to attack only devices in the attack list on the WX switch (on-demand countermeasures). When this option is specified, devices found to be rogues by other means, such as policy violations or by determining that the device is providing connectivity to the wired network, are not attacked.

- none - Disables countermeasures for this radio profile.

Defaults - Countermeasures are disabled by default.

Access - Enabled.

History - Command introduced in MSS Version 4.0. New option configured added to support on-demand countermeasures in MSS Version 4.1.

Examples - The following command enables countermeasures in radio profile radprof3 for rogues only:

WX1200# set radio-profile radprof3 countermeasures rogue

success: change accepted.

The following command disables countermeasures in radio profile radprof3:

WX1200# clear radio-profile radprof3 countermeasures

success: change accepted.

The following command causes radios managed by radio profile radprof3 to issue countermeasures against devices in the WX switch's attack list:

WX1200# set radio-profile radprof3 countermeasures configured

success: change accepted.

Note that when you issue this command, countermeasures are then issued only against devices in the WX attack list, not against other devices that were classified as rogues by other means.

See Also

- display radio-profile on page 350


set radio-profile dtim-interval

Changes the number of times after every beacon that each MAP radio in a radio profile sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM.

The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.

Syntax - set radio-profile name dtim-interval interval

- name - Radio profile name.

- interval - Number of times the DTIM is transmitted after every beacon. You can enter a value from 1 through 31.

Defaults - By default, MAP access points send the DTIM once after each beacon.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

The DTIM interval does not apply to unicast frames.

Examples - The following command changes the DTIM interval for radio profile rp1 to 2:

WX4400# set radio-profile rp1 dtim-interval 2

success: change accepted.

See Also

- display radio-profile on page 350

- set radio-profile mode on page 416

set radio-profile frag-threshold

Changes the fragmentation threshold for the MAP radios in a radio profile. The fragmentation threshold is the threshold at which the long-retry-count is applicable instead of the short-retry-count.

The long-retry-count specifies the number of times a radio can send a unicast frame that is equal to or longer than the frag-threshold without receiving an acknowledgment.

The short-retry-count specifies the number of times a radio can send a unicast frame that is shorter than the frag-threshold without receiving an acknowledgment.

Syntax - set radio-profile name frag-threshold threshold

- name - Radio profile name.

- threshold - Maximum frame length, in bytes. You can enter a value from 256 through 2346.

Defaults - The default fragmentation threshold for MAP radios is 2346 bytes.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

The frag-threshold does not specify the maximum length a frame is allowed to be without being broken into multiple frames before transmission. The MAPs do not support fragmentation upon transmission, only upon reception.

The frag-threshold does not change the RTS threshold, which specifies the maximum length of a frame before the radio uses the RTS/CTS method to send the frame. To change the RTS threshold, use the set radio-profile rts-threshold command instead.

Examples - The following command changes the fragmentation threshold for radio profile rp1 to 1500 bytes:

WX4400# set radio-profile rp1 frag-threshold 1500

success: change accepted.


See Also

- display radio-profile on page 350

- set radio-profile mode on page 416

- set radio-profile rts-threshold on page 423

- set service-profile long-retry-count on page 449

- set service-profile short-retry-count on page 456

set radio-profile long-retry

Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of radio profiles. See set service-profile long-retry-count on page 449.

set radio-profile max-rx-lifetime

Changes the maximum receive threshold for the MAP radios in a radio profile. The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory.

Syntax - set radio-profile name max-rx-lifetime time

- name - Radio profile name.

- time - Number of milliseconds. You can enter a value from 500 (0.5 second) through 250,000 (250 seconds).

Defaults - The default maximum receive threshold for MAP radios is 2000 ms (2 seconds).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command changes the maximum receive threshold for radio profile rp1 to 4000 ms:

WX4400# set radio-profile rp1 max-rx-lifetime 4000

success: change accepted.


See Also

- display radio-profile on page 350

- set radio-profile mode on page 416

- set radio-profile max-tx-lifetime on page 415

set radio-profile max-tx-lifetime

Changes the maximum transmit threshold for the MAP radios in a radio profile. The maximum transmit threshold specifies the number of milliseconds that a frame scheduled to be transmitted by a radio can remain in buffer memory.

Syntax - set radio-profile name max-tx-lifetime time

- name - Radio profile name.

- time - Number of milliseconds. You can enter a value from 500 (0.5 second) through 250,000 (250 seconds).

Defaults - The default maximum transmit threshold for MAP radios is 2000 ms (2 seconds).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command changes the maximum transmit threshold for radio profile rp1 to 4000 ms:

WX4400# set radio-profile rp1 max-tx-lifetime 4000

success: change accepted.

See Also

- display radio-profile on page 350

- set radio-profile mode on page 416

- set radio-profile max-rx-lifetime on page 414


Defaults - Each radio profile that you create has a set of properties with factory default values that you can change with the other set radio-profile commands in this chapter.

Table 72 lists the parameters controlled by a radio profile and their default values.

Table 72 Defaults for Radio Profile Parameters


Access - Enabled.

History - Introduced in MSS Version 3.0.

Version 4.2 made the following changes:

- Removed the following parameters that no longer apply:

  - 11g-only

  - long-retry

  - short-retry

- The wmm parameter name changed to qos-mode.

Usage - Use the command without any optional parameters to create a new profile. If the radio profile does not already exist, MSS creates a new radio profile. Use the enable or disable option to enable or disable all the radios using a profile. To assign the profile to one or more radios, use the set ap radio radio-profile command.


To change a parameter in a radio profile, you must first disable all the radios in the profile. After you complete the change, you can reenable the radios.

To enable or disable specific radios without disabling all of them, use the set ap radio command.

Examples - The following command configures a new radio profile named rp1:

WX4400# set radio-profile rp1

success: change accepted.

The following command enables the radios that use radio profile rp1:

WX4400# set radio-profile rp1 mode enable

The following commands disable the radios that use radio profile rp1, change the beacon interval, then reenable the radios:

WX4400# set radio-profile rp1 mode disable

WX4400# set radio-profile rp1 beacon-interval 200

WX4400# set radio-profile rp1 mode enable

The following command enables the WPA IE on MAP radios in radio profile rp2:

WX4400# set radio-profile rp2 wpa-ie enable

success: change accepted.

See Also

- display ap config on page 316

- display radio-profile on page 350

- set ap radio mode on page 391

- set ap radio radio-profile on page 392


set radio-profile preamble-length

Changes the preamble length for which an 802.11b/g MAP radio advertises support. This command does not apply to 802.11a.

Syntax - set radio-profile name preamble-length {long | short}

- name - Radio profile name.

- long - Advertises support for long preambles.

- short - Advertises support for short preambles.

Defaults - The default is short.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Changing the preamble length value affects only the support advertised by the radio. Regardless of the preamble length setting (short or long), an 802.11b/g radio accepts and can generate 802.11b/g frames with either short or long preambles.

If a client associated with an 802.11b/g radio uses long preambles for unicast traffic, the MAP still accepts frames with short preambles but does not transmit frames with short preambles. This change also occurs if the access point overhears a beacon from an 802.11b/g radio on another access point that indicates the radio has clients that require long preambles.

You must disable all radios that use a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command configures 802.11b/g radios that use the radio profile rp_long to advertise support for long preambles instead of short preambles:

WX4400# set radio-profile rp_long preamble-length long

success: change accepted.

See Also

- display radio-profile on page 350

- set radio-profile mode on page 416


set radio-profile rfid-mode

Enables MAP radios managed by a radio profile to function as location receivers in an AeroScout Visibility System. An AeroScout Visibility System allows system administrators to track mobile assets using RFID tags.

When you enable RFID mode on a radio profile, radios in the profile can receive and process signals transmitted by RFID tags and relay them with related information to the AeroScout Engine. If the floor plan is modeled in 3WXM, you also can use 3WXM to display the locations of assets.

Syntax - set radio-profile name rfid-mode {enable | disable}

- name - Radio profile name.

- enable - Enables radios to function as asset location receivers.

- disable - Disables radios from functioning as asset location receivers.

Defaults - The default is disable.

Access - Enabled.

History - Introduced in MSS Version 5.0.

Examples - The following command enables radios managed by radio profile rp1 to act as asset location receivers:

WX1200# set radio-profile rp1 rfid-mode enable

success: change accepted.

See Also

- set radio-profile mode on page 416

- display radio-profile on page 350

set radio-profile rate-enforcement

Configures MSS to enforce data rates, which means that a connecting client must transmit at one of the mandatory or standard rates in order to associate with the MAP.

Syntax - set radio-profile name rate-enforcement {enable | disable}

- name - Radio profile name.

- enable - Enables data rate enforcement for the radios in the radio profile.

- disable - Disables data rate enforcement for the radios in the radio profile.

Defaults - Data rate enforcement is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Each type of radio (802.11a, 802.11b, and 802.11g) providing service to an SSID has a set of radio rates allowed for use when sending beacons, multicast frames, and unicast data. You can configure the rate set for each type of radio, specifying rates in three categories:

Mandatory - Valid 802.11 transmit rates that clients must support in order to associate with the MAP.

Disabled - Valid 802.11 transmit rates are disabled. MAPs do not transmit at the disabled rates.

Standard - Valid 802.11 transmit rates that are not disabled and are not mandatory.

By default, the rate set is not enforced, meaning that a client can associate with and transmit data to the MAP using a disabled data rate, although the MAP does not transmit data back to the client at the disabled rate.

You can use this command to enforce the data rates, which means that a connecting client must transmit at one of the mandatory or standard rates in order to associate with the MAP. When data rate enforcement is enabled, clients transmitting at the disabled rates are not allowed to associate with the MAP.

This command is useful if you want to completely prevent clients from transmitting at disabled data rates. For example, you can disable slower data rates so that clients transmitting at these rates do not consume bandwidth on the channel at the expense of clients transmitting at faster rates.

Examples - The following command enables data rate enforcement for radio profile rp1:

WX# set radio-profile rp1 rate-enforcement mode enable

success: change accepted.

See Also

- display ap counters on page 319

- set service-profile transmit-rates on page 468

set radio-profile rts-threshold

Changes the RTS threshold for the MAP radios in a radio profile. The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.

Syntax - set radio-profile name rts-threshold threshold

- name - Radio profile name.

- threshold - Maximum frame length, in bytes. You can enter a value from 256 through 3000.

Defaults - The default RTS threshold for a MAP radio is 2346 bytes.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command changes the RTS threshold for radio profile rp1 to 1500 bytes:

WX4400# set radio-profile rp1 rts-threshold 1500

success: change accepted.

See Also

- display radio-profile on page 350

- set radio-profile mode on page 416


set radio-profile service-profile

Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter settings, including SSID and encryption settings, in the service profile.

Syntax - set radio-profile name service-profile name

- radio-profile name - Radio profile name of up to 16 alphanumeric characters, with no spaces.

- service-profile name - Service profile name of up to 16 alphanumeric characters, with no spaces.

Defaults - A radio profile does not have a service profile associated with it by default. In this case, the radios in the radio profile use the default settings for parameters controlled by the service profile. Table 73 lists the parameters controlled by a service profile and their default values.

Table 73 Defaults for Service Profile Parameters


Uses dynamic WEP rather than static WEP.

If you configure a WEP key for static WEP, MSS continues to also support dynamic WEP.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must configure the service profile before you can map it to a radio profile. You can map the same service profile to more than one radio profile.

You must disable all radios that use a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples - The following command maps service-profile wpa_clients to radio profile rp2:

WX4400# set radio-profile rp2 service-profile wpa_clients

success: change accepted.

See Also

- display radio-profile on page 350

- display service-profile on page 353

- set service-profile attr on page 431

- set service-profile auth-dot1x on page 433

- set service-profile auth-fallthru on page 434

- set service-profile auth-psk on page 435

- set service-profile beacon on page 436

- set service-profile cac-mode on page 438

- set service-profile cac-session on page 439

- set service-profile cipher-ccmp on page 440

- set service-profile cipher-tkip on page 441

- set service-profile cipher-wep104 on page 442

- set service-profile cipher-wep40 on page 443

- set service-profile cos on page 444

- set service-profile dhcp-restrict on page 445

- set service-profile idle-client-probing on page 446

- set service-profile long-retry-count on page 449

- set service-profile no-broadcast on page 451

- set service-profile proxy-arp on page 452

- set service-profile psk-phrase on page 453

- set service-profile psk-raw on page 454

- set service-profile rsn-ie on page 455

- set service-profile shared-key-auth on page 456

- set service-profile short-retry-count on page 456

- set service-profile soda mode on page 462

- set service-profile ssid-name on page 465

- set service-profile ssid-type on page 466

- set service-profile static-cos on page 467

- set service-profile tkip-mc-time on page 466

- set service-profile transmit-rates on page 468

- set service-profile user-idle-timeout on page 471

- set service-profile web-portal-form on page 473

- set service-profile web-portal-session-timeout on page 477

- set service-profile wep active-multicast-index on page 478

- set service-profile wep active-unicast-index on page 479

- set service-profile wep key-index on page 480

- set service-profile wpa-ie on page 481


set radio-profile short-retry

Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of radio profiles. See set service-profile short-retry-count on page 456.

set radio-profile wmm-powersave

Enables Unscheduled Automatic Powersave Delivery (U-APSD) on MAP radios managed by the radio profile. U-APSD enables WMM clients that use powersave mode to more efficiently request buffered unicast packets from MAP radios.

When U-APSD is enabled, a client can retrieve buffered unicast packets for a traffic priority enabled for U-APSD by sending a QoS data or QoS-Null frame for that priority. U-APSD can be enabled for individual traffic priorities, for individual clients, based on the client's request. A client enables U-APSD for a traffic priority by indicating this preference when (re)associating with the MAP radio.

A client can but is not required to request U-APSD for all four traffic priorities. The MAP radio still buffers packets for all traffic priorities even if the client does not request U-APSD for them. However, to retrieve buffered packets for priorities that are not using U-APSD, a client must send a separate PSpoll for each buffered packet.

Syntax - set radio-profile name wmm-powersave {enable | disable}

- name - Radio profile name.

- enable - Enables U-APSD.

- disable - Disables U-APSD.

Defaults - U-APSD is disabled by default.

Access - Enabled.

History - Introduced in MSS 5.0.

Usage - U-APSD is supported only for QoS mode WMM. If WMM is not enabled on the radio profile, use the set radio-profile qos-mode command to enable it.

Examples - The following command enables U-APSD on radio profile rp1:

WX2200# set radio-profile rp1 wmm-powersave enable

success: change accepted.

See Also

- set radio-profile mode on page 416

- set radio-profile qos-mode on page 420

- display radio-profile on page 350

set service-profile attr

Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile. These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database.

Syntax - set service-profile name attr attribute-name value

- name - Service profile name.

- attribute-name value - Name and value of an attribute you are using to authorize SSID users for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to network users, see Table 44 on page 262. All of the attributes listed in Table 44 can be used with this command except ssid.

Defaults - By default, a service profile does not have any authorization attributes set.

Access - Enabled.

History - Introduced in MSS 4.1.

Usage - To change the value of a default attribute for a service profile, use the set service-profile attr command and specify a new value.


The SSID default attributes are applied in addition to any attributes supplied for the user by the RADIUS server or the local database. When the same attribute is specified both as an SSID default attribute and through AAA, then the attribute supplied by the RADIUS server or the local database takes precedence over the SSID default attribute. If a location policy is configured, the location policy rules also take precedence over SSID default attributes. The SSID default attributes serve as a fallback when neither the AAA process, nor a location policy, provides them.

For example, a service profile might be configured with the service-type attribute set to 2. If a user accessing the SSID is authenticated by a RADIUS server, and the RADIUS server returns the vlan-name attribute set to orange, then that user will have a total of two attributes set: service-type and vlan-name.

If the service profile is configured with the vlan-name attribute set to blue, and the RADIUS server returns the vlan-name attribute set to orange, then the attribute from the RADIUS server takes precedence; the user is placed in the orange VLAN.

You can display the attributes for each connected user and whether they are set through AAA or through SSID defaults by entering the display sessions network verbose command. You can display the configured SSID defaults by entering the display service-profile command.

Examples - The following command assigns users accessing the SSID managed by service profile sp2 to VLAN blue:

WX4400# set service-prof sp2 attr vlan-name blue

success: change accepted.

The following command assigns users accessing the SSID managed by service profile sp2 to the Mobility Profile tulip.

WX4400# set service-prof sp2 attr mobility-profile tulip

success: change accepted.

The following command limits the days and times when users accessing the SSID managed by service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:

WX1200# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su

success: change accepted.

set service-profile auth-dot1x 433

See Also

??display service-profile on page 353

??display sessions network on page 620

set service-profile auth-dot1x

Disables or reenables 802.1X authentication of Wi-Fi Protected Access (WPA) clients by MAP radios, when the WPA information element (IE) is enabled in the service profile that is mapped to the radio profile that the radios are using.

Syntax - set service-profile name auth-dot1x {enable | disable}

• name - Service profile name.
• enable - Enables 802.1X authentication of WPA clients.
• disable - Disables 802.1X authentication of WPA clients.

Defaults - When the WPA IE is enabled, 802.1X authentication of WPA clients is enabled by default. If the WPA IE is disabled, the auth-dot1x setting has no effect.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command does not disable dynamic WEP for non-WPA clients. To disable dynamic WEP for non-WPA clients, enable the WPA IE (if not already enabled) and disable the 40-bit WEP and 104-bit WEP cipher suites in the WPA IE, if they are not already disabled.

To use 802.1X authentication for WPA clients, you also must enable the WPA IE.

If you disable 802.1X authentication of WPA clients, the only method available for authenticating the clients is preshared key (PSK) authentication. To use this, you must enable PSK support and configure a passphrase or key.

Examples - The following command disables 802.1X authentication for WPA clients that use service profile wpa_clients:

WX4400# set service-profile wpa_clients auth-dot1x disable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile auth-psk on page 435
• set service-profile psk-phrase on page 453
• set service-profile wpa-ie on page 481

set service-profile auth-fallthru

Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile. When a user tries to associate with an SSID, MSS checks the authentication rules for that SSID for a userglob that matches the username. If the SSID does not have an authentication rule that matches the username, authentication for the user falls through to the fallthru method.

The fallthru method is a service profile parameter, and applies to all radios within the radio profiles that are mapped to the service profile.

Syntax - set service-profile name auth-fallthru {last-resort | none | web-portal}

• last-resort - Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
• none - Denies authentication and prohibits the user from accessing the SSID.

The fallthru authentication type none is different from the authentication method none you can specify for administrative access. The fallthru authentication type none denies access to a network user. In contrast, the authentication method none allows access to the WX switch by an administrator. (See "set authentication admin" on page 239 and "set authentication console" on page 241.)

• web-portal - Serves the user a web page from the WX switch's nonvolatile storage for secure login to the network.

Defaults - The default fallthru authentication type is web-auth.

If a username does not match a userglob in an authentication rule for the SSID requested by the user, the WX switch that is managing the radio the user is connected to redirects the user to a web page located on the WX switch. The user must type a valid username and password on the web page to access the SSID.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option for WebAAA fallthru authentication type changed from web-auth to web-portal in MSS Version 4.1.

Usage - The last-resort fallthru authentication type allows any user to access any SSID managed by the service profile. This method does not require the user to provide a username or password. Use the last-resort method only if none of the SSIDs managed by the service profile require secure access.

The web-auth authentication type requires additional configuration items. (See the "Configuring AAA for Network Users" chapter of the Wireless LAN Switch and Controller Configuration Guide.)

Examples - The following command sets the fallthru authentication for SSIDs managed by the service profile rnd_lab to none:

WX4400# set service-profile rnd_lab auth-fallthru none
success: change accepted.

See Also

• display service-profile on page 353
• set web-portal on page 278
• set service-profile web-portal-form on page 473

set service-profile auth-psk

Enables pre-shared key (PSK) authentication of Wi-Fi Protected Access (WPA) clients by MAP radios in a radio profile, when the WPA information element (IE) is enabled in the service profile.

Syntax - set service-profile name auth-psk {enable | disable}

• name - Service profile name.
• enable - Enables PSK authentication of WPA clients.
• disable - Disables PSK authentication of WPA clients.

Defaults - When the WPA IE is enabled, PSK authentication of WPA clients is enabled by default. If the WPA IE is disabled, the auth-psk setting has no effect.

Syntax - set service-profile name beacon {enable | disable}

• name - Service profile name.
• enable - Enables beaconing of the SSID managed by the service profile.

Usage - WLAN mesh services can be used in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. A typical application of wireless bridging is to provide network connectivity between two buildings using a wireless link.

A Mesh Portal AP serving as a bridge endpoint can support up to five Mesh APs serving as bridge endpoints. A Mesh AP serving as a bridge endpoint picks up packets from its wired port and transfers them to the other bridge endpoint. A simple source/destination learning mechanism is used in order to avoid forwarding packets across the bridge unnecessarily.

When wireless bridging is enabled for a service profile, the MAPs with the applied service profile serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service profile, the Mesh Portal AP automatically configures the Mesh AP to operate in bridge mode.

Examples - The following command enables wireless bridging on service profile sp1:

WX# set service-profile sp1 bridging enable
success: change accepted.

See Also

• display ap mesh-links on page 329
• set ap boot-configuration mesh ssid on page 373
• set service-profile mesh on page 450

set service-profile cac-mode

Configures the Call Admission Control (CAC) mode.

Syntax - set service-profile name cac-mode {none | session}

• name - Service profile name.
• none - CAC is not used.
• session - CAC is based on the number of active sessions.

Defaults - The default CAC mode is none.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command enables session-based CAC on service profile sp1:

WX4400# set service-profile sp1 cac-mode session
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile cac-session on page 439

set service-profile cac-session

Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled. When a MAP radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients.

Syntax - set service-profile name cac-session max-sessions

• name - Service profile name.
• max-sessions - Maximum number of active sessions allowed on the radio.

Defaults - The default number of sessions allowed is 14.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - This command applies only when the CAC mode is session. If the CAC mode is none, you can still change the maximum number of sessions, but the setting does not take effect until you change the CAC mode to session. To change the CAC mode, use the set service-profile cac-mode command.

Examples - The following command changes the maximum number of sessions for radios used by service profile sp1 to 10:

WX4400# set service-profile sp1 cac-session 10
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile cac-mode on page 438

See Also

• display service-profile on page 353
• set service-profile cipher-tkip on page 441
• set service-profile cipher-wep104 on page 442
• set service-profile cipher-wep40 on page 443
• set service-profile wpa-ie on page 481

See Also

• display service-profile on page 353
• set service-profile cipher-ccmp on page 440
• set service-profile cipher-wep104 on page 442
• set service-profile cipher-wep40 on page 443
• set service-profile tkip-mc-time on page 466
• set service-profile wpa-ie on page 481

WX4400# set service-profile sp2 cipher-wep104 enable
success: change accepted.

To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the set service-profile wep key-index command.

Examples - The following command configures service profile sp2 to use 40-bit WEP encryption:

WX4400# set service-profile sp2 cipher-wep40 enable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile cipher-ccmp on page 440
• set service-profile cipher-tkip on page 441
• set service-profile cipher-wep104 on page 442
• set service-profile wep key-index on page 480
• set service-profile wpa-ie on page 481

set service-profile cos

Sets the Class-of-Service (CoS) level for static CoS.

Syntax - set service-profile name cos level

• name - Service profile name.
• level - CoS value assigned by the MAP to all traffic in the service profile.

Defaults - The default static CoS level is 0.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - This command applies only when static CoS is enabled. If static CoS is disabled, prioritization is based on the QoS mode configured in the radio profile, and on any ACLs that set CoS. (See the "Configuring Quality of Service" chapter of the Wireless LAN Switch and Controller Configuration Guide.) To enable static CoS, use the set service-profile static-cos command.

Examples - The following command changes the static CoS level to 7 (voice priority):

WX4400# set service-profile sp1 cos 7
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile static-cos on page 467

set service-profile dhcp-restrict

Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a newly associated client and allows DHCP traffic only, until the client has been authenticated and authorized. All other traffic is captured by the WX and is not forwarded. After the client is successfully authorized, the traffic restriction is removed.

Syntax - set service-profile name dhcp-restrict {enable | disable}

• name - Service profile name.
• enable - Enables DHCP Restrict.
• disable - Disables DHCP Restrict.

Defaults - DHCP Restrict is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - To further reduce the overhead of DHCP traffic, use the set service-profile no-broadcast command to disable DHCP broadcast traffic from MAP radios to clients on the service profile's SSID.

Examples - The following command enables DHCP Restrict on service profile sp1:

WX4400# set service-profile sp1 dhcp-restrict enable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile no-broadcast on page 451
• set service-profile proxy-arp on page 452

set service-profile idle-client-probing

Disables or reenables periodic keepalives from MAP radios to clients on a service profile's SSID. When idle-client probing is enabled, the MAP radio sends a unicast null-data frame to each client every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.

If a client does not send any data or respond to any keepalives before the user idle timeout expires, MSS changes the client session to the Disassociated state.

Syntax - set service-profile name idle-client-probing {enable | disable}

• name - Service profile name.
• enable - Enables keepalives.
• disable - Disables keepalives.

Defaults - Idle-client probing is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - The length of time a client can remain idle (unresponsive to idle-client probes) is specified by the user-idle-timeout command.

Examples - The following command disables idle-client keepalives on service profile sp1:

WX4400# set service-profile sp1 idle-client-probing disable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile user-idle-timeout on page 471

set service-profile keep-initial-vlan

Configures MAP radios managed by the radio profile to leave a roamed user on the VLAN assigned by the switch where the user logged on.

When this option is disabled, a user's VLAN is reassigned by each WX switch to which a user roams.

Syntax - set service-profile name keep-initial-vlan {enable | disable}

• name - Service profile name.
• enable - Enables radios to leave a roamed user on the same VLAN instead of reassigning the VLAN.
• disable - Configures radios to reassign a roamed user's VLAN.

Defaults - This option is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 5.0.

Usage - Even when this option is enabled, the WX switch to which a user roams (the roamed-to switch) can reassign the VLAN in any of the following cases:

• A location policy on the local switch reassigns the VLAN.
• The user is configured in the switch's local database and the VLAN-Name attribute is set on the user or on a user group the user is in.
• The access rule on the roamed-to switch uses RADIUS, and the VLAN-Name attribute is set on the RADIUS server.

Examples - The following command enables the keep-initial-vlan option on service profile sp3:

WX1200# set service-profile sp3 keep-initial-vlan enable
success: change accepted.

See Also

• display service-profile on page 353

set service-profile load-balancing-exempt

Exempts a service profile from performing RF load balancing.

Syntax - set service-profile name load-balancing-exempt {enable | disable}

• name - Service profile name.
• enable - Exempts the specified service profile from RF load balancing.
• disable - If a service profile has previously been exempted from RF load balancing, restores RF load balancing for the service profile.

Defaults - By default, MAP radios automatically perform RF load balancing for all service profiles.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Use this command to exempt a service profile from RF load balancing. Exempting a service profile from RF load balancing means that even if a MAP radio is attempting to steer clients away, it does not reduce or conceal the availability of the SSID named in the exempted service profile. Even if a radio is withholding probe responses to manage its load, the radio does respond to probes for an exempt SSID. Also, if a MAP radio is withholding probe responses, and a client probes for any SSID, and the radio has at least one exempt SSID, the radio responds to the probe, but the response reveals only the exempt SSID(s).

Examples - The following command exempts service profile sp3 from RF load balancing:

WX# set service-profile sp3 load-balancing-exempt enable
success: change accepted.

See Also

• display load-balancing group on page 348
• set load-balancing strictness on page 399
• set ap radio load balancing on page 389
• set ap local-switching mode on page 379

set service-profile long-retry-count

Changes the long retry threshold for a service profile. The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment. A long unicast frame is a frame that is equal to or longer than the frag-threshold.

Syntax - set service-profile name long-retry-count threshold

• name - Service profile name.
• threshold - Number of times the radio can send the same long unicast frame. You can enter a value from 1 through 15.

Defaults - The default long unicast retry threshold is 5 attempts.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command changes the long retry threshold for service profile sp1 to 8:

WX4400# set service-profile sp1 long-retry-count 8
success: change accepted.

See Also

• set radio-profile frag-threshold on page 413
• set service-profile short-retry-count on page 456
• display service-profile on page 353

set service-profile mesh

Creates a service profile for use with WLAN mesh services.

Syntax - set service-profile name mesh mode {enable | disable}

• name - Service profile name.
• enable - Enables mesh services for the service profile.
• disable - Disables mesh services for the service profile.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Use this command to configure mesh services for a service profile. Once configured, the service profile can then be mapped to a radio profile that manages a radio on the Mesh Portal MAP, which then allows a Mesh Portal AP to beacon a mesh services SSID to Mesh APs.

Examples - The following command enables mesh services for service profile sp1:

WX# set service-profile sp1 mesh mode enable
success: change accepted.

See Also

• display ap mesh-links on page 329
• set ap boot-configuration mesh ssid on page 373

set service-profile no-broadcast

Disables or reenables the no-broadcast mode. The no-broadcast mode helps reduce traffic overhead on an SSID by having more SSID bandwidth available for unicast traffic. The no-broadcast mode also helps VoIP handsets conserve power by reducing the amount of broadcast traffic sent to the phones.

When enabled, the no-broadcast mode prevents MAP radios from sending DHCP or ARP broadcasts to clients on the service profile's SSID. Instead, a MAP radio handles this traffic as follows:

• ARP requests - If the SSID has clients with IP addresses that the WX does not already know, the WX allows the MAP radio to send the ARP request as a unicast to only those stations whose addresses the WX does not know. The MAP radio does not forward the ARP request as a broadcast and does not send the request as a unicast to stations whose addresses the WX already knows.
• DHCP Offers or Acks - If the destination MAC address belongs to a client on the SSID, the MAP radio sends the DHCP Offer or Ack as a unicast to that client only.

The no-broadcast mode does not affect other types of broadcast traffic and does not prevent clients from sending broadcasts.

Syntax - set service-profile name no-broadcast {enable | disable}

• name - Service profile name.
• enable - Enables the no-broadcast mode. MAP radios are not allowed to send broadcast traffic to clients on the service profile's SSID.
• disable - Disables the no-broadcast mode.

Defaults - The no-broadcast mode is disabled by default. (Broadcast traffic not disabled.)

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - To further reduce ARP traffic on a service profile, use the set service-profile proxy-arp command to enable Proxy ARP.

Examples - The following command enables the no-broadcast mode on service profile sp1:

WX4400# set service-profile sp1 no-broadcast enable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile dhcp-restrict on page 445
• set service-profile proxy-arp on page 452

set service-profile proxy-arp

Enables proxy ARP. When proxy ARP is enabled, the WX replies to ARP requests for client IP addresses on behalf of the clients. This feature reduces broadcast overhead on a service profile SSID by eliminating ARP broadcasts from MAP radios to the SSID's clients.

If the ARP request is for a client with an IP address the WX does not already know, the WX allows MAP radios to send the ARP request to clients. If the no-broadcast mode is also enabled, the MAP radios send the ARP request as a unicast to only the clients whose addresses the WX does not know. However, if no-broadcast mode is disabled, the MAP radios send the ARP request as a broadcast to all clients on the SSID.

Syntax - set service-profile name proxy-arp {enable | disable}

• name - Service profile name.
• enable - Enables proxy ARP.
• disable - Disables proxy ARP.

Defaults - Proxy ARP is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - To further reduce broadcast traffic on a service profile, use the set service-profile no-broadcast command to disable DHCP and ARP request broadcasts.

Examples - The following command enables proxy ARP on service profile sp1:

WX4400# set service-profile sp1 proxy-arp enable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile dhcp-restrict on page 445
• set service-profile no-broadcast on page 451

set service-profile psk-phrase

Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.

Syntax - set service-profile name psk-phrase passphrase

• name - Service profile name.
• passphrase - An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - MSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal key to store in the WX configuration. Neither the binary number nor the passphrase itself is ever displayed in the configuration.

To use PSK authentication, you must enable it and you also must enable the WPA IE.

Examples - The following command configures service profile sp3 to use passphrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl":

WX4400# set service-profile sp3 psk-phrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"
success: change accepted.

See Also

• display service-profile on page 353
• set mac-user attr on page 261
• set service-profile auth-psk on page 435
• set service-profile psk-raw on page 454
• set service-profile wpa-ie on page 481

set service-profile psk-raw

Configures a raw hexadecimal preshared key (PSK) to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.

Syntax - set service-profile name psk-raw hex

• name - Service profile name.
• hex - A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the two-character ASCII form of each hexadecimal number.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS also stores the hexadecimal key in the WX configuration. The binary number is never displayed in the configuration.

To use PSK authentication, you must enable it and you also must enable the WPA IE.

Examples - The following command configures service profile sp3 to use a raw PSK with PSK clients:

WX4400# set service-profile sp3 psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.

See Also

• display service-profile on page 353
• set mac-user attr on page 261
• set service-profile auth-psk on page 435
• set service-profile psk-phrase on page 453
• set service-profile wpa-ie on page 481
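
The passphrase and raw-key forms described for psk-phrase and psk-raw above, as an added example (not 3Com code): it validates both forms and derives the 256-bit PSK with the standard IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt). That MSS uses this standard mapping is an assumption, and the function names are illustrative; the raw-key check expects 64 hexadecimal digits, which is the length of the key in the psk-raw example above and the length a 256-bit value needs.

```python
import hashlib
import string

PSK_BYTES = 32          # 256-bit key, as stated in the Usage text
PBKDF2_ROUNDS = 4096    # iteration count of the IEEE 802.11i passphrase mapping


def validate_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("only printable ASCII characters are allowed")
    return problems


def passphrase_to_psk(passphrase, ssid):
    """Derive the PSK as 64 hex digits (assumed: standard 802.11i mapping)."""
    problems = validate_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    key = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),       # the SSID is the salt, so the key is per-SSID
        PBKDF2_ROUNDS,
        PSK_BYTES,
    )
    return key.hex()


def validate_raw_psk(hex_key):
    """Return the key bytes for a raw PSK, or raise ValueError if malformed."""
    if len(hex_key) != 2 * PSK_BYTES:
        raise ValueError("raw PSK must be exactly 64 hexadecimal digits")
    if any(ch not in string.hexdigits for ch in hex_key):
        raise ValueError("raw PSK contains a non-hexadecimal character")
    return bytes.fromhex(hex_key)


if __name__ == "__main__":
    # Constructed values, not taken from any real network.
    ssid = "example-ssid"
    phrase = "constructed example passphrase"
    raw = passphrase_to_psk(phrase, ssid)
    # The derived hex string has the shape psk-raw expects.
    print(len(raw), "hex digits ->", len(validate_raw_psk(raw)), "bytes")
    # A passphrase that is too short is rejected before any key is derived.
    print(validate_passphrase("short"))
```

Because the SSID is the salt in this mapping, the same passphrase gives a different raw key on each SSID, so a psk-raw value cannot simply be copied between service profiles with different SSIDs.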

set service-profile rsn-ie

Enables the Robust Security Network (RSN) Information Element (IE).

The RSN IE advertises the RSN authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile.

Syntax - set service-profile name rsn-ie {enable | disable}

• name - Service profile name.
• enable - Enables the RSN IE.
• disable - Disables the RSN IE.

Defaults - The RSN IE is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command enables the RSN IE in service profile sprsn:

WX4400# set service-profile sprsn rsn-ie enable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile cipher-ccmp on page 440

set service-profile shared-key-auth

Enables shared-key authentication, in a service profile.

Use this command only if advised to do so by 3Com. This command does not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To enable PSK encryption for WPA, use the set service-profile auth-psk command.

Syntax - set service-profile name shared-key-auth {enable | disable}

• name - Service profile name.
• enable - Enables shared-key authentication.
• disable - Disables shared-key authentication.

Defaults - Shared-key authentication is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command enables shared-key authentication in service profile sp4:

WX4400# set service-profile sp4 shared-key-auth enable
success: change accepted.

See Also

• display radio-profile on page 350
• set radio-profile mode on page 416
• set service-profile cipher-tkip on page 441

set service-profile short-retry-count

Changes the short retry threshold for a service profile. The short retry threshold specifies the number of times a radio can send a short unicast frame without receiving an acknowledgment. A short unicast frame is a frame that is shorter than the frag-threshold.

Syntax - set service-profile name short-retry-count threshold

• name - Service profile name.
• threshold - Number of times a radio can send the same short unicast frame. You can enter a value from 1 through 15.

Defaults - The default short unicast retry threshold is 5 attempts.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command changes the short retry threshold for service profile sp1 to 3:

WX4400# set service-profile sp1 short-retry-count 3
success: change accepted.

See Also

• display service-profile on page 353
• set radio-profile frag-threshold on page 413
• set service-profile long-retry-count on page 449

set service-profile soda agent-directory

Specifies the directory on the WX where the SODA agent files for a service profile are located.

Syntax - set service-profile name soda agent-directory directory

• name - Service profile name.
• directory - Directory on the WX for SODA agent files.

Defaults - By default, the WX expects SODA agent files to be located in a directory with the same name as the SSID.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - If the same SODA agent is used for multiple service profiles, you can use this command to specify a single directory for SODA agent files on the WX, rather than placing the same SODA agent files in a separate directory for each service profile.

Examples - The following command specifies soda-agent as the location for SODA agent files for service profile sp1:

WX4400# set service-profile sp1 soda agent-directory soda-agent
success: change accepted.

See Also

• display service-profile on page 353
• install soda agent on page 673
• uninstall soda agent on page 688

set service-profile soda enforce-checks

Specifies whether a client is allowed access to the network after it has downloaded and run the SODA agent security checks.

Syntax - set service-profile name soda enforce-checks {enable | disable}

• name - Service profile name.
• enable - SODA agent checks are performed before the client is allowed access to the network.
• disable - Allows the client access to the network immediately after the SODA agent is downloaded, without waiting for the checks to be run.

Defaults - By default, SODA agent checks are performed before the client is allowed access to the network.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - When the SODA agent is enabled in a service profile, by default the SODA agent checks are downloaded to a client and run before the client is allowed on the network. You can use this command to disable the enforcement of the SODA security checks, so that the client is allowed access to the network immediately after the SODA agent is downloaded, rather than waiting for the security checks to be run.

When the enforce checks option is enabled, upon successful completion of the SODA agent checks, the client performs an HTTP Get operation to load the success page. Upon loading the success page, the client is granted access to the network.

In order for the client to load the success page, you must make sure the SODA agent is configured (through SODA Manager) with the correct URL of the success page, so that the WX can serve the page to the client.

Similarly, you must make sure the SODA agent is configured with the correct URLs of the failure and logout pages, so that when the client requests these pages, the WX can serve those pages as well.

Examples - The following command allows network access to clients after they have downloaded the SODA agent, but without requiring that the SODA agent checks be completed:

WX4400# set service-profile sp1 soda enforce-checks disable
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile soda mode on page 462
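
An added example (not part of the 3Com reference or of MSS): a small audit over recorded set service-profile commands that flags the settings this chapter itself cautions about, namely last-resort fallthru, 802.1X disabled with no usable PSK, shared-key authentication enabled, and SODA checks not enforced. The input format (one command per line, as typed in the examples here), the sample profile names and the finding labels are assumptions made for the example.

```python
import shlex
from collections import defaultdict

# Constructed sample input: commands in the form shown in this reference.
SAMPLE_COMMANDS = """\
set service-profile guest auth-fallthru last-resort
set service-profile corp auth-dot1x disable
set service-profile lab auth-dot1x disable
set service-profile lab psk-phrase "constructed example passphrase"
set service-prof kiosk soda enforce-checks disable
set service-profile legacy shared-key-auth enable
set service-profile voice cac-mode session
"""

KEYWORD = "service-profile"

# Hypothetical finding labels, each tied to a caution stated in this chapter.
REASONS = {
    "fallthru-last-resort": "unmatched users get access without a username or password",
    "dot1x-off-without-psk": "802.1X is off and no usable PSK is configured for WPA clients",
    "shared-key-auth-enabled": "shared-key authentication is on (use only if advised by 3Com)",
    "soda-checks-not-enforced": "clients get access before the SODA checks have run",
}


def parse_profiles(text):
    """Collect the last value set for each parameter, per service profile."""
    profiles = defaultdict(dict)
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)   # keeps a quoted passphrase as one token
        except ValueError:               # unbalanced quotes: skip the line
            continue
        if len(tokens) < 5 or tokens[0] != "set":
            continue
        # The examples abbreviate the keyword ("service-prof"); accept that prefix.
        if len(tokens[1]) < len("service-prof") or not KEYWORD.startswith(tokens[1]):
            continue
        name, rest = tokens[2], tokens[3:]
        # Parameters can be two words, e.g. "soda enforce-checks".
        profiles[name][" ".join(rest[:-1])] = rest[-1]
    return dict(profiles)


def audit(profiles):
    """Return sorted (profile, label) findings; secrets are never included."""
    findings = []
    for name, params in sorted(profiles.items()):
        if params.get("auth-fallthru") == "last-resort":
            findings.append((name, "fallthru-last-resort"))
        # PSK authentication defaults to enabled, but still needs a key.
        psk_enabled = params.get("auth-psk", "enable") == "enable"
        has_key = "psk-phrase" in params or "psk-raw" in params
        if params.get("auth-dot1x") == "disable" and not (psk_enabled and has_key):
            findings.append((name, "dot1x-off-without-psk"))
        if params.get("shared-key-auth") == "enable":
            findings.append((name, "shared-key-auth-enabled"))
        if params.get("soda enforce-checks") == "disable":
            findings.append((name, "soda-checks-not-enforced"))
    return findings


if __name__ == "__main__":
    for profile, label in audit(parse_profiles(SAMPLE_COMMANDS)):
        print(f"{profile}: {label} - {REASONS[label]}")
```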

set service-profile soda failure-page

Specifies a page on the WX that loads when a client fails the security checks performed by the SODA agent.

Syntax - set service-profile name soda failure-page page

• name - Service profile name.
• page - Page that is loaded if the client fails the security checks performed by the SODA agent.

Defaults - By default, the WX dynamically generates a page indicating that the SODA agent checks have failed.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - Use this command to specify a custom page to be loaded by the client when the SODA agent checks fail. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL configured, then the client is disconnected from the network.

This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default.

The page is assumed to reside in the root directory on the WX. You can optionally specify a different directory where the page resides.

Examples - The following command specifies failure.html as the page to load when a client fails the SODA agent checks:

WX4400# set service-profile sp1 soda failure-page failure.html
success: change accepted.

The following command specifies failure.html, in the soda-files directory, as the page to load when a client fails the SODA agent checks:

WX4400# set service-profile sp1 soda failure-page soda-files/failure.html
success: change accepted.

See Also

• display service-profile on page 353
• set service-profile soda enforce-checks on page 458
• set service-profile soda remediation-acl on page 463

set service-profile soda logout-page

Specifies a page on the WX that is loaded when a client logs out of the network by closing the SODA virtual desktop.

Syntax - set service-profile name soda logout-page page

• name - Service profile name.

• page - Page that is loaded when the client closes the SODA virtual desktop.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - When a client closes the SODA virtual desktop, the client is automatically disconnected from the network. You can use this command to specify a page that loads when the client closes the SODA virtual desktop.

The client can request this page at any time, to ensure that the client's session has been terminated. You can add the IP address of the WX switch to the DNS server as a well-known name, and you can advertise the URL of the page to users as a logout page.

The page is assumed to reside in the root directory on the WX switch. You can optionally specify a different directory where the page resides.

For the logout page to load properly, you must enable the HTTPS server on the WX switch, so that clients can access the page using HTTPS. To do this, use the set ip https server enable command.

Examples - The following command specifies logout.html as the page to load when a client closes the SODA virtual desktop:

WX4400# set service-profile sp1 soda logout-page logout.html

success: change accepted.

The following command specifies logout.html, in the soda-files directory, as the page to load when a client closes the SODA virtual desktop:

WX4400# set service-profile sp1 soda logout-page soda-files/logout.html

success: change accepted.

See Also

• display service-profile on page 353

• set ip https server on page 177


set service-profile soda success-page

Specifies a page on the WX that loads when a client passes the security checks performed by the SODA agent.

Syntax - set service-profile name soda success-page page

• name - Service profile name.

• page - Page that is loaded if the client passes the security checks performed by the SODA agent.

Defaults - By default, the WX switch generates a page indicating that the client passed the SODA agent checks.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - Use this command to specify a custom page loaded by the client when it passes the checks performed by the SODA agent. After this page is loaded, the client is placed in its assigned VLAN and granted access to the network.

The page is assumed to reside in the root directory on the WX. You can optionally specify a different directory where the page resides.

This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default.

Examples - The following command specifies success.html, which resides in the root directory on the WX, as the page to load when a client passes the SODA agent checks:

WX4400# set service-profile sp1 soda success-page success.html

success: change accepted.

The following command specifies success.html, which resides in the soda-files directory on the WX switch, as the page to load when a client passes the SODA agent checks:

WX4400# set service-profile sp1 soda success-page soda-files/success.html

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile soda enforce-checks on page 458

• set service-profile soda mode on page 462

set service-profile ssid-name

Configures the SSID name in a service profile.

Syntax - set service-profile name ssid-name ssid-name

• name - Service profile name.

• ssid-name - Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.

Defaults - The default SSID name is private.

Access - Enabled.

History - Introduced in MSS Version 3.0. Support added for blank spaces in the SSID name in MSS Version 4.0.

Examples - The following command applies the name guest to the SSID managed by service profile clear_wlan:

WX4400# set service-profile clear_wlan ssid-name guest

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile ssid-type on page 466


See Also

• display service-profile on page 353

• set service-profile ssid-name on page 465

set service-profile tkip-mc-time

Changes the length of time that MAP radios use countermeasures if two message integrity code (MIC) failures occur within 60 seconds. When countermeasures are in effect, MAP radios dissociate all TKIP and WPA WEP clients and refuse all association and reassociation requests until the countermeasures end.

Syntax - set service-profile name tkip-mc-time wait-time

• name - Service profile name.

• wait-time - Number of milliseconds (ms) countermeasures remain in effect. You can specify from 0 to 60,000.

Defaults - The default countermeasures wait time is 60,000 ms (60 seconds).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients and non-WPA WEP clients. CCMP clients are not affected.

The TKIP cipher suite must be enabled. The WPA IE also must be enabled.

Examples - The following command changes the countermeasures wait time for service profile sp3 to 30,000 ms (30 seconds):

WX4400# set service-profile sp3 tkip-mc-time 30000

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile cipher-tkip on page 441

• set service-profile wpa-ie on page 481
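
The tkip-mc-time setting trades availability for protection: the longer the wait time, the longer TKIP and WEP clients stay locked out after two MIC failures. The following Python model is an added example, not 3Com code; the class and function names, the sample timestamps, and the two behaviours marked as assumptions in the comments are not taken from this reference.

```python
"""Model of the TKIP countermeasures timer described for tkip-mc-time."""

MIC_WINDOW_MS = 60_000  # from the page: two MIC failures within 60 seconds


class TkipCountermeasures:
    """Toy model of the countermeasures state of one MAP radio."""

    def __init__(self, wait_time_ms=60_000):
        # tkip-mc-time accepts 0 to 60,000 ms; 60,000 ms is the default.
        if not 0 <= wait_time_ms <= 60_000:
            raise ValueError("tkip-mc-time must be from 0 to 60000 ms")
        self.wait_time_ms = wait_time_ms
        self._last_failure_ms = None
        self._active_until_ms = None

    def active(self, now_ms):
        """True while countermeasures are in effect."""
        return self._active_until_ms is not None and now_ms < self._active_until_ms

    def mic_failure(self, now_ms):
        """Record a MIC failure; return True if it starts countermeasures."""
        if self.active(now_ms):
            # Assumption: failures seen while countermeasures run are ignored.
            return False
        previous, self._last_failure_ms = self._last_failure_ms, now_ms
        if previous is not None and now_ms - previous <= MIC_WINDOW_MS:
            self._active_until_ms = now_ms + self.wait_time_ms
            # Assumption: the pair is consumed, so two new failures are needed
            # to start countermeasures again.
            self._last_failure_ms = None
            return True
        return False

    def association_allowed(self, now_ms, cipher):
        """CCMP clients are not affected; TKIP and WEP clients are refused
        while countermeasures are in effect."""
        if cipher.lower() == "ccmp":
            return True
        return not self.active(now_ms)


def lockout_intervals(failure_times_ms, wait_time_ms):
    """Return (start_ms, end_ms) spans during which countermeasures apply."""
    radio = TkipCountermeasures(wait_time_ms)
    return [(t, t + wait_time_ms)
            for t in sorted(failure_times_ms) if radio.mic_failure(t)]


# Constructed sample: MIC failure timestamps in milliseconds.
SAMPLE_FAILURES_MS = [0, 10_000, 200_000, 300_000, 330_000]

if __name__ == "__main__":
    for wait in (60_000, 30_000, 0):
        spans = lockout_intervals(SAMPLE_FAILURES_MS, wait)
        total = sum(end - start for start, end in spans)
        print("tkip-mc-time %5d: lockouts %s, total %d ms" % (wait, spans, total))
```
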

set service-profile static-cos

Enables or disables static CoS on a service profile. Static CoS assigns the same CoS level to all traffic on the service profile's SSID, regardless of 802.1p or DSCP markings in the packets themselves, and regardless of any ACLs that mark CoS. This option provides a simple way to configure an SSID for priority traffic such as VoIP traffic.

When static CoS is enabled, the standard MSS prioritization mechanism is not used. Instead, the MAP sets CoS as follows:

• For traffic from the MAP to clients, the MAP places the traffic into the forwarding queue that corresponds to the CoS level configured on the service profile. For example, if the static CoS level is set to 7, the MAP radio places client traffic in its Voice queue.

• For traffic from clients to the network, the MAP marks the DSCP value in the IP headers of the tunnel packets used to carry the user data from the MAP to the WX switch.

Syntax - set service-profile name static-cos {enable | disable}

• name - Service profile name.

• enable - Enables static CoS on the service profile.

• disable - Disables static CoS on the service profile.

Defaults - Static CoS is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - The CoS level is specified by the set service-profile cos command.

Examples - The following command enables static CoS on service profile sp1:

WX4400# set service-profile sp1 static-cos enable

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile cos on page 444

set service-profile transmit-rates

Changes the data rates supported by MAP radios for a service-profile SSID.

Syntax - set service-profile name transmit-rates {11a | 11b | 11g} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}]

• name - Service profile name.

• 11a | 11b | 11g - Radio type.

• mandatory rate-list - Set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. A client must support at least one of the mandatory rates.

  These rates are advertised in the basic rate set of 802.11 beacons, probe responses, and reassociation response frames sent by MAP radios.

  Data frames and management frames sent by MAP radios use one of the specified mandatory rates.

  The valid rates depend on the radio type:

  • 11a - 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0

  • 11b - 1.0, 2.0, 5.5, 11.0

  • 11g - 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0

  Use a comma to separate multiple rates; for example: 6.0,9.0,12.0

• disabled rate-list - Data transmission rates that MAP radios do not use to transmit data. This setting applies only to data sent by the MAP radios. The radios still accept frames from clients at disabled data rates.

  The valid rates depend on the radio type and are the same as the valid rates for mandatory.

• beacon-rate rate - Data rate of beacon frames sent by MAP radios. This rate is also used for probe-response frames.

  The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the beacon rate to a disabled rate.

• multicast-rate {rate | auto} - Data rate of multicast frames sent by MAP radios.

  • rate - Sets the multicast rate to a specific rate. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the multicast rate to a disabled rate.

  • auto - Sets the multicast rate to the highest rate that can reach all clients connected to the MAP radio.

Defaults - This command has the following defaults:

• mandatory:

  • 11a - 6.0,12.0,24.0

  • 11b - 1.0,2.0

  • 11g - 1.0,2.0,5.5,11.0

• disabled - None. All rates applicable to the radio type are supported by default.

• beacon-rate:

  • 11a - 6.0

  • 11b - 2.0

  • 11g - 2.0

• multicast-rate - auto for all radio types.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or multicast rate. All rates that are applicable to the radio type and that are not disabled are supported by the radio.

Examples - The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:

WX4400# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0

success: change accepted.

See Also

• display service-profile on page 353
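
The rate rules above (valid rates per radio type, and no disabled rate used as a mandatory, beacon or multicast rate) can be checked before a command is pasted into a switch. The following Python checker is an added example, not 3Com code; the function names and the second sample line are constructed here, and accepting 6 for 6.0 is a convenience of the checker, not documented CLI behaviour.

```python
"""Check a transmit-rates command line against the documented rate rules."""

# Valid rates per radio type, as listed in the command description.
VALID_RATES = {
    "11a": (6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0),
    "11b": (1.0, 2.0, 5.5, 11.0),
    "11g": (1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0),
}


def _rates(text):
    """Turn '6.0,9.0' into [6.0, 9.0]; raises ValueError on a bad entry."""
    return [float(item) for item in text.split(",") if item]


def parse_transmit_rates(line):
    """Parse one transmit-rates command (CLI prompt optional) into a dict."""
    tokens = line.split()
    if tokens and tokens[0].endswith("#"):  # drop a prompt such as 'WX4400#'
        tokens = tokens[1:]
    if (len(tokens) < 7 or tokens[:2] != ["set", "service-profile"]
            or tokens[3] != "transmit-rates" or tokens[5] != "mandatory"):
        raise ValueError("not a transmit-rates command: %r" % line)
    cfg = {"profile": tokens[2], "radio": tokens[4],
           "mandatory": _rates(tokens[6]), "disabled": [],
           "beacon-rate": None, "multicast-rate": None}  # None = not given
    rest = tokens[7:]
    if len(rest) % 2:
        raise ValueError("option without a value in: %r" % line)
    for key, value in zip(rest[0::2], rest[1::2]):
        if key == "disabled":
            cfg["disabled"] = _rates(value)
        elif key == "beacon-rate":
            cfg["beacon-rate"] = float(value)
        elif key == "multicast-rate":
            cfg["multicast-rate"] = value if value == "auto" else float(value)
        else:
            raise ValueError("unknown option %r" % key)
    return cfg


def validate(cfg):
    """Return a list of rule violations; an empty list means the line is consistent."""
    valid = VALID_RATES.get(cfg["radio"])
    if valid is None:
        return ["unknown radio type %s" % cfg["radio"]]
    problems = []
    disabled = set(cfg["disabled"])
    for field in ("mandatory", "disabled"):
        for rate in cfg[field]:
            if rate not in valid:
                problems.append("%s rate %s is not valid for %s"
                                % (field, rate, cfg["radio"]))
    if not cfg["mandatory"]:
        problems.append("no mandatory rate given")
    for rate in cfg["mandatory"]:
        if rate in disabled:
            problems.append("mandatory rate %s is also disabled" % rate)
    for field in ("beacon-rate", "multicast-rate"):
        rate = cfg[field]
        if rate is None or rate == "auto":
            continue
        if rate not in valid:
            problems.append("%s %s is not valid for %s" % (field, rate, cfg["radio"]))
        elif rate in disabled:
            problems.append("%s %s is a disabled rate" % (field, rate))
    return problems


def check(line):
    """Parse and validate one command line."""
    return validate(parse_transmit_rates(line))


# The example command from this reference.
PAGE_EXAMPLE = ("WX4400# set service-profile sp1 transmit-rates 11a "
                "mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0")
# Constructed line that breaks three of the rules.
CONSTRUCTED_BAD = ("set service-profile sp1 transmit-rates 11b "
                   "mandatory 1.0,6.0 disabled 1.0 beacon-rate 1.0")

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        print(sample)
        for problem in check(sample) or ["ok"]:
            print("   ", problem)
```
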

Syntax - set service-profile name use-client-dscp {enable | disable}

• name - Service profile name.

• enable - Enables mapping QoS level from the DSCP level.

• disable - Disables mapping QoS level from the DSCP level.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - If this command is enabled in the service profile, the 802.11 QoS level is ignored, and MSS classifies the QoS level of IP packets based on their DSCP value.

Examples - The following command enables mapping the QoS level of IP packets based on their DSCP value for service profile sp1:

WX# set service-profile sp1 use-client-dscp enable

success: change accepted.

See Also

• display service-profile on page 353

• display qos on page 133

set service-profile user-idle-timeout

Changes the number of seconds MSS leaves a session up for a client that is not sending data and is not responding to keepalives (idle-client probes). If the timer expires, the client session is changed to the Dissociated state.

The timer is reset to 0 each time a client sends data or responds to an idle-client probe. If the idle-client probe is disabled, the timer is reset each time the client sends data.

Syntax - set service-profile name user-idle-timeout seconds

• name - Service profile name.

• seconds - Number of seconds a client is allowed to remain idle before MSS changes the session to the Dissociated state. You can specify from 20 to 86400 seconds.

  To disable the timer, specify 0.

Defaults - The default user idle timeout is 180 seconds (3 minutes).

Access - Enabled.

History - Introduced in MSS Version 4.2.

Examples - The following command increases the user idle timeout to 360 seconds (6 minutes):

WX4400# set service-profile sp1 user-idle-timeout 360

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile idle-client-probing on page 446

• set service-profile web-portal-session-timeout on page 477

set service-profile web-portal-acl

Changes the ACL name MSS uses to filter Web-Portal user traffic during authentication.

Use this command if you create a custom Web-Portal ACL to allow more than just DHCP traffic during authentication. For example, if you configure an ACL that allows a Web-Portal user to access a credit card server, use this command to use the custom ACL for Web-Portal users that associate with the service profile SSID.

Syntax - set service-profile name web-portal-acl aclname

• name - Service profile name.

• aclname - Name of the ACL to use for filtering Web-Portal user traffic during authentication.

Defaults - By default, a service profile web-portal-acl option is not set. However, when you change the service profile auth-fallthru option to web-portal, MSS sets the web-portal-acl option to portalacl. (MSS automatically creates the portalacl ACL the first time you set any service profile auth-fallthru option to web-portal.)

Access - Enabled.

History - Introduced in MSS Version 5.0.

Usage - The first time you set the service profile auth-fallthru option to web-portal, MSS sets the web-portal-acl option to portalacl. The value remains portalacl even if you change the auth-fallthru option again. To change the web-portal-acl value, you must use the set service-profile web-portal-acl command.

The Web-Portal ACL applies only to users who log on using Web Portal, and applies only during authentication. After a Web Portal user is authenticated, the Web Portal ACL no longer applies. ACLs and other user attributes assigned to the username are applied instead.

Examples - The following command changes the Web-Portal ACL name on service profile sp3 to creditsrvr:

WX1200# set service-profile sp3 web-portal-acl creditsrvr

success: change accepted.

See Also

• set service-profile auth-fallthru on page 434

• display service-profile on page 353

set service-profile web-portal-form

Specifies a custom login page that loads for WebAAA users requesting the SSID managed by the service profile.

Syntax - set service-profile name web-portal-form url

• name - Service profile name.

• url - WX subdirectory name and HTML page name of the login page. Specify the full path. For example, corpa-ssid/corpa.html.

Defaults - The 3Com Web login page is served by default.

Access - Enabled.

History - Introduced in MSS Version 3.0. Option name changed from web-aaa-form to web-portal-form, to reflect change to portal-based implementation in MSS Version 4.0.

Usage - 3Com recommends that you create a subdirectory for the custom page and place all the page's files in that subdirectory. Do not place the custom page in the root directory of the switch's user file area.

If the custom login page includes gif or jpg images, their path names are interpreted relative to the directory from which the page is served.

To use WebAAA, the fallthru authentication type in the service profile that manages the SSID must be set to web. To use WebAAA for a wired authentication port, edit the port configuration with the set port type wired-auth command.

Examples - The following commands create a subdirectory named corpa-ssid, copy a custom login page named corpa-login.html and a jpg image named corpa-logo.jpg into that subdirectory, and set the Web login page for service profile to corpa-login.html:

WX4400# mkdir corpa-ssid

success: change accepted.

WX4400# copy tftp://10.1.1.1/corpa-login.html corpa-ssid/corpa-login.html

success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]

WX4400# copy tftp://10.1.1.1/corpa-logo.jpg corpa-ssid/corpa-logo.jpg

success: received 1202 bytes in 0.402 seconds [ 2112 bytes/sec]

WX4400# dir corpa-ssid

===============================================================================

file:

WX4400# set service-profile corpa-service web-aaa-form corpa-ssid/corpa-login.html

success: change accepted.

See Also

• copy on page 667

• dir on page 670

• display service-profile on page 353

• mkdir on page 681

• set port type wired-auth on page 100

• set service-profile auth-fallthru on page 434

• set web-portal on page 278


set service-profile web-portal-logout logout-url

Specifies the URL that is requested when the user clicks the button to terminate his or her session in the Mobility Domain.

Syntax - set service-profile profile-name web-portal-logout logout-url url

• name - Service profile name.

• url - Specifies the URL for the Web Portal logout feature. The URL should be of the form https://host/logout.html.

Defaults - By default, the logout URL uses the IP address of the WX as the host part of the URL. The host can be either an IP address or a hostname.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - Specifying the URL for the Web Portal logout feature is useful if you want to standardize the URL across your network. For example, you can configure the logout URL on all of the WX switches in the Mobility Domain as wifizone.3Com.com/logout.html, where wifizone.3Com.com resolves to one of the WX switches in the Mobility Domain, ideally the seed.

To log out of the network, the user can click the "End Session" button in the pop-under window, or request the logout URL directly.

Standardizing the logout URL serves as a backup means for the user to log out in case the pop-under window is closed inadvertently. Note that if a user requests the logout URL, he or she must enter a username and password in order to identify the session on the WX. (This is not necessary when the user clicks the "End Session" button in the pop-under window.) Both the username and password are required to identify the session. If there is more than one session with the same username, then requesting the logout URL does not end any session.

Examples - The following command configures the Web Portal logout URL as wifizone.3Com.com/logout.html for service profile sp1:

WX# set service-profile sp1 web-portal-logout logout-url https://wifizone.3Com.com/logout.html

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile web-portal-logout mode on page 476

set service-profile web-portal-logout mode

Enables the Web Portal logout functionality, so that a user can manually terminate his or her session.

Syntax - set service-profile profile-name web-portal-logout mode {enable | disable}

• name - Service profile name.

• enable - Enables the Web Portal logout functionality.

• disable - Disables the Web Portal logout functionality.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 6.0.

Usage - When Web Portal logout functionality is enabled, after a Web Portal WebAAA user is successfully authenticated and redirected to the requested page, a pop-under window appears behind the user's browser. The window contains a button labeled "End Session". When the user clicks this button, a URL is requested that terminates the user session in the Mobility Domain.

This feature gives Web Portal users a way to manually log out of the network, instead of waiting to be logged out automatically when the Web Portal WebAAA session timeout period expires.

Examples - The following command enables the Web Portal logout functionality for service profile sp1:

WX# set service-profile sp1 web-portal-logout mode enable

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile web-portal-logout logout-url on page 475

set service-profile web-portal-session-timeout

Changes the number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically.

Syntax - set service-profile name web-portal-session-timeout seconds

• name - Service profile name.

• seconds - Number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically. You can specify from 5 to 2800 seconds.

Defaults - The default Web Portal WebAAA session timeout is 5 seconds.

Access - Enabled.

History - Introduced in MSS Version 4.2.

Usage - When a client that has connected through Web Portal WebAAA enters standby or hibernation mode, the client may be idle for longer than the User idle-timeout period. When the User idle-timeout period expires, MSS places the client Web Portal WebAAA session in the Deassociated state. The Web Portal WebAAA session can remain in the Deassociated state for a configurable amount of time before being terminated automatically. This configurable amount of time is called the Web Portal WebAAA session timeout period. You can use this command to set the number of seconds in the Web Portal WebAAA session timeout period.

Note that the Web Portal WebAAA session timeout period applies only to Web Portal WebAAA sessions already authenticated with a username and password. For all other Web Portal WebAAA sessions, the default Web Portal WebAAA session timeout period of 5 seconds is used.

Examples - The following command allows Web Portal WebAAA sessions to remain in the Deassociated state 180 seconds before being terminated automatically:

WX4400# set service-profile sp1 web-portal-session-timeout 180

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile user-idle-timeout on page 471

set service-profile wep active-multicast-index

Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting multicast frames.

Syntax - set service-profile name wep active-multicast-index num

• name - Service profile name.

• num - WEP key number. You can enter a value from 1 through 4.

Defaults - If WEP encryption is enabled and WEP keys are defined, MAP radios use WEP key 1 to encrypt multicast frames, by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Before using this command, you must configure values for the WEP keys you plan to use. Use the set service-profile wep key-index command.

Examples - The following command configures service profile sp2 to use WEP key 2 for encrypting multicast traffic:

WX4400# set service-profile sp2 wep active-multicast-index 2

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile wep active-unicast-index on page 479

• set service-profile wep key-index on page 480

set service-profile wep active-unicast-index

Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames.

Syntax - set service-profile name wep active-unicast-index num

• name - Service profile name.

• num - WEP key number. You can enter a value from 1 through 4.

Defaults - If WEP encryption is enabled and WEP keys are defined, MAP radios use WEP key 1 to encrypt unicast frames, by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Before using this command, you must configure values for the WEP keys you plan to use. Use the set service-profile wep key-index command.

Examples - The following command configures service profile sp2 to use WEP key 4 for encrypting unicast traffic:

WX4400# set service-profile sp2 wep active-unicast-index 4

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile wep active-multicast-index on page 478

• set service-profile wep key-index on page 480


Defaults - By default, no static WEP keys are defined.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - MSS automatically enables static WEP when you define a WEP key. MSS continues to support dynamic WEP.

If you plan to use static WEP, do not map more than 8 service profiles that contain static WEP keys to the same radio profile.

Examples - The following command configures WEP key index 1 for service profile sp2 to aabbccddee:

WX4400# set service-profile sp2 wep key-index 1 key aabbccddee

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile wep active-multicast-index on page 478

• set service-profile wep active-unicast-index on page 479


set service-profile wpa-ie

Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile.

Syntax - set service-profile name wpa-ie {enable | disable}

• name - Service profile name.

• enable - Enables the WPA IE.

• disable - Disables the WPA IE.

Defaults - The WPA IE is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - When the WPA IE is enabled, the default authentication method is 802.1X. There is no default cipher suite. You must enable the cipher suites you want the radios to support.

Examples - The following command enables the WPA IE in service profile sp2:

WX4400# set service-profile sp2 wpa-ie enable

success: change accepted.

See Also

• display service-profile on page 353

• set service-profile auth-dot1x on page 433

• set service-profile auth-psk on page 435

• set service-profile cipher-ccmp on page 440

• set service-profile cipher-tkip on page 441

• set service-profile cipher-wep104 on page 442

• set service-profile cipher-wep40 on page 443
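
Several of the service-profile options in this chapter weaken a profile when they move away from their documented defaults. The following Python audit over saved set service-profile lines is an added example, not 3Com code; the function names, the finding texts and the sample configuration (including the host wifizone.example.com) are constructed here, and the rules cover only options described in this chapter.

```python
"""Flag security-relevant service-profile settings in saved MSS commands."""
import shlex


def _finding(opts):
    """Map the option part of one command to a finding string, or None."""
    head, arg = opts[0], opts[-1]
    if opts[:2] == ["wep", "key-index"] and len(opts) >= 3:
        # Defining a key enables static WEP; the key itself is not echoed.
        return "static WEP key index %s is defined, which enables static WEP" % opts[2]
    if opts == ["soda", "enforce-checks", "disable"]:
        return "SODA checks not enforced: client is admitted before the checks run"
    if head == "tkip-mc-time" and len(opts) == 2 and arg.isdigit() \
            and int(arg) < 60000:
        return "TKIP countermeasures shortened to %s ms (default 60000)" % arg
    if head == "user-idle-timeout" and opts[1:] == ["0"]:
        return "user idle timer is disabled"
    if opts[:2] == ["web-portal-logout", "logout-url"] and len(opts) == 3 \
            and not arg.lower().startswith("https://"):
        return "logout URL is not of the form https://host/logout.html"
    if head == "web-portal-acl" and len(opts) == 2 and arg != "portalacl":
        return "custom Web-Portal ACL %s: review what it permits during authentication" % arg
    return None


def audit(config_text):
    """Return a sorted list of (profile, finding) for the given command lines."""
    findings = set()
    for raw in config_text.splitlines():
        try:
            # shlex handles SSID names quoted with single or double quotes.
            tokens = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quotes: not a complete command line
        if tokens and tokens[0].endswith("#"):  # drop a prompt such as 'WX4400#'
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[:2] != ["set", "service-profile"]:
            continue
        result = _finding(tokens[3:])
        if result:
            findings.add((tokens[2], result))
    return sorted(findings)


# Constructed sample, built from the command forms shown in this chapter.
SAMPLE_CONFIG = """\
set service-profile clear_wlan ssid-name 'Guest Net'
set service-profile sp1 soda enforce-checks disable
set service-profile sp1 web-portal-logout logout-url http://wifizone.example.com/logout.html
set service-profile sp2 wep key-index 1 key aabbccddee
set service-profile sp2 wep active-unicast-index 4
set service-profile sp3 tkip-mc-time 30000
set service-profile sp3 web-portal-acl creditsrvr
set service-profile sp3 user-idle-timeout 360
success: change accepted.
"""

if __name__ == "__main__":
    for profile, text in audit(SAMPLE_CONFIG):
        print("%-6s %s" % (profile, text))
```
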


Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a wireless LAN switch or controller, to maintain a loop-free network.

484 CHAPTER 12: STP COMMANDS

Table 74 STP Commands by Usage (continued)

Syntax - clear spantree portcost port-list

• port-list - List of ports. The port cost is reset on the specified ports.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.

Examples - The following command resets the STP port cost on ports 5 and 6 to the default value:

WX1200# clear spantree portcost 5-6

success: change accepted.

See Also

• clear spantree portvlancost on page 485

• display spantree on page 488

• display spantree portvlancost on page 494

• set spantree portcost on page 505

• set spantree portvlancost on page 508

Syntax - clear spantree portpri port-list

• port-list - List of ports. The port priority is reset to 32 (the default) on the specified ports.

• port-list - List of ports. The port cost is reset on the specified ports.

• all - Resets the cost for all VLANs.

• vlan vlan-id - VLAN name or number. MSS resets the cost for only the specified VLAN.


See Also

• display spantree statistics on page 494


display spantree

Displays STP configuration and port-state information.

Syntax - display spantree [port-list | vlan vlan-id][active]

• port-list - List of ports. If you do not specify any ports, MSS displays STP information for all ports.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays STP information for all VLANs.

• active - Displays information for only the active (forwarding) ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0. Version 4.2 added a value STP Off for STP-State and Port-State fields. This state indicates that STP is disabled on the port. The Disabled state is still used, but only to indicate that the port is not forwarding traffic.

Examples - The following command displays STP information for VLAN default:


Table 75 describes the fields in this display.

Table 75 Output for display spantree


Examples - The following command shows information about blocked ports on a WX switch for the default VLAN (VLAN 1):

WX4400# display spantree blockedports vlan default

PortVlan Port-State Cost Prio Portfast

------------------------------------------------------------------------

2190 Blocking 4 128 Disabled

Number of blocked ports (segments) in VLAN 1 : 1

The port information is the same as the information displayed by the display spantree command. See Table 75 on page 489.

See Also

• display spantree on page 488


Syntax - display spantree portfast [port-list]

• port-list - List of ports. If you do not specify any ports, MSS displays uplink fast convergence information for all ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command shows uplink fast convergence information for all ports:

WX1200# display spantree portfast

Table 76 describes the fields in this display.

Table 76 Output for display spantree portfast

See Also

• set spantree portfast on page 506


Syntax - display spantree portvlancost port-list

• port-list - List of ports.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command shows the STP port cost of port 1:

WX4400# display spantree portvlancost 1

port 1 VLAN 1 have path cost 19

See Also

• clear spantree portcost on page 484

• clear spantree portvlancost on page 485

• display spantree on page 488

• set spantree portcost on page 505

• set spantree portvlancost on page 508

display spantree statistics

Displays STP statistics for one or more WX network ports.

Syntax - display spantree statistics [port-list [vlan vlan-id]]

• port-list - List of ports. If you do not specify any ports, MSS displays STP statistics for all ports.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Usage - The command displays statistics separately for each port.

Examples - The following command shows STP statistics for port 1:

WX4400# display spantree statistics 1

BPDU related parameters

Table 77 describes the fields in this display.


Table 77 Output for display spantree statistics (continued)


See Also

• clear spantree statistics on page 487

display spantree uplinkfast Shows uplink fast convergence information for one VLAN or all VLANs.

Syntax - display spantree uplinkfast [vlan vlan-id]

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command shows uplink fast convergence information for all VLANs:

WX4400# display spantree uplinkfast

VLAN port list

------------------------------------------------------------------------

1 1(fwd),2,3

Table 78 describes the fields in this display.

Syntax - set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]

• enable - Enables STP.

• disable - Disables STP.

• all - Enables or disables STP on all VLANs.

• vlan vlan-id - VLAN name or number. MSS enables or disables STP on only the specified VLAN, on all ports within the VLAN.

• port port-list vlan-id - Port number or list and the VLAN the ports are in. MSS enables or disables STP on only the specified ports, within the specified VLAN.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command enables STP on all VLANs configured on a WX switch:

WX4400# set spantree enable

success: change accepted.

The following command disables STP on VLAN burgundy:

WX4400# set spantree disable vlan burgundy

success: change accepted.

Syntax - set spantree backbonefast {enable | disable}

• enable - Enables backbone fast convergence.

• disable - Disables backbone fast convergence.

Defaults - STP backbone fast path convergence is disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - If you plan to use the backbone fast convergence feature, you must enable it on all the bridges in the spanning tree.

Examples - The following command enables backbone fast convergence:

WX4400# set spantree backbonefast enable

success: change accepted.

See Also

• display spantree backbonefast on page 491

set spantree fwddelay

See Also

• display spantree on page 488

set spantree hello Changes the interval between STP hello messages sent by a wireless LAN switch when operating as the root bridge, on one or all of its configured VLANs.

Syntax - set spantree hello interval {all | vlan vlan-id}

• interval - Interval value. You can specify from 1 through 10 seconds.

• all - Changes the interval on all VLANs.

• vlan vlan-id - VLAN name or number. MSS changes the interval on only the specified VLAN.

Defaults - The default hello timer interval is 2 seconds.

• aging-time - Maximum age value. You can specify from 6 through 40 seconds.

• all - Changes the maximum age on all VLANs.

• vlan vlan-id - VLAN name or number. MSS changes the maximum age on only the specified VLAN.

Defaults - The default maximum age for root bridge hello packets is 20 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command changes the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds:

WX4400# set spantree maxage 15 all

success: change accepted.

See Also

• display spantree on page 488

set spantree portcost

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command applies only to the default VLAN (VLAN 1). To change the cost of a port in another VLAN, use the set spantree portvlancost command.

Examples - The following command changes the cost on ports 3 and 4 to 20:

WX1200# set spantree portcost 3,4 cost 20

success: change accepted.

See Also

• display spantree portfast on page 493

set spantree portpri Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on a wireless LAN switch.

Syntax - set spantree portpri port-list priority value

• port-list - List of ports. MSS changes the priority on the specified ports.

• priority value - Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority).

Defaults - The default STP priority for all network ports is 128.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command applies only to the default VLAN (VLAN 1). To change the priority of a port in another VLAN, use the set spantree portvlanpri command.

Examples - The following command sets the priority of ports 3 and 4 to 48:

WX1200# set spantree portpri 3-4 priority 48

success: change accepted.

See Also

• clear spantree portpri on page 485

• clear spantree portvlanpri on page 486

• display spantree on page 488

• set spantree portvlanpri on page 509

set spantree portvlanpri

See Also

• clear spantree portpri on page 485

• clear spantree portvlanpri on page 486

• display spantree on page 488

• set spantree portpri on page 507

Syntax - set spantree uplinkfast {enable | disable}

• enable - Enables uplink fast convergence.

• disable - Disables uplink fast convergence.

Defaults - Disabled.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WX switches that are in the network core.

Examples - The following command enables uplink fast convergence:

WX4400# set spantree uplinkfast enable

success: change accepted.

See Also

• display spantree uplinkfast on page 500

Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a WX.

514 CHAPTER 13: IGMP SNOOPING COMMANDS

clear igmp statistics Clears IGMP statistics counters on one VLAN or all VLANs on a wireless LAN switch and resets them to 0.

Syntax - clear igmp statistics [vlan vlan-id]

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs.

Syntax - display igmp [vlan vlan-id]

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays IGMP information for all VLANs.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command displays IGMP information for VLAN orange:

Table 81 describes the fields in this display.

Table 81 Output for display igmp


Syntax - display igmp mrouter [vlan vlan-id]

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays the multicast routers in all VLANs.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command displays the multicast routers in VLAN orange:

Table 82 describes the fields in this display.

Syntax - display igmp querier [vlan vlan-id]

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS displays querier information for all VLANs.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command displays querier information for VLAN orange:

WX1200# display igmp querier vlan orange

The following command shows the information MSS displays when the querier is the WX itself:

WX1200# display igmp querier vlan default

Querier for vlan default:

I am the querier for vlan default, time to next query is 20

The output indicates how many seconds remain before the pseudo-querier on the WX switch broadcasts the next general query report to IP address 224.0.0.1, the multicast all-systems group.

If IGMP snooping does not detect a querier, the output indicates this finding, as shown in the following example:

WX1200# display igmp querier vlan red

Querier for vlan red:

There is no querier present on vlan red

This condition does not necessarily indicate a problem. For example, election of the querier might be in progress.

Table 83 describes the fields in this display. Table 82 on page 519 describes the fields in the display when a querier other than the WX is present.

Table 83 Output for display igmp mrouter

Field Description

Querier for vlan VLAN containing the querier. Information is listed separately for each VLAN.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.

Examples - The following command displays all multicast receivers in VLAN orange:

The following command lists all receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs:

Table 84 describes the fields in this display.

Table 84 Output for display igmp receiver-table

See Also

• set igmp receiver on page 533

display igmp statistics

Topology notifications: 0

Packets with unknown IGMP type: 0

Packets with bad length: 0

Packets with bad checksum: 0

Packets dropped: 4

Table 85 describes the fields in this display.


Table 85 Output of display igmp statistics

Syntax - set igmp {enable | disable} [vlan vlan-id]

• enable - Enables IGMP snooping.

• disable - Disables IGMP snooping.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, IGMP snooping is disabled or reenabled on all VLANs.

History - Introduced in MSS Version 3.0.

Examples - The following command disables IGMP snooping on VLAN orange:

WX1200# set igmp disable vlan orange

success: change accepted

See Also

• set igmp rv on page 534

Defaults - The default last member query interval is 10 tenths of a second (1 second).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command changes the last member query interval on VLAN orange to 5 tenths of a second:

WX1200# set igmp lmqi 5 vlan orange

success: change accepted.

See Also

• set igmp oqi on page 529

• set igmp qi on page 531

• set igmp mrouter on page 527

set igmp mrouter Adds or removes a port in a WX's list of ports on which it forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out.

Syntax - set igmp mrouter port port-list {enable | disable}

• port port-list - Port list. MSS adds or removes the specified ports in the list of static multicast router ports.

• enable - Adds the port to the list of static multicast router ports.

• disable - Removes the port from the list of static multicast router ports.

Defaults - By default, no ports are static multicast router ports.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.

Examples - The following command adds port 6 as a static multicast router port:

WX1200# set igmp mrouter port 6 enable

success: change accepted.

The following command removes port 6 from the static multicast router port list:

WX1200# set igmp mrouter port 6 disable

success: change accepted.

See Also

• display igmp statistics on page 523

Syntax - set igmp mrsol {enable | disable} [vlan vlan-id]

• enable - Enables multicast router solicitation.

• disable - Disables multicast router solicitation.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.

Defaults - Multicast router solicitation is disabled on all VLANs by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command enables multicast router solicitation on VLAN orange:

WX1200# set igmp mrsol enable vlan orange

success: change accepted

See Also

• set igmp mrsol mrsi on page 528

set igmp mrsol mrsi Changes the interval between multicast router solicitations by a WX on one VLAN or all VLANs.

Syntax - set igmp mrsol mrsi seconds [vlan vlan-id]

• seconds - Number of seconds between multicast router solicitations. You can specify a value from 1 through 65,535.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, MSS changes the multicast router solicitation interval for all VLANs.

Defaults - The interval between multicast router solicitations is 30 seconds by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.

Examples - The following example changes the multicast router solicitation interval to 60 seconds:

WX1200# set igmp mrsol mrsi 60

success: change accepted.

See Also

• set igmp mrsol on page 528.

Syntax - set igmp oqi seconds [vlan vlan-id]

• oqi seconds - Number of seconds that the WX waits for a general query to arrive before electing itself the querier. You can specify a value from 1 through 65,535.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.

Defaults - The default other-querier-present interval is 255 seconds (4.25 minutes).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - A WX cannot become the querier unless the pseudo-querier feature is enabled on the WX switch. When the feature is enabled, the WX becomes the querier for a subnet so long as the WX does not receive a query message from a router with a lower IP address than the IP address of the WX in that subnet. To enable the pseudo-querier feature, use set igmp querier.

Examples - The following command changes the other-querier-present interval on VLAN orange to 200 seconds:

WX1200# set igmp oqi 200 vlan orange

success: change accepted.

See Also

• set igmp rv on page 534

set igmp qi

Syntax - set igmp qi seconds [vlan vlan-id]

• qi seconds - Number of seconds that elapse between general queries sent by the WX when the WX switch is the querier for the subnet. You can specify a value from 1 through 65,535.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.

Defaults - The default query interval is 125 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The query interval is applicable only when the WX is querier for the subnet. For the WX switch to become the querier, the pseudo-querier feature must be enabled on the WX and the WX must have the lowest IP address among all the WX switches eligible to become a querier. To enable the pseudo-querier feature, use the set igmp querier command.

Examples - The following command changes the query interval on VLAN orange to 100 seconds:

WX1200# set igmp qi 100 vlan orange

success: change accepted.

See Also

• set igmp lmqi on page 526

• set igmp oqi on page 529

• set igmp qri on page 532

• set igmp querier on page 533

• set igmp mrouter on page 527

• set igmp rv on page 534

Defaults - The default query response interval is 100 tenths of a second (10 seconds).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The query response interval is applicable only when the WX is querier for the subnet. For the WX to become the querier, the pseudo-querier feature must be enabled on the WX and the WX must have the lowest IP address among all the WX switches eligible to become a querier. To enable the pseudo-querier feature, use set igmp querier.

Examples - The following command changes the query response interval on VLAN orange to 50 tenths of a second (5 seconds):

WX1200# set igmp qri 50 vlan orange

success: change accepted.

See Also

• set igmp lmqi on page 526

• set igmp oqi on page 529

• set igmp qi on page 531

• set igmp querier on page 533

• set igmp rv on page 534

set igmp querier Enables or disables the IGMP pseudo-querier on a WX, on one VLAN or all VLANs.

Syntax - set igmp querier {enable | disable} [vlan vlan-id]

• enable - Enables the pseudo-querier.

• disable - Disables the pseudo-querier.

• vlan vlan-id - VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.

Defaults - The pseudo-querier is disabled on all VLANs by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - 3Com recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.

Examples - The following example enables the pseudo-querier on the orange VLAN:

WX1200# set igmp querier enable vlan orange

success: change accepted.

See Also

• display igmp querier on page 519

set igmp receiver Adds or removes a network port in the list of ports on which a WX forwards traffic to multicast receivers. Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out.

Syntax - set igmp receiver port port-list {enable | disable}

• port port-list - Network port list. MSS adds the specified ports to the list of static multicast receiver ports.

• enable - Adds the port to the list of static multicast receiver ports.

• disable - Removes the port from the list of static multicast receiver ports.

set igmp rv

See Also

• set igmp oqi on page 529

• set igmp qi on page 531

• set igmp qri on page 532

Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering.

(Security ACLs are different from the location policy on a WX, which helps you locally control user access. For location policy commands, see "AAA Commands" on page 211.)


538 CHAPTER 14: SECURITY ACL COMMANDS

clear security acl Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration.

Syntax - clear security acl {acl-name | all} [editbuffer-index]

• acl-name - Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.

• all - Clears all security ACLs.

• editbuffer-index - Number that indicates which access control entry (ACE) in the security ACL to clear. If you do not specify an ACE, all ACEs are cleared from the ACL.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command deletes security ACLs only in the edit buffer. You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage.

The clear security acl command deletes a security ACL, but does not stop its current filtering function if the ACL is mapped to any virtual LANs (VLANs), ports, or virtual ports, or if the ACL is applied in a Filter-Id attribute to an authenticated user or group of users with current sessions.

Examples - The following commands display the current security ACL configuration, clear acl_133 in the edit buffer, commit the deletion to the running configuration, and redisplay the ACL configuration to display that it no longer contains acl_133:

WX4400# display security acl info all

ACL information for all

set security acl ip acl_133 (hits #1 0)

---------------------------------------------------------

1. deny IP source IP 192.168.1.6 0.0.0.0 destination IP any

set security acl ip acl_134 (hits #3 0)

---------------------------------------------------------

1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits

set security acl ip acl_135 (hits #2 0)

---------------------------------------------------------

1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits

WX4400# clear security acl acl_133

WX4400# commit security acl acl_133

configuration accepted

WX4400# display security acl info all

ACL information for all

set security acl ip acl_134 (hits #3 0)

---------------------------------------------------------

1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits

set security acl ip acl_135 (hits #2 0)

---------------------------------------------------------

1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits

See Also

• clear security acl map on page 539

• commit security acl on page 541

• display security acl info on page 545

• set security acl on page 552

clear security acl map Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on a WX switch.

Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To delete a security ACL from a user or group in the local WX database, use the command clear user attr, clear mac-user attr, clear usergroup attr, or clear mac-usergroup attr. To delete a security ACL from a user or group on an external RADIUS server, see the documentation for your RADIUS server.

Syntax - clear security acl map {acl-name | all} {vlan vlan-id | port port-list [tag tag-value] | ap ap-num} {in | out}

• acl-name - Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.

• all - Removes security ACL mapping from all physical ports, virtual ports, and VLANs on a WX switch.

• vlan vlan-id - VLAN name or number. MSS removes the security ACL from the specified VLAN.

• port port-list - Port list. MSS removes the security ACL from the specified WX physical port or ports.

• tag tag-value - Tag value that identifies a virtual port in a VLAN. Specify a value from 1 through 4095. MSS removes the security ACL from the specified virtual port.

• ap ap-num - One or more MAPs, based on their connection IDs. Specify a single connection ID, or specify a comma-separated list of connection IDs, a hyphen-separated range, or any combination, with no spaces. MSS removes the security ACL from the specified MAPs.

• in - Removes the security ACL from traffic coming into the WX switch.

• out - Removes the security ACL from traffic going out of the WX switch.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To clear a security ACL map, type the name of the ACL with the VLAN, physical port or ports, virtual port tag, or Distributed MAP and the direction of the packets to stop filtering. This command deletes the ACL mapping, but not the ACL.

Examples - To clear the mapping of security ACL acljoe from port 4 for incoming packets, type the following command:

WX4400# clear security acl map acljoe port 4 in

clear mapping accepted

To clear all physical ports, virtual ports, and VLANs on a WX switch of the ACLs mapped for incoming and outgoing traffic, type the following command:

WX4400# clear security acl map all

success: change accepted.

See Also

• clear security acl on page 538

• display security acl map on page 546

• set security acl map on page 557

commit security acl Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the WX switch. Or, when used with the clear security acl command, commit security acl deletes a security ACL, or all security ACLs, from the running configuration and nonvolatile storage.

Syntax - commit security acl {acl-name | all}

• acl-name - Name of an existing security ACL to commit. ACL names must start with a letter and are case-insensitive.

• all - Commits all security ACLs in the edit buffer.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Use the commit security acl command to save security ACLs into, or delete them from, the permanent configuration. Until you commit the creation or deletion of a security ACL, it is stored in an edit buffer and is not enforced. After you commit a security ACL, it is removed from the edit buffer.

A single commit security acl all command commits the creation and/or deletion of whatever display security acl info all editbuffer shows to be currently stored in the edit buffer.

Examples - The following commands commit all the security ACLs in the edit buffer to the configuration, display a summary of the committed ACLs, and show that the edit buffer has been cleared:

WX4400# display security acl info all editbuffer

acl editbuffer information for all

See Also

• clear security acl on page 538

• display security acl on page 542

• display security acl info on page 545

• rollback security acl on page 551

• set security acl on page 552

display security acl Displays a summary of the security ACLs that are mapped.

Syntax - display security acl

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command lists only the ACLs that have been mapped to something (a user, or VLAN, or port, and so on). To list all committed ACLs, use the display security acl info command. To list ACLs that have not yet been committed, use the display security acl editbuffer command.

Examples - To display a summary of the mapped security ACLs on a WX switch, type the following command:

Syntax - display security acl [info all] editbuffer

• info all - Displays the ACEs in each uncommitted ACL. Without this option, only the ACE names are listed.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 1.0.

Examples - To view a summary of the security ACLs in the edit buffer, type the following command:

WX4400# display security acl editbuffer

To view details about these uncommitted ACLs, type the following command.

WX4400# display security acl info all editbuffer

ACL edit-buffer information for all

set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)

----------------------------------------------------

1.permit IP source IP 192.168.254.12 0.0.0.0 destination IP any

2.permit IP source IP 192.168.253.11 0.0.0.0 destination IP any

3.deny SRC source IP 192.168.253.1 0.0.0.255

set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)

----------------------------------------------------

1. permit SRC source IP 192.168.1.1 0.0.0.0

See Also

• clear security acl on page 538

• commit security acl on page 541

• display security acl on page 542

• display security acl info on page 545

• set security acl on page 552

display security acl hits Displays the number of packets filtered by security ACLs ("hits") on the WX switch. Each time a packet is filtered by a security ACL, the hit counter increments.

Syntax - display security acl hits

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - For MSS to count hits for a security ACL, you must specify hits in the set security acl commands that define ACE rules for the ACL.

Examples - To display the security ACL hits on a WX switch, type the following command:

WX4400# display security acl hits

See Also

• set security acl hit-sample-rate on page 559

• set security acl on page 552

display security acl info Displays the contents of a specified security ACL or all security ACLs that are committed - saved in the running configuration and nonvolatile storage - or the contents of security ACLs in the edit buffer before they are committed.

Syntax - display security acl info [acl-name | all] [editbuffer]

• acl-name - Name of an existing security ACL to display. ACL names must start with a letter and are case-insensitive.

• all - Displays the contents of all security ACLs.

• editbuffer - Displays the contents of the specified security ACL or all security ACLs that are stored in the edit buffer after being created with set security acl. If you do not use this parameter, only committed ACLs are shown.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. The acl-name | all option is no longer required; display security acl info is valid and displays the same information as security acl info all in MSS Version 4.1.

Examples - To display the contents of all security ACLs committed on a WX switch, type the following command:

WX4400# display security acl info

ACL information for all

set security acl ip acl_123 (hits #5 462)

---------------------------------------------------------

1.permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits

2.deny IP source IP 192.168.2.11 0.0.0.0 destination IP any

set security acl ip acl_134 (hits #3 0)

---------------------------------------------------------

1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits

set security acl ip acl_135 (hits #2 0)

---------------------------------------------------------

1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits

The following command displays the contents of acl_123 in the edit buffer, including the committed ACE rules 1 and 2 and the uncommitted rule 3:

WX4400# display security acl info acl_123 editbuffer

ACL edit-buffer information for acl_123

set security acl ip acl_123 (ACEs 3, add 3, del 0, modified 0)

---------------------------------------------------------

1.permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits

2.deny IP source IP 192.168.2.11 0.0.0.0 destination IP any

3.deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits

See Also

• clear security acl on page 538

• commit security acl on page 541

• set security acl on page 552
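Rules that exist only in the edit buffer are not enforced until they are committed, so comparing the two displays above is a quick audit for pending ACL changes. The following Python script is an added example, not part of the 3Com manual: it parses pasted display security acl info output, parses the edit-buffer display, and reports ACEs found only in the edit buffer. The function names are hypothetical, the sample text is constructed from the displays above, and treating 255.255.255.255 as a mask that matches every source address is an inference from the page's use of 0.0.0.0 for single hosts.

```python
import re
from ipaddress import IPv4Address

# Constructed sample input, copied from the committed display shown above.
COMMITTED = """\
ACL information for all
set security acl ip acl_123 (hits #5 462)
---------------------------------------------------------
1.permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2.deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits
"""

# Constructed sample input, copied from the edit-buffer display shown above.
EDITBUFFER = """\
ACL edit-buffer information for acl_123
set security acl ip acl_123 (ACEs 3, add 3, del 0, modified 0)
---------------------------------------------------------
1.permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2.deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
3.deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
"""

ACL_HEADER = re.compile(r"^set security acl ip (\S+) \(")
ACE_LINE = re.compile(r"^(\d+)\.\s*(permit|deny)\s+(.*)$")
SOURCE = re.compile(r"source IP (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def parse_acls(text):
    """Return {acl_name: [(index, action, rest_of_rule), ...]}.

    ACL names are case-insensitive, so they are lowercased as keys.
    """
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1).lower(), [])
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            rest = " ".join(ace.group(3).split())  # normalise spacing
            current.append((int(ace.group(1)), ace.group(2), rest))
    return acls


def pending_aces(committed_text, editbuffer_text):
    """ACEs present in the edit buffer but absent from the committed ACL.

    Rules are compared by content, not by index, so a rule that was only
    renumbered is not reported.
    """
    committed = parse_acls(committed_text)
    pending = {}
    for name, aces in parse_acls(editbuffer_text).items():
        enforced = {(act, rest) for _, act, rest in committed.get(name, [])}
        extra = [ace for ace in aces if (ace[1], ace[2]) not in enforced]
        if extra:
            pending[name] = extra
    return pending


def matches_any_source(rest):
    """True when the mask ignores every source-address bit.

    Assumption: the mask is a wildcard mask, as the 0.0.0.0 host entries
    on the page suggest.
    """
    found = SOURCE.search(rest)
    return bool(found) and int(IPv4Address(found.group(2))) == 0xFFFFFFFF


def audit(committed_text, editbuffer_text):
    """Return (acl, index, action, note) for every uncommitted ACE."""
    findings = []
    for name, aces in pending_aces(committed_text, editbuffer_text).items():
        for index, action, rest in aces:
            note = "uncommitted, not enforced"
            if matches_any_source(rest):
                note += "; mask 255.255.255.255 matches every source"
            findings.append((name, index, action, note))
    return findings


if __name__ == "__main__":
    for finding in audit(COMMITTED, EDITBUFFER):
        print(finding)
```
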

Syntax - display security acl map acl-name

• acl-name - Name of an existing security ACL for which to show static mapping. ACL names must start with a letter and are case-insensitive.

Defaults - None.

Examples - To display security ACL resource usage, type the following command:

WX4400# display security acl resource-usage

ACL resources

Table 87 explains the fields in the display security acl resource-usage output.

Table 87 Output of display security acl resource-usage (continued)

rollback security acl

Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled back to its state after the last commit security acl command was entered. All uncommitted ACLs in the edit buffer are cleared.

Syntax - rollback security acl {acl-name | all}

• acl-name - Name of an existing security ACL to roll back. ACL names must start with a letter and are case-insensitive.

• all - Rolls back all security ACLs in the edit buffer, clearing all uncommitted ACEs.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following commands show the edit buffer before a rollback, clear any changes in the edit buffer to security acl_122, and show the edit buffer after the rollback:

WX4400# display security acl info all editbuffer

ACL edit-buffer information for all

set security acl ip acl_122 (ACEs 3, add 3, del 0, modified 0)

---------------------------------------------------------

1.permit IP source IP 20.0.1.11 0.0.0.255 destination IP any enable-hits

2.deny IP source IP 20.0.2.11 0.0.0.0 destination IP any

3.deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits

WX4400# rollback security acl acl_122

WX4400# display security acl info all editbuffer

ACL edit-buffer information for all

By ICMP packets

Syntax - set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask destination-ip-addr mask} [type icmp-type] [code icmp-code] [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]

By TCP packets

Syntax - set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [established] [before editbuffer-index | modify editbuffer-index] [hits]

By UDP packets

Syntax - set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]

• acl-name - Security ACL name. ACL names must be unique within the WX switch, must start with a letter, and are case-insensitive. Specify an ACL name of up to 32 of the following characters:

• Letters a through z and A through Z

• Numbers 0 through 9

• Hyphen (-), underscore (_), and period (.)

3Com recommends that you do not use the same name with different capitalizations for ACLs. For example, do not configure two separate ACLs with the names acl_123 and ACL_123.

In an ACL name, do not include the term all, default-action, map, help, or editbuffer.

• permit - Allows traffic that matches the conditions in the ACE.

• cos cos - For permitted packets, a class-of-service (CoS) level for packet handling. Specify a value from 0 through 7:

• 1 or 2 - Background. Packets are queued in MAP forwarding queue 4.

• 0 or 3 - Best effort. Packets are queued in MAP forwarding queue 3.

• 4 or 5 - Video. Packets are queued in MAP forwarding queue 2.

Use CoS level 4 or 5 for voice over IP (VoIP) packets other than SpectraLink Voice Priority (SVP).

• 6 or 7 - Voice. Packets are queued in MAP forwarding queue 1.

In MSS Version 3.0, use 6 or 7 only for VoIP phones that use SVP, not for other types of traffic.

• deny - Blocks traffic that matches the conditions in the ACE.

• protocol - IP protocol by which to filter packets:

• ip

• tcp

• udp

• icmp

• A protocol number between 0 and 255.

(For a complete list of IP protocol names and numbers, see www.iana.org/assignments/protocol-numbers.)

• source-ip-addr mask - IP address and wildcard mask of the network or host from which the packet is being sent. Specify both address and mask in dotted decimal notation. For more information, see "Wildcard Masks" on page 30.

• operator port [port2] - Operand and port number(s) for matching TCP or UDP packets to the number of the source or destination port on source-ip-addr or destination-ip-addr. Specify one of the following operands and the associated port:

• eq - Packets are filtered for only port number.

• gt - Packets are filtered for all ports that are greater than port number.

• lt - Packets are filtered for all ports that are less than port number.

• neq - Packets are filtered for all ports except port number.

• range - Packets are filtered for ports in the range between port and port2. To specify a port range, enter two port numbers. Enter the lower port number first, followed by the higher port number.

(For a complete list of TCP and UDP port numbers, see www.iana.org/assignments/port-numbers.)

• destination-ip-addr mask - IP address and wildcard mask of the network or host to which the packet is being sent. Specify both address and mask in dotted decimal notation. For more information, see "Wildcard Masks" on page 30.

• type icmp-type - Filters ICMP messages by type. Specify a value from 0 through 255. (For a list of ICMP message type and code numbers, see www.iana.org/assignments/icmp-parameters.)

• code icmp-code - For ICMP messages filtered by type, additionally filters ICMP messages by code. Specify a value from 0 through 255. (For a list of ICMP message type and code numbers, see www.iana.org/assignments/icmp-parameters.)

• precedence precedence - Filters packets by precedence level. Specify a value from 0 through 7:

• 0 - routine precedence

• 1 - priority precedence

• 2 - immediate precedence

• 3 - flash precedence

• 4 - flash override precedence

• 5 - critical precedence

• 6 - internetwork control precedence

• 7 - network control precedence

• tos tos - Filters packets by type of service (TOS) level. Specify one of the following values, or any sum of these values up to 15. For example, a tos value of 9 filters packets with the TOS levels minimum delay (8) and minimum monetary cost (1).

• 8 - minimum delay

• 4 - maximum throughput

• 2 - maximum reliability

• 1 - minimum monetary cost

• 0 - normal

• established - For TCP packets only, applies the ACE only to established TCP sessions and not to new TCP sessions.

• before editbuffer-index - Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)

• modify editbuffer-index - Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)

• hits - Tracks the number of packets that are filtered based on a security ACL, for all mappings.

Defaults - Permitted packets are assigned to class-of-service (CoS) class 0 by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The WX switch does not apply security ACLs until you activate them with the commit security acl command and map them to a VLAN, port, or virtual port, or to a user. If the WX switch is reset or restarted, any ACLs in the edit buffer are lost.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

The order of security ACEs in a security ACL is important. Once an ACL is active, its ACEs are checked according to their order in the ACL. If an ACE criterion is met, its action takes place and any ACEs that follow are ignored.

ACEs are listed in the order in which you create them, unless you move them. To position security ACEs within a security ACL, use before editbuffer-index and modify editbuffer-index.
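The first-match rule described above, combined with the wildcard-mask and port-operator semantics from the syntax description, as an added Python example that is not part of the 3Com manual or MSS. The Ace class and the function names are hypothetical, range is assumed to include both end ports, and the ACL is a constructed sample that reuses ACEs from this section's acl_123 and acl_125 examples.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # every bit is "don't care"


def _ip(text: str) -> int:
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Ace:                              # hypothetical model of one ACE
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches any protocol
    src: Tuple[str, str]                # (address, wildcard mask)
    dst: Tuple[str, str] = ANY
    dport: Optional[tuple] = None       # ("eq", 80), ("range", 20, 21), ...


def wildcard_match(addr: str, rule: Tuple[str, str]) -> bool:
    """0 bits in the wildcard mask must match, 1 bits are ignored."""
    care = ~_ip(rule[1]) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(rule[0]) & care)


def port_match(port: Optional[int], cond: Optional[tuple]) -> bool:
    if cond is None:
        return True
    if port is None:
        return False
    op, a = cond[0], cond[1]
    if op == "range":                   # assumption: both ends inclusive
        return a <= port <= cond[2]
    return {"eq": port == a, "neq": port != a,
            "gt": port > a, "lt": port < a}[op]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None):
    """Return (1-based ACE index, action) for the first match, else None."""
    for index, ace in enumerate(acl, start=1):
        if (ace.proto in ("ip", proto)
                and wildcard_match(src, ace.src)
                and wildcard_match(dst, ace.dst)
                and port_match(dport, ace.dport)):
            return index, ace.action
    return None


def _covers(outer: Tuple[str, str], inner: Tuple[str, str]) -> bool:
    """True if every address matched by inner is also matched by outer."""
    care = ~_ip(outer[1]) & 0xFFFFFFFF
    same_bits = ((_ip(outer[0]) ^ _ip(inner[0])) & care) == 0
    return (_ip(inner[1]) & care) == 0 and same_bits


def shadowed(acl: List[Ace]):
    """List (ACE, earlier ACE) index pairs where the later ACE never takes effect.

    Sufficient test only: the earlier ACE must cover the protocol and both
    address ranges, and have no port condition or the same one.
    """
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                found.append((j + 1, i + 1))
                break
    return found


# Constructed sample: ACEs from the acl_123 and acl_125 examples, placed in
# one ACL in the order they would be created.
ACL_AS_CREATED = [
    Ace("permit", "ip", ("192.168.1.11", "0.0.0.255")),
    Ace("deny", "ip", ("192.168.2.11", "0.0.0.0")),
    Ace("deny", "tcp", ("192.168.1.1", "0.0.0.0"),
        ("192.168.1.2", "0.0.0.0"), ("eq", 80)),
]
# The same ACEs with the specific deny moved to the front, which is the
# effect of adding it with "before 1".
ACL_REORDERED = [ACL_AS_CREATED[2], ACL_AS_CREATED[0], ACL_AS_CREATED[1]]

if __name__ == "__main__":
    pkt = ("tcp", "192.168.1.1", "192.168.1.2", 80)
    print(evaluate(ACL_AS_CREATED, *pkt), shadowed(ACL_AS_CREATED))
    print(evaluate(ACL_REORDERED, *pkt), shadowed(ACL_REORDERED))
```

evaluate returns None when no ACE matches, because this section does not state how the switch treats unmatched traffic.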

Examples - The following command adds an ACE to security acl_123 that permits packets from IP address 192.168.1.11/24 and counts the hits:

WX4400# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits

The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:

WX4400# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0

The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:

WX4400# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0 established hits

The following command adds an ACE to acl_125 that denies TCP packets from source IP address 192.168.1.1 to destination IP address 192.168.1.2, on destination port 80 only, and counts the hits:

WX4400# set security acl ip acl_125 deny tcp 192.168.1.1 0.0.0.0 192.168.1.2 0.0.0.0 eq 80 hits

Finally, the following command commits the security ACLs in the edit buffer to the configuration:

WX4400# commit security acl all

configuration accepted

See Also

• clear security acl on page 538

• commit security acl on page 541

• display security acl on page 542

set security acl map

Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed MAP on the WX switch.

To assign a security ACL to a user or group in the local WX database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS server.

Syntax - set security acl map acl-name {vlan vlan-id | port port-list [tag tag-list] | ap ap-num} {in | out}

• acl-name - Name of an existing security ACL to map. ACL names start with a letter and are case-insensitive.

• vlan vlan-id - VLAN name or number. MSS assigns the security ACL to the specified VLAN.

• port port-list - Port list. MSS assigns the security ACL to the specified physical WX port or ports.

• tag tag-list - One or more values that identify a virtual port in a VLAN. Specify a single tag value from 1 through 4095. Or specify a comma-separated list of values, a hyphen-separated range, or any combination, with no spaces. MSS assigns the security ACL to the specified virtual port or ports.

• ap ap-num - One or more MAPs, based on their connection IDs. Specify a single connection ID, or specify a comma-separated list of connection IDs, a hyphen-separated range, or any combination, with no spaces. MSS assigns the security ACL to the specified MAPs.

• in - Assigns the security ACL to traffic coming into the WX switch.

• out - Assigns the security ACL to traffic coming from the WX switch.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Before you can map a security ACL, you must use the commit security acl command to save the ACL in the running configuration and nonvolatile storage.

For best results, map only one input security ACL and one output security ACL to each VLAN, physical port, virtual port, or Distributed MAP to filter a flow of packets. If more than one security ACL filters the same traffic, MSS applies only the first ACL match and ignores any other matches.

Examples - The following command maps security ACL acl_133 to port 4 for incoming packets:

WX4400# set security acl map acl_133 port 4 in

success: change accepted.

Examples - The first command sets MSS to sample ACL hits every 15 seconds. The second and third commands display the results. The results show that 916 packets matching security acl_153 were sent since the ACL was mapped.

WX4400# set security acl hit-sample-rate 15

WX4400# display security acl info acl_153

ACL information for acl_153

set security acl ip acl_153 (hits #3 916)

---------------------------------------------------------

1. permit IP source IP 20.1.1.1 0.0.0.0 destination IP any enable-hits

WX4400# display security acl hits

See Also

• display security acl hits on page 544

• display security acl info on page 545

A digital certificate is a form of electronic identification for computers. The WX requires digital certificates to authenticate its communications to 3WXM and Web Manager, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WX performs all EAP processing. Certificates can be generated on the WX or obtained from a certificate authority (CA). Keys contained within the certificates allow the WX, its servers, and its wireless clients to exchange information secured by encryption.

If the switch does not already have certificates, MSS automatically generates the missing ones the first time you boot using MSS Version 4.2 or later. You do not need to install certificates unless you want to replace the ones automatically generated by MSS. (For more information, see the "Certificates Automatically Generated by MSS" section in the "Managing Keys and Certificates" chapter of the Wireless LAN Switch and Controller Configuration Guide.)

Before installing a new certificate, verify with the display timedate and display timezone commands that the WX is set to the correct date, time, and time zone. Otherwise, certificates might not be installed correctly.

crypto ca-certificate

Installs a certificate authority's own PKCS #7 certificate into the WX certificate and key storage area.

Syntax - crypto ca-certificate {admin | eap | web} PEM-formatted certificate

• admin - Stores the certificate authority's certificate that signed the administrative certificate for the WX switch.

The administrative certificate authenticates the WX to 3Com Wireless Switch Manager (3WXM) or Web View.

• eap - Stores the certificate authority's certificate that signed the Extensible Authentication Protocol (EAP) certificate for the WX switch.

The EAP certificate authenticates the WX to 802.1X supplicants (clients).

• web - Stores the certificate authority's certificate that signed the WebAAA certificate for the WX switch.

The Web certificate authenticates the WX to clients who use WebAAA.

• PEM-formatted certificate - ASCII text representation of the certificate authority PKCS #7 certificate, consisting of up to 5120 characters that you have obtained from the certificate authority.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - The Privacy-Enhanced Mail protocol (PEM) format is used for representing a PKCS #7 certificate in ASCII text. PEM uses base64 encoding to convert the certificate to ASCII text, then puts the encoded text between the following delimiters:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

To use this command, you must already have obtained a copy of the certificate authority's certificate as a PKCS #7 object file. Then do the following:

1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.

2. Enter the crypto ca-certificate command on the CLI command line.

3. When MSS prompts you for the PEM-formatted certificate, paste the PKCS #7 object file onto the command line.

Examples - The following command adds the certificate authority's certificate to WX certificate and key storage:

WX4400# crypto ca-certificate admin

Enter PEM-encoded certificate

-----BEGIN CERTIFICATE-----

MIIDwDCCA2qgAwIBAgIQL2jvuu4PO5FAQCyewU3ojANBgkqhkiG9wOBAQUFADCB

mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz

.....

Lm8wmVYxP56M;CUAm908C2foYgOY40=

-----END CERTIFICATE-----

See Also

• display crypto ca-certificate on page 573

crypto certificate

Installs one of the WX switch's PKCS #7 certificates into the certificate and key storage area on the WX switch. The certificate, which is issued and signed by a certificate authority, authenticates the WX switch either to 3WXM or Web Manager, or to 802.1X supplicants (clients).

Syntax - crypto certificate {admin | eap | web} PEM-formatted certificate

• admin - Stores the certificate authority's administrative certificate, which authenticates the WX switch to 3WXM or Web Manager.

• eap - Stores the certificate authority's Extensible Authentication Protocol (EAP) certificate, which authenticates the WX switch to 802.1X supplicants (clients).

• web - Stores the certificate authority's WebAAA certificate, which authenticates the WX to clients who use WebAAA.

• PEM-formatted certificate - ASCII text representation of the PKCS #7 certificate, consisting of up to 5120 characters, that you have obtained from the certificate authority.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - To use this command, you must already have generated a certificate request with the crypto generate request command, sent the request to the certificate authority, and obtained a signed copy of the WX switch certificate as a PKCS #7 object file. Then do the following:

1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.

2. Enter the crypto certificate command on the CLI command line.

3. When MSS prompts you for the PEM-formatted certificate, paste the PKCS #7 object file onto the command line.

The WX switch verifies the validity of the public key associated with this certificate before installing it, to prevent a mismatch between the WX switch's private key and the public key in the installed certificate.
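A structural pre-flight check for the text pasted at the PEM prompt of crypto ca-certificate or crypto certificate, written here as an added Python example (it is not part of the 3Com manual or MSS). The function names are hypothetical, the 5120-character limit is assumed to apply to the whole pasted text, and the sample blobs are constructed and are not real certificates.

```python
import base64
import binascii
import re

MAX_CHARS = 5120  # limit given in the command reference (assumed: whole paste)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 #]+)-----\s*(?P<body>.*?)\s*"
    r"-----END (?P=label)-----", re.DOTALL)


def der_outer_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field spans the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form
        return 2 + first == len(der)
    if first == 0x80:                      # BER indefinite length
        return der.endswith(b"\x00\x00")
    n = first & 0x7F                       # long form: n length bytes follow
    if len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def check_pem(text: str, expected_label: str = "CERTIFICATE") -> list:
    """Return a list of problems; an empty list means the paste looks sane."""
    problems = []
    if len(text) > MAX_CHARS:
        problems.append(f"{len(text)} characters exceeds the "
                        f"{MAX_CHARS}-character limit")
    m = PEM_RE.search(text)
    if not m:
        return problems + ["missing or mismatched BEGIN/END delimiters"]
    if m.group("label") != expected_label:
        problems.append(f"label is {m.group('label')!r}, "
                        f"expected {expected_label!r}")
    if text[:m.start()].strip() or text[m.end():].strip():
        problems.append("extra text outside the delimiters")
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        bad = sorted(set(re.sub(r"[A-Za-z0-9+/=]", "", body)))
        detail = f"unexpected characters {bad}" if bad else "bad padding"
        problems.append(f"body is not valid base64 ({detail})")
        return problems
    if not der_outer_length_ok(der):
        problems.append("decoded data is not a single ASN.1 SEQUENCE "
                        "of the declared length")
    return problems


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM delimiters, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----"]) + "\n"


# Constructed samples: a 300-byte SEQUENCE of zero bytes, not a certificate.
_DER = b"\x30\x82\x01\x28" + bytes(296)
GOOD = to_pem(_DER)
CORRUPT = GOOD.replace("AAAA", "AA;A", 1)      # stray character from a bad paste
TRUNCATED = to_pem(_DER[:-10])                 # file cut short before pasting

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("corrupt", CORRUPT),
                         ("truncated", TRUNCATED)):
        print(name, check_pem(sample) or "ok")
```

The check is structural only; it does not verify the signature, the issuing CA, or the validity dates.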

Examples - The following command installs a certificate:

WX4400# crypto certificate admin

Enter PEM-encoded certificate

-----BEGIN CERTIFICATE-----

MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU

EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4

.....

2L8Q9tk+G2As84QYLm8wmVY>xP56M;CUAm908C2foYgOY40=

-----END CERTIFICATE-----

See Also

• crypto generate request on page 566

• crypto generate self-signed on page 568

crypto generate key

Generates an RSA public-private encryption key pair that is required for a Certificate Signing Request (CSR) or a self-signed certificate. For SSH, the command generates an SSH authentication key.

Syntax - crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}

• admin - Generates an administrative key pair for authenticating the WX switch to 3WXM or Web Manager.

• domain - Generates a key pair for securing the management traffic between WX switches.

• eap - Generates an EAP key pair for authenticating the WX switch to 802.1X supplicants (clients).

• ssh - Generates a key pair for authenticating the WX switch to Secure Shell (SSH) clients.

• web - Generates an administrative key pair for authenticating the WX switch to WebAAA clients.

• 512 | 1024 | 2048 - Length of the key pair in bits.

The minimum key size for SSH is 1024.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - You can overwrite a key by generating another key of the same type.

SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.

Examples - To generate an administrative key for use with 3WXM, type the following command:

WX4400# crypto generate key admin 1024

key pair generated

See Also

• display crypto key ssh on page 576

crypto generate request

Generates a Certificate Signing Request (CSR). This command outputs a PEM-formatted PKCS #10 text string that you can cut and paste to another location for delivery to a certificate authority.

This command generates either an administrative CSR for use with 3WXM and Web View, or an EAP CSR for use with 802.1X clients.

Syntax - crypto generate request {admin | eap | web}

• admin - Generates a request for an administrative certificate to authenticate the WX switch to 3WXM or Web Manager.

• eap - Generates a request for an EAP certificate to authenticate the WX switch to 802.1X supplicants (clients).

• web - Generates a request for a WebAAA certificate to authenticate the WX switch to WebAAA clients.

After you type the command, you are prompted for the following variables:

• Country Name string - (Optional) Specify the abbreviation for the country in which the WX switch is operating, in 2 alphanumeric characters with no spaces.

• State Name string - (Optional) Specify the name of the state, in up to 64 alphanumeric characters. Spaces are allowed.

• Locality Name string - (Optional) Specify the name of the locality, in up to 80 alphanumeric characters with no spaces.

• Organizational Name string - (Optional) Specify the name of the organization, in up to 80 alphanumeric characters with no spaces.

• Organizational Unit string - (Optional) Specify the name of the organizational unit, in up to 80 alphanumeric characters with no spaces.

• Common Name string - Specify a unique name for the WX switch, in up to 80 alphanumeric characters with no spaces. Use a fully qualified name if such names are supported on your network. This field is required.

• Email Address string - (Optional) Specify your email address, in up to 80 alphanumeric characters with no spaces.

• Unstructured Name string - (Optional) Specify any name, in up to 80 alphanumeric characters with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1. Maximum string length for State Name increased from two to 64 alphanumeric characters.

Usage - To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command.

Enter crypto generate request admin, crypto generate request eap, or crypto generate request web and press Enter. When you are prompted, type the identifying values in the fields, or press Enter if the field is optional. You must enter a common name for the WX switch.

This command outputs a PKCS #10 text string in Privacy-Enhanced Mail protocol (PEM) format that you paste to another location for submission to the certificate authority. You then send the request to the certificate authority to obtain a signed copy of the WX switch certificate as a PKCS #7 object file.

Examples - To request an administrative certificate from a certificate authority, type the following command:

WX4400# crypto generate request admin

Country Name: US

State Name: CA

Locality Name: Pleasanton

Organizational Name: MyCorp

Organizational Unit: ENG

Common Name: ENG

Email Address: admin@example.com

Unstructured Name: admin

CSR for admin is

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

See Also

• crypto certificate on page 564

• crypto generate key on page 565

crypto generate self-signed

Generates a self-signed certificate for either an administrative certificate for use with 3WXM or an EAP certificate for use with 802.1X wireless users.

Syntax - crypto generate self-signed {admin | eap | web}

• admin - Generates an administrative certificate to authenticate the WX switch to 3WXM or Web Manager.

• eap - Generates an EAP certificate to authenticate the WX switch to 802.1X supplicants (clients).

• web - Generates a WebAAA certificate to authenticate the WX switch to WebAAA clients.

After you type the command, you are prompted for the following variables:

• Country Name string - (Optional) Specify the abbreviation for the country in which the WX switch is operating, in 2 alphanumeric characters with no spaces.

• State Name string - (Optional) Specify the abbreviation for the name of the state, in 2 alphanumeric characters with no spaces.

• Locality Name string - (Optional) Specify the name of the locality, in up to 80 alphanumeric characters with no spaces.

• Organizational Name string - (Optional) Specify the name of the organization, in up to 80 alphanumeric characters with no spaces.

• Organizational Unit string - (Optional) Specify the name of the organizational unit, in up to 80 alphanumeric characters with no spaces.

• Common Name string - Specify a unique name for the WX switch, in up to 80 alphanumeric characters with no spaces. Use a fully qualified name if such names are supported on your network. This field is required.

Note: If you are generating a WebAAA (web) certificate, use a common name that looks like a domain name (two or more strings connected by dots, with no spaces). For example, use common.name instead of common name. The string is not required to be an actual domain name. It simply needs to be formatted like one.

• Email Address string - (Optional) Specify your email address, in up to 80 alphanumeric characters with no spaces.

• Unstructured Name string - (Optional) Specify any name, in up to 80 alphanumeric characters with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command.

To generate a self-signed administrative certificate, type the following command:

WX4400# crypto generate self-signed admin

Country Name:

State Name:

Locality Name:

Organizational Name:

Organizational Unit:

Common Name: wx1@example.com

Email Address:

Unstructured Name:

success: self-signed cert for admin generated

Note: On a WX switch that handles communications to and from Microsoft Windows clients, use a one-time password of 31 characters or fewer.

The following characters cannot be used as part of the one-time password of a PKCS #12 file:

• Quotation marks (" ")

• Question mark (?)

• Ampersand (&)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - The password allows the public-private key pair and certificate to be installed together from the same PKCS #12 object file. MSS erases the one-time password after processing the crypto pkcs12 command or when you reboot the WX switch.

3Com recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack. For best results, create a password of alphanumeric uppercase and lowercase characters.

Examples - The following command creates the one-time password hap9iN#ss for installing an EAP certificate and key pair:

WX4400# crypto otp eap hap9iN#ss

OTP set

See Also

• crypto pkcs12 on page 572

Examples - The following commands copy a PKCS #12 object file for an EAP certificate and key pair (and optionally the certificate authority's own certificate) from a TFTP server to nonvolatile storage on the WX switch, create the one-time password hap9iN#ss, and unpack the PKCS #12 file:

WX4400# copy tftp://192.168.253.1/2048full.p12 2048full.p12

success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]

WX4400# crypto otp eap hap9iN#ss

OTP set

WX4400# crypto pkcs12 eap 2048full.p12

Unwrapped from PKCS12 file:

keypair

device certificate

CA certificate

certificate that signed the administrative certificate for the WX switch.

The administrative certificate authenticates the WX to 3WXM or Web View.

• eap - Displays information about the certificate authority's certificate that signed the Extensible Authentication Protocol (EAP) certificate for the WX switch.

The EAP certificate authenticates the WX switch to 802.1X supplicants (clients).

• web - Displays information about the certificate authority's certificate that signed the WebAAA certificate for the WX switch.

The WebAAA certificate authenticates the WX switch to WebAAA clients.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Examples - To display information about the certificate of a certificate authority, type the following command:

WX4400# display crypto ca-certificate

Table 89 describes the fields in the display.

Table 89 display crypto ca-certificate Output

Syntax - display crypto certificate {admin | eap | web}

• admin - Displays information about the administrative certificate that authenticates the WX switch to 3WXM or Web Manager.

• eap - Displays information about the EAP certificate that authenticates the WX switch to 802.1X supplicants (clients).

• web - Displays information about the WebAAA certificate that authenticates the WX switch to WebAAA clients.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Webaaa option renamed to web in MSS Version 4.1.

Usage - You must have generated a self-signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate.

Examples - To display information about a cryptographic certificate, type the following command:

WX4400# display crypto certificate eap

Table 90 describes the fields of the display.

Table 90 crypto certificate Output

See Also

• crypto generate key on page 565

display crypto key domain

Displays domain key information.

Syntax - display crypto key domain

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To display domain key information, type the following command:

WX4400# display crypto key domain

See Also

• crypto generate key on page 565

display crypto key ssh

Displays SSH authentication key information. This command displays the checksum (also called a fingerprint) of the public SSH authentication key.

When you connect to the WX switch with an SSH client, you can compare the SSH key checksum displayed by the WX switch with the one displayed by the client to verify that you really are connected to the WX switch and not another device. Generally, SSH clients remember the encryption key after the first connection, so you need to check the key only once.

Syntax ??? display crypto key ssh

Defaults ??? None.

Access ??? Enabled.

History ???Introduced in MSS Version 3.0.

Examples ??? To display SSH key information, type the following command:

WX4400# display crypto key ssh ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04

See Also crypto generate key on page 565
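The checksum comparison described for display crypto key ssh can be scripted on the administrator's side. This added example is not from the 3Com manual; it assumes the 16-byte colon-separated checksum is the MD5 fingerprint of the public key blob (the format legacy SSH clients display), and the sample key line and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import struct

KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
FP_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){15}$")


def ssh_string(data):
    """Length-prefixed byte string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


# Constructed sample (not a real key): a known_hosts-style line whose blob has
# the ssh-rsa layout of key type, public exponent, modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa")
               + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(1, 129))))
SAMPLE_LINE = ("wx4400.example.net ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode("ascii")
               + " constructed-sample-key")


def key_blob(line):
    """Return the decoded key blob from a .pub or known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if KEY_TYPE_RE.match(field):
            blob = base64.b64decode(fields[i + 1], validate=True)
            if len(blob) < 4:
                raise ValueError("public key blob too short")
            (n,) = struct.unpack(">I", blob[:4])
            # The blob repeats the key type; a mismatch means a mangled line.
            if blob[4:4 + n] != field.encode("ascii"):
                raise ValueError("key type does not match key blob")
            return blob
    raise ValueError("no public key found in line")


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint of the key on this line."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalize_fingerprint(text):
    """Accept 'ec:6f:...' or 'MD5:EC:6F:...' and return lowercase colon-hex."""
    fp = text.strip().lower()
    if fp.startswith("md5:"):
        fp = fp[4:]
    if not FP_RE.match(fp):
        raise ValueError("not a 16-byte colon-separated fingerprint")
    return fp


def matches_switch(switch_output, client_key_line):
    """True when the checksum shown on the switch console matches the key
    the SSH client recorded for that host."""
    return hmac.compare_digest(normalize_fingerprint(switch_output),
                               md5_fingerprint(client_key_line))


if __name__ == "__main__":
    shown_by_switch = md5_fingerprint(SAMPLE_LINE)  # stands in for console output
    print(shown_by_switch, matches_switch(shown_by_switch, SAMPLE_LINE))
```

Read the switch-side value over the console port rather than over the SSH session being verified, so the two values arrive by independent paths.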

Use RADIUS commands to set up communication between a WX switch and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users.

(For information about RADIUS attributes, see the RADIUS appendix in the Wireless LAN Switch and Controller Configuration Guide.)

578 CHAPTER 16: RADIUS AND SERVER GROUP COMMANDS

Defaults - Global RADIUS parameters have the following default values:

• deadtime - 0 (zero) minutes (The WX switch does not designate unresponsive RADIUS servers as unavailable.)

• key - No key

• retransmit - 3 (the total number of attempts, including the first attempt)

• timeout - 5 seconds

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To override the globally set values on a particular RADIUS server, use the set radius server command.

Examples - To reset all global RADIUS parameters to their factory defaults, type the following commands:

WX4400# clear radius deadtime
success: change accepted.
WX4400# clear radius key
success: change accepted.
WX4400# clear radius retransmit
success: change accepted.
WX4400# clear radius timeout
success: change accepted.

See Also

• display aaa on page 229

• set radius on page 582

• set radius server on page 587

clear radius client system-ip

Removes the WX switch's system IP address from use as the permanent source address in RADIUS client requests from the switch to its RADIUS server(s).

Syntax - clear radius client system-ip

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The clear radius client system-ip command causes the WX switch to use the IP address of the interface through which it sends a RADIUS client request as the source IP address. The WX switch selects a source interface address based on information in its routing table as the source address for RADIUS packets leaving the switch.

Examples - To clear the system IP address as the permanent source address for RADIUS client requests, type the following command:

WX4400# clear radius client system-ip
success: change accepted.

See Also

• display aaa on page 229

• set radius client system-ip on page 584

clear radius proxy client

Removes RADIUS proxy client entries for third-party APs.

Syntax - clear radius proxy client all

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.0.

Examples - The following command clears all RADIUS proxy client entries from the switch:

WX4400# clear radius proxy client all
success: change accepted.

See Also

• set radius proxy client on page 585

clear radius proxy port

Removes RADIUS proxy ports configured for third-party APs.

Syntax - clear radius proxy port all

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.0.

Examples - The following command clears all RADIUS proxy port entries from the switch:

WX4400# clear radius proxy port all
success: change accepted.

See Also

• set radius proxy port on page 586

clear radius server

Removes the named RADIUS server from the WX configuration.

Syntax - clear radius server server-name

• server-name - Name of a RADIUS server configured to perform remote AAA services for the WX switch.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command removes the RADIUS server rs42 from a list of remote AAA servers:

WX4400# clear radius server rs42
success: change accepted.

See Also

• display aaa on page 229

• set radius server on page 587

clear server group

Removes a RADIUS server group from the configuration, or disables load balancing for the group.

Syntax - clear server group group-name [load-balance]

• group-name - Name of a RADIUS server group configured to perform remote AAA services for WX switches.

• load-balance - Ability of group members to share demand for services among servers.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Deleting a server group removes the server group from the configuration. However, the members of the server group remain.

Note: Use this option only if you are entering the key in its encrypted form. To enter the key in unencrypted form, use the key string option instead.

• key string - Password (shared secret key) used to authenticate to the RADIUS server. You must provide the same password that is defined on the RADIUS server. The password can be 1 to 64 characters long, with no spaces or tabs. MSS encrypts the display form of the string in display config and display aaa output.

• retransmit number - Number of transmission attempts the WX switch makes before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.

• timeout seconds - Number of seconds the WX switch waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535.

Defaults - Global RADIUS parameters have the following default values:

• deadtime - 0 (zero) minutes (The WX switch does not designate unresponsive RADIUS servers as unavailable.)

• encrypted-key - No key

• key - No key

• retransmit - 3 (the total number of attempts, including the first attempt)

• timeout - 5 seconds

Access - Enabled.

History - Introduced in MSS Version 3.0. The encrypted-key option was added in Version 4.2.

Usage - You can specify only one parameter per command line.

Examples - The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the WX switch:

WX1200# set radius deadtime 5
success: change accepted.
WX1200# set radius key goody
success: change accepted.
WX1200# set radius retransmit 1
success: change accepted.
WX1200# set radius timeout 21
success: change accepted.

See Also

• clear radius client system-ip on page 579

• set system idle-timeout on page 65

set radius proxy client

Adds a RADIUS proxy entry for a third-party AP. The proxy entry specifies the IP address of the AP and the UDP ports on which the WX switch listens for RADIUS traffic from the AP.

Syntax - set radius proxy client address ip-address [acct-port acct-udp-port-number] [port udp-port-number] key string

• address ip-address - IP address of the third-party AP. Enter the address in dotted decimal notation.

• port udp-port-number - UDP port on which the WX switch listens for RADIUS access-requests from the AP.

• acct-port acct-udp-port-number - UDP port on which the WX switch listens for RADIUS stop-accounting records from the AP.

• key string - Password (shared secret key) the WX switch uses to authenticate and encrypt RADIUS communication.

Defaults - The default UDP port number for access-requests is 1812. The default UDP port number for stop-accounting records is 1813.

Access - Enabled.

History - Introduced in MSS 4.0.

Usage - AAA for third-party AP users has additional configuration requirements. See the "Configuring AAA for Users of Third-Party APs" section in the "Configuring AAA for Network Users" chapter of the Wireless LAN Switch and Controller Configuration Guide.

Examples - The following command configures a RADIUS proxy entry for a third-party AP RADIUS client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the WX:

WX4400# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.

See Also

• clear radius proxy client on page 580

• set authentication proxy on page 253

• set radius proxy port on page 586

Defaults - None.

Access - Enabled.

History - Introduced in MSS 4.0.

Usage - AAA for third-party AP users has additional configuration requirements. See the "Configuring AAA for Users of Third-Party APs" section in the "Configuring AAA for Network Users" chapter of the Wireless LAN Switch and Controller Configuration Guide.

Enter a separate command for each SSID, and its tag value, you want the WX to support.

Examples - The following command maps SSID mycorp to packets received on port 3 or 4, using 802.1Q tag value 104:

WX4400# set radius proxy port 3-4 tag 104 ssid mycorp
success: change accepted.

See Also

• clear radius proxy port on page 580

• set authentication proxy on page 253

• set radius proxy client on page 585

set radius server

Configures RADIUS servers and their parameters. By default, the WX switch automatically sets all these values except the password (key).

Syntax - set radius server server-name [address ip-address] [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit number] [deadtime minutes] [key string] [encrypted-key string] [author-password password]

• server-name - Unique name for this RADIUS server. Enter an alphanumeric string of up to 32 characters, with no blanks.

• address ip-address - IP address of the RADIUS server. Enter the address in dotted decimal notation.

• auth-port port-number - UDP port that the WX switch uses for authentication and authorization.

• acct-port port-number - UDP port that the WX switch uses for accounting.

• timeout seconds - Number of seconds the WX switch waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535 seconds.

• retransmit number - Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.

• deadtime minutes - Number of minutes the WX switch waits after declaring an unresponsive RADIUS server unavailable before retrying that RADIUS server. Specify between 0 (zero) and 1440 minutes (24 hours). A zero value causes the switch to identify unresponsive servers as available.

• key string - Password (shared secret key) the WX switch uses to authenticate to the RADIUS server. You must provide the same password that is defined on the RADIUS server. The password can be 1 to 64 characters long, with no spaces or tabs.

• Use the key option to enter the string in its unencrypted form. MSS encrypts the displayed form of the string in display config and display aaa output.

• To enter the string in its encrypted form instead, use the encrypted-key option. MSS does not encrypt the string you enter, and instead displays the string exactly as you enter it.

• author-password password - Password used for authorization to a RADIUS server for MAC users. Specify a password of up to 64 alphanumeric characters with no spaces or tabs.

Defaults - Default values are listed below:

• auth-port - UDP port 1812

• acct-port - UDP port 1813

• timeout - 5 seconds

• retransmit - 3 (the total number of attempts, including the first attempt)

• deadtime - 0 (zero) minutes (The WX switch does not designate unresponsive RADIUS servers as unavailable.)

• key - No key

• encrypted-key - No key

• author-password - When using RADIUS for authentication, a MAC user's MAC address is also used as the default authorization password for that user, and no global authorization password is set. A last-resort user's default authorization password is 3Com.

Access - Enabled.

History - Introduced in MSS Version 3.0. The encrypted-key option was added in Version 4.2.

Usage - For a given RADIUS server, the first instance of this command must set both the server name and the IP address and can include any or all of the other optional parameters. Subsequent instances of this command can be used to set optional parameters for a given RADIUS server.

To configure the server as a remote authenticator for the WX switch, you must add it to a server group with the set server group command.

Do not use the same name for a RADIUS server and a RADIUS server group.

Examples - To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts, 5 minutes of dead time, and a key string of keys4u, type the following command:

WX1200# set radius server RS42 address 198.162.1.1 timeout 30 retransmit 2 deadtime 5 key keys4U

See Also

• display aaa on page 229

• set authentication admin on page 239

• set authentication console on page 241

• set authentication dot1x on page 243

• set authentication mac on page 247

• set authentication web on page 254

• set radius on page 582

• set server group on page 589

set server group

Configures a group of one to four RADIUS servers.

Syntax - set server group group-name members server-name1 [server-name2] [server-name3] [server-name4]

• group-name - Server group name of up to 32 characters, with no spaces or tabs.

• members server-name1, server-name2, server-name3, server-name4 - The names of one or more configured RADIUS servers. You can enter up to four server names.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You must assign all group members simultaneously, as shown in the example. To enable load balancing, use set server group load-balance enable.

set server group load-balance

Examples - To enable load balancing between the members of server group shorebirds, type the following command:

WX1200# set server group shorebirds load-balance enable
success: change accepted.

To disable load balancing between shorebirds server group members, type the following command:

WX1200# set server group shorebirds load-balance disable
success: change accepted.

See Also

• clear server group on page 581

• clear radius server on page 581

• display aaa on page 229

• set server group on page 589

594 CHAPTER 17: 802.1X MANAGEMENT COMMANDS

Table 92 802.1X Commands by Usage (continued)

WX4400# clear dot1x bonded-period
success: change accepted.

See Also

• display dot1x on page 599

• set dot1x bonded-period on page 603

clear dot1x max-req

Resets to the default setting the number of Extensible Authentication

See Also

• display dot1x on page 599

• set dot1x quiet-period on page 607

See Also

• display dot1x on page 599

• set dot1x reauth-period on page 609

clear dot1x timeout auth-server

Resets to the default setting the number of seconds that must elapse before the WX times out a request to a RADIUS server.

Syntax - clear dot1x timeout auth-server

Defaults - The default is 30 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To reset the default timeout for requests to an authentication server, type the following command:

WX4400# clear dot1x timeout auth-server
success: change accepted.

See Also

• display dot1x on page 599

• set dot1x timeout auth-server on page 609

clear dot1x timeout supplicant

Resets to the default setting the number of seconds that must elapse before the WX switch times out an authentication session with a supplicant (client).

Syntax - clear dot1x timeout supplicant

Defaults - The default for the authentication timeout sessions is 30 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to reset the timeout period for an authentication session:

WX4400# clear dot1x timeout supplicant
success: change accepted.

See Also

• display dot1x on page 599

• set dot1x timeout supplicant on page 610

History - Introduced in MSS Version 3.0. Format of 802.1X authentication rule information in display dot1x config output changed in MSS Version 3.2. The rules are still listed at the top of the display, but more information is shown for each rule.

Examples - Type the following command to display the 802.1X clients:

Type the following command to display the 802.1X configuration:

WX1200# display dot1x config
802.1X user policy
----------------------
'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded)
port 5, authcontrol: auto, max-sessions: 16
port 6, authcontrol: auto, max-sessions: 1
port 7, authcontrol: auto, max-sessions: 1
port 8, authcontrol: auto, max-sessions: 1

Type the following command to display 802.1X statistics:

Table 93 explains the counters in the display dot1x stats output.

Table 93 display dot1x stats Output

set dot1x bonded-period

Syntax - set dot1x bonded-period seconds

• seconds - Number of seconds MSS retains session information for an authenticated machine while waiting for a client to (re)authenticate on the same machine. You can change the bonded authentication period to a value from 1 to 300 seconds.

Defaults - The default bonded period is 0 seconds, which disables the feature.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter.

3Com recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.

The bonded authentication period applies only to 802.1X authentication rules that contain the bonded option.

Examples - To set the bonded authentication period to 60 seconds, type the following command:

WX4400# set dot1x bonded-period 60
success: change accepted.

See Also

• display dot1x on page 599

• clear dot1x bonded-period on page 594

set dot1x key-tx

Enables or disables the transmission of encryption key information to the supplicant (client) in EAP over LAN (EAPoL) key messages, after authentication is successful.

Syntax - set dot1x key-tx {enable | disable}

• enable - Enables transmission of encryption key information to clients.

• disable - Disables transmission of encryption key information to clients.

Defaults - Key transmission is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to enable key transmission:

WX4400# set dot1x key-tx enable
success: dot1x key transmission enabled.

See Also

• display dot1x on page 599

set dot1x max-req

Sets the maximum number of times the WX retransmits an EAP request to a supplicant (client) before ending the authentication session.

Syntax - set dot1x max-req number-of-retransmissions

• number-of-retransmissions - Specify a value between 0 and 10.

Defaults - The default number of EAP retransmissions is 2.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - To support SSIDs that have both 802.1X and static WEP clients, MSS sends a maximum of two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher value does affect all other types of EAP messages.

Examples - Type the following command to set the maximum number of EAP request retransmissions to three attempts:

WX4400# set dot1x max-req 3
success: dot1x max request set to 3.

See Also

• clear dot1x max-req on page 595

• display dot1x on page 599

See Also

• display port status on page 79

• display dot1x on page 599

set dot1x quiet-period

Syntax - set dot1x quiet-period seconds

• seconds - Specify a value between 0 and 65,535.

Defaults - The default is 60 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to set the quiet period to 90 seconds:

WX4400# set dot1x quiet-period 90
success: dot1x quiet period set to 90.

See Also

• clear dot1x quiet-period on page 596

• set dot1x wep-rekey-period on page 612

set dot1x reauth

Determines whether the WX switch allows the reauthentication of supplicants (clients).

Syntax - set dot1x reauth {enable | disable}

• enable - Permits reauthentication.

• disable - Denies reauthentication.

Defaults - Reauthentication is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to enable reauthentication of supplicants (clients):

WX4400# set dot1x reauth enable
success: dot1x reauthentication enabled.

See Also

• display dot1x on page 599

• set dot1x reauth-max on page 608

• set dot1x reauth-period on page 609

Syntax - set dot1x reauth-max number-of-attempts

• number-of-attempts - Specify a value between 1 and 10.

Defaults - The default number of reauthentication attempts is 2.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed, MSS sends an EAP failure packet to the client and removes the client from the network. However, MSS does not remove a wireless client from the network under these circumstances.

Examples - Type the following command to set the number of authentication attempts to 8:

WX4400# set dot1x reauth-max 8
success: dot1x max reauth set to 8.

See Also

• display dot1x on page 599

• clear dot1x reauth-max on page 597

set dot1x reauth-period

Syntax - set dot1x reauth-period seconds

• seconds - Specify a value between 60 (1 minute) and 1,641,600 (19 days).

Defaults - The default is 3600 seconds (1 hour).

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to set the number of seconds to 100 before reauthentication is attempted:

WX4400# set dot1x reauth-period 100
success: dot1x auth-server timeout set to 100.

See Also

• display dot1x on page 599

• clear dot1x reauth-period on page 597

Syntax - set dot1x timeout auth-server seconds

• seconds - Specify a value between 1 and 65,535.

Defaults - The default is 30 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to set the authentication server timeout to 60 seconds:

WX4400# set dot1x timeout auth-server 60
success: dot1x auth-server timeout set to 60.

See Also

• display dot1x on page 599

• clear dot1x timeout auth-server on page 598

Syntax - set dot1x timeout supplicant seconds

• seconds - Specify a value between 1 and 65,535.

Defaults - The default is 30 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to set the number of seconds for authentication session timeout to 300:

WX4400# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.

See Also

• display dot1x on page 599

• clear dot1x timeout auth-server on page 598

set dot1x tx-period

Sets the number of seconds that must elapse before the WX switch retransmits an EAPoL packet.

Syntax - set dot1x tx-period seconds

• seconds - Specify a value between 1 and 65,535.

Defaults - The default is 5 seconds.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to set the number of seconds before the WX switch retransmits an EAPoL packet to 300:

WX4400# set dot1x tx-period 300
success: dot1x tx-period set to 300.

See Also

• display dot1x on page 599

• clear dot1x tx-period on page 599

Syntax - set dot1X wep-rekey {enable | disable}

• enable - Causes the broadcast and multicast keys for WEP to be rotated at an interval set by the set dot1x wep-rekey-period for each radio, associated VLAN, and encryption type. The WX generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL key messages.

• disable - WEP broadcast and multicast keys are never rotated.

Defaults - WEP key rotation is enabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Reauthentication is not required for WEP key rotation to take place. Broadcast and multicast keys are always rotated at the same time, so all members of a given radio, VLAN, or encryption type receive the new keys at the same time.

Examples - Type the following command to disable WEP key rotation:

WX4400# set dot1x wep-rekey disable
success: wep rekeying disabled

See Also

• display dot1x on page 599

• set dot1x wep-rekey-period on page 612

See Also

• display dot1x on page 599

• set dot1x wep-rekey on page 611

Use session management commands to display and clear administrative and network user sessions.

Syntax - clear sessions {admin | console | telnet [client [session-id]] | mesh-ap [session-id session-id]}

• admin - Clears sessions for all users with administrative access to the WX switch through a Telnet or SSH connection or a console plugged into the switch.

• console - Clears sessions for all users with administrative access to the WX switch through a console plugged into the switch.

• telnet - Clears sessions for all users with administrative access to the WX switch through a Telnet connection.

614 CHAPTER 18: SESSION MANAGEMENT COMMANDS

• telnet client [session-id] - Clears all Telnet client sessions from the CLI to remote devices, or clears an individual session identified by session ID.

• mesh-ap [session-id] - Clears all Mesh AP sessions, or clears an individual Mesh AP session identified by session ID.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To clear all administrator sessions, type the following command:

WX4400# clear sessions admin
This will terminate manager sessions, do you wish to continue? (y|n) [n]y

To clear all administrative sessions through the console, type the following command:

WX4400# clear sessions console
This will terminate manager sessions, do you wish to continue? (y|n) [n]y

To clear all administrative Telnet sessions, type the following command:

WX4400# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [n]y

To clear Telnet client session 0, type the following command:

WX4400# clear sessions telnet client 0

See Also

• display sessions on page 616

clear sessions network

Examples - To clear all sessions for MAC address 00:01:02:03:04:05, type the following command:

WX4400# clear sessions network mac-addr 00:01:02:03:04:05

To clear session 9, type the following command:

WX1200# clear sessions network session-id 9

SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d, flags 0000012fh, to change state to KILLING

Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING (client=00:06:25:09:39:5d)

display sessions

• telnet - Displays sessions for all users with administrative access to the WX switch through a Telnet connection.

• telnet client - Displays Telnet sessions from the CLI to remote devices.

Defaults - None.

Access - All, except for display sessions telnet client, which has enabled access.

History - Introduced in MSS Version 3.0.

Examples - To view information about sessions of administrative users, type the following command:

3 admin sessions

To view information about console users' sessions, type the following command:

1 console session

To view information about Telnet users' sessions, type the following command:

To view information about Telnet client sessions, type the following command:

Table 95 describes the fields of the display sessions admin, display sessions console, and display sessions telnet displays.

Table 95 display sessions admin, display sessions console, and display sessions telnet Output

Table 96 describes the fields of the display sessions telnet client display.

Table 96 display sessions telnet client Output

See Also

• clear sessions on page 613

display sessions mesh-ap

Table 97 describes the fields of display sessions mesh-ap output.

Table 97 display sessions mesh-ap Output

See also "clear sessions" on page 613

display sessions network

Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID.

Syntax - display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id | wired] [verbose]

• user user-glob - Displays all network sessions for a single user or set of users.

Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "User Globs" on page 30.)

• mac-addr mac-addr-glob - Displays all network sessions for a MAC address. Specify a MAC address in hexadecimal numbers separated by colons (:).

Or use the wildcard character (*) to specify a set of MAC addresses. (For details, see "MAC Address Globs" on page 31.)

• ssid ssid-name - Displays all network sessions for an SSID.

• vlan vlan-glob - Displays all network sessions on a single VLAN or a set of VLANs.

Specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see "VLAN Globs" on page 32.)

• session-id local-session-id - Displays the specified network session. To find local session IDs, use the display sessions command. The verbose option is not available with this form of the display sessions network command.

• wired - Displays all network sessions on wired authentication ports.

• verbose - Provides detailed output for all network sessions or ones displayed by username, MAC address, or VLAN name.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0. Output added to the display network sessions verbose command to indicate the user's authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile in MSS Version 4.1.

Usage - MSS displays information about network sessions in three types of displays. See the following tables for field descriptions.

• Summary display - See Table 98 on page 623.

• Verbose display - See Table 99 on page 624.

• display sessions network session-id display - See Table 100 on page 626.

Examples - To display summary information for all network sessions, type display sessions network. For example:

The following command displays summary information about the sessions for MAC address 00:05:5d:7e:98:1a:

622 CHAPTER 18: SESSION MANAGEMENT COMMANDS

The following command displays summary information about all the sessions of users whose names begin with E:

2 sessions match criteria (of 3 total)

(Table 98 on page 623 describes the summary displays of display sessions network commands.)

The following command displays detailed (verbose) session information about user nin@example.com:

The following command displays verbose output about the sessions of all current network users:

Vlan-Name=default (service-profile)

Service-Type=2 (service-profile)

End-Date=52/06/07-08:57 (AAA)


Start-Date=05/04/11-10:00 (AAA)

1 sessions total

(Table 99 on page 624 describes the additional fields of the verbose output of display sessions network commands.)

The following command displays information about network session 27:

WX1200# display sessions network session-id 27

Global Id: SESS-27-000430-835586-58dfe5a

State: ACTIVE

Port/Radio: 3/1

MAC Address: 00:00:2d:6f:44:77

User Name: EXAMPLE Natasha

IP Address: 10.10.40.17

Vlan Name: vlan-eng

Tag: 1

Session Timeout: 1800

Authentication Method: PEAP, using server 10.10.70.20

Session statistics as updated from AP:

Unicast packets in: 653

Unicast bytes in: 46211

Unicast packets out: 450

Unicast bytes out: 50478

Multicast packets in: 317

Multicast bytes in: 10144

Number of packets with encryption errors: 0

Number of bytes with encryption errors: 0

Last packet data rate: 2

Last packet signal strength: -67 dBm

Last packet data S/N ratio: 55

Table 98 describes the output of this command. For descriptions of the fields of display sessions network session-id output, see Table 100 on page 626.

Table 98 display sessions network (summary) Output


Table 99 Additional display sessions network verbose Output

Field Description

Client MAC MAC address of the session user.

Table 100 display sessions network session-id Output

See Also

• clear sessions network on page 615


MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a 3Com switch and is not a member of the ignore list configured on the seed switch of the Mobility Domain. The ignore list is a list of third-party (friendly) BSSIDs that are not rogues.

MSS can issue countermeasures against rogue devices to prevent clients from being able to use them.

You can configure RF detection parameters only on the seed switch of a Mobility Domain.

630 CHAPTER 19: RF DETECTION COMMANDS

Table 101 RF Detection Commands by Usage (continued)

wx4400# clear rfdetect attack-list 11:22:33:44:55:66

success: 11:22:33:44:55:66 is no longer in attacklist.


clear rfdetect vendor-list 633

remove.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Examples - The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list:

WX4400# clear rfdetect vendor-list client aa:bb:cc:00:00:00

success: aa:bb:cc:00:00:00 is no longer in client vendor-list.

See Also

• display rfdetect vendor-list on page 649

• set rfdetect vendor-list on page 660


• session-id - Tests the RF link between the WX and the client with the specified local session ID.

Defaults - None.

Access - Enabled.

History - Version 4.2 Command introduced. Version 6.0 Name of command changed from test rflink to rfping.

Usage - Use this command to send test packets to a specified client. The output of the command indicates the number of test packets received and acknowledged by the client, as well as the client's signal strength and signal-to-noise ratio.

Examples - The following command tests the RF link between the WX switch and the client with MAC address 00:0e:9b:bf:ad:13:

Table 83 describes the fields in this display.

Table 102 rfping Output

See Also

• display rfdetect data on page 642

• display rfdetect visible on page 650

See Also

• clear rfdetect attack-list on page 630

• set rfdetect attack-list on page 653


See Also

• clear rfdetect black-list on page 631

• set rfdetect black-list on page 654

display rfdetect clients 637

The following command displays more details about a specific client:

WX4400# display rfdetect clients mac 00:0c:41:63:fd:6d

Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys

Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84

Bssid: 00:0b:0e:01:02:00, Vendor: 3Com, Type: intfr, Dst: ff:ff:ff:ff:ff:ff

Last Rogue Status Check (secs ago): 3

The first line lists information for the client. The other lines list information about the most recent 802.11 packet detected from the client.

Table 103 and Table 104 describe the fields in these displays.


Table 103 display rfdetect clients Output

display rfdetect countermeasures 639

Table 104 display rfdetect clients mac Output (continued)


Table 105 describes the fields in this display.

Table 105 display rfdetect countermeasures Output

display rfdetect counters 641

Examples - The following command shows counters for rogue activity detected by a WX switch:

Examples - The following command shows the devices detected by this WX switch during the most recent RF detection scan:

Table 106 describes the fields in this display.

See Also

• display rfdetect mobility-domain on page 644

• display rfdetect visible on page 650


BSSID.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Bssid and ssid options added; Vendor, Type and Flag fields added in MSS Version 4.0.

display rfdetect mobility-domain 645

Usage - This command is valid only on the seed switch of the Mobility Domain. To display rogue information for an individual switch, use the display rfdetect data command on that switch.

Only rogues are listed. To display all devices detected, including 3Com radios, use the display rfdetect data command.

Examples - The following example displays information about the BSSIDs detected in the Mobility Domain managed by the seed switch:

The lines in this display are compiled from data from multiple listeners (MAP radios). If an item has the value unresolved, not all listeners agree on the value for that item. Generally, an unresolved state occurs only when a MAP or a Mobility Domain is still coming up, and lasts only briefly.

The following command displays detailed information for rogues using SSID 3com-webaaa.

WX1200# display rfdetect mobility-domain ssid 3Com-webaaa

BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: 3Com-webaaa

Type: intfr Adhoc: no Crypto-types: clear

WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a

Device-type: interfering Adhoc: no Crypto-types: clear

RSSI: -85 SSID: 3Com-webaaa

BSSID: 00:0b:0e:00:7a:8a Vendor: 3Com SSID: 3com-webaaa

Type: intfr Adhoc: no Crypto-types: clear


WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a

Device-type: interfering Adhoc: no Crypto-types: clear

RSSI: -75 SSID: 3Com-webaaa

WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82

Device-type: interfering Adhoc: no Crypto-types: clear

RSSI: -76 SSID: 3Com-webaaa

Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID. The indented lines that follow this information indicate the listeners (MAP radios) that detected the SSID. Each set of indented lines is for a separate MAP listener.

In this example, two BSSIDs are mapped to the SSID. A separate set of information is shown for each of the BSSIDs, along with information about the listeners for each BSSID.

The following command displays detailed information for a BSSID.

WX1200# display rfdetect mobility-domain bssid 00:0b:0e:00:04:d1

BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp

Type: rogue Adhoc: no Crypto-types: clear

WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/2/56 Mac: 00:0b:0e:00:0a:6b

Device-type: rogue Adhoc: no Crypto-types: clear

RSSI: -72 SSID: notmycorp

WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/157 Mac: 00:0b:0e:76:56:82

Device-type: rogue Adhoc: no Crypto-types: clear

RSSI: -72 SSID: notmycorp
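Added example (not from the 3Com manual): a Python parser for the detailed display rfdetect mobility-domain output above. It keys on field labels rather than indentation, groups listeners under each BSSID, and reports the BSSIDs typed rogue together with the listener that reported the strongest RSSI. The function and field names are this example's own; it assumes only the labels and Type values visible in the two examples above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Labels in the detailed output. A label must start a token and be followed by
# whitespace, so the colons inside MAC addresses are never taken for labels.
KEYS = ("BSSID|Vendor|SSID|Type|Adhoc|Crypto-types|WX-IPaddress|"
        "Port/Radio/Ch|Mac|Device-type|RSSI")
FIELD_RE = re.compile(r"(?<!\S)(" + KEYS + r"):(?=\s|$)")

# Output copied from the two examples above; indentation is absent on this page.
SAMPLE = """\
WX1200# display rfdetect mobility-domain ssid 3Com-webaaa
BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: 3Com-webaaa
Type: intfr Adhoc: no Crypto-types: clear
WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -85 SSID: 3Com-webaaa
BSSID: 00:0b:0e:00:7a:8a Vendor: 3Com SSID: 3com-webaaa
Type: intfr Adhoc: no Crypto-types: clear
WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -75 SSID: 3Com-webaaa
WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -76 SSID: 3Com-webaaa
WX1200# display rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp
Type: rogue Adhoc: no Crypto-types: clear
WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/2/56 Mac: 00:0b:0e:00:0a:6b
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
WX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/157 Mac: 00:0b:0e:76:56:82
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
"""

@dataclass
class Listener:  # one MAP radio that heard the BSSID
    wx_ip: str
    port_radio_ch: str
    radio_mac: str
    device_type: str = ""
    rssi: Optional[int] = None

@dataclass
class Detection:  # one BSSID and every listener that reported it
    bssid: str
    vendor: str
    ssid: str
    type: str = ""
    crypto: str = ""
    listeners: List[Listener] = field(default_factory=list)

def fields(line):
    """Split 'Label: value Label: value' into a dict; values may contain spaces."""
    hits = list(FIELD_RE.finditer(line))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        out[m.group(1)] = line[m.end():end].strip()
    return out

def parse(text):
    """'BSSID' opens a record, 'WX-IPaddress' opens a listener under it."""
    detections, cur, lis = [], None, None
    for raw in text.splitlines():
        f = fields(raw.strip())
        if "BSSID" in f:
            cur = Detection(f["BSSID"].lower(), f.get("Vendor", ""), f.get("SSID", ""))
            detections.append(cur)
            lis = None
        elif cur is None:
            continue  # prompt or blank line before the first record
        elif "WX-IPaddress" in f:
            lis = Listener(f["WX-IPaddress"], f.get("Port/Radio/Ch", ""), f.get("Mac", "").lower())
            cur.listeners.append(lis)
        elif "Device-type" in f and lis is not None:
            lis.device_type = f["Device-type"]
        elif "RSSI" in f and lis is not None:
            lis.rssi = int(f["RSSI"])
        elif "Type" in f:
            cur.type, cur.crypto = f["Type"], f.get("Crypto-types", "")
    return detections

def rogue_report(detections):
    """One row per BSSID typed 'rogue', with the listener that hears it loudest."""
    rows = []
    for d in (x for x in detections if x.type == "rogue"):
        heard = [l for l in d.listeners if l.rssi is not None]
        best = max(heard, key=lambda l: l.rssi, default=None)
        rows.append({"bssid": d.bssid, "ssid": d.ssid, "vendor": d.vendor,
                     "strongest": f"{best.wx_ip} {best.port_radio_ch}" if best else None,
                     "rssi": best.rssi if best else None, "listeners": len(d.listeners)})
    return rows

if __name__ == "__main__":
    print(rogue_report(parse(SAMPLE)))
```

The listener with the strongest RSSI is a starting point for physically locating the device before countermeasures are considered.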


Table 107 and Table 108 describe the fields in these displays.

Table 107 display rfdetect mobility-domain Output


Table 108 display rfdetect mobility-domain ssid or bssid Output (continued)

See Also

• display rfdetect data on page 642

• display rfdetect visible on page 650

display rfdetect ssid-list 649


Examples - The following example shows the permitted vendor list on WX switch:

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

display rfdetect visible 651

Usage - If a 3Com radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately.

To display rogue information for the entire Mobility Domain, use the display rfdetect mobility-domain command on the seed switch.

Examples - The following command displays the devices detected by 3Com radio 00:0b:0e:00:0a:6a:

Table 109 describes the fields in this display.

Table 109 display rfdetect visible Output


Table 109 display rfdetect visible Output (continued)

WX1200# set rfdetect active-scan disable

success: off-channel scanning is disabled.

set rfdetect attack-list 653


CAUTION: Countermeasures affect wireless service on a radio. When a MAP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures.

set rfdetect countermeasures mac 655

Syntax - set rfdetect countermeasures {enable | disable}

• enable - Enables countermeasures.

• disable - Disables countermeasures.

Defaults - Countermeasures are disabled by default.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command is valid only on the seed switch of the Mobility Domain.

Examples - The following command enables countermeasures for the Mobility Domain managed by this seed switch:

WX1200# set rfdetect countermeasures enable

success: countermeasures are now enabled.

See Also

• clear rfdetect attack-list on page 630

• display rfdetect ignore on page 644

• set rfdetect countermeasures mac on page 655

set rfdetect countermeasures mac

Starts countermeasures against a specific rogue.

Syntax - set rfdetect countermeasures mac mac-addr

• mac-addr - Basic service set identifier (BSSID) of the rogue. Enter the BSSID in MAC address format, using a colon between each octet (for example: aa:bb:cc:dd:ee:ff).

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - Use this command to immediately begin countermeasures against a specific rogue in the rogue list. The MAC address you specify must be in the list of rogues generated by RF detection scans. MSS can issue countermeasures only against a device that is in the rogue list.


You can start countermeasures against more than one BSSID by typing additional set rfdetect countermeasures mac commands.

After you type the first set rfdetect countermeasures mac command, MSS does not issue countermeasures against any devices except the ones you specify using this command. To resume normal countermeasures operation, where MSS automatically issues countermeasures against detected rogues, use the clear rfdetect countermeasures mac all command.

This command is valid only on the seed switch of the Mobility Domain. The countermeasures take effect only if countermeasures are enabled for the Mobility Domain, using the set rfdetect countermeasures enable command.

This command does not become part of the configuration file when you save the configuration and therefore is not reloaded if the switch is restarted.

Examples - The following command begins countermeasures against rogue BSSID aa:bb:cc:11:22:33:

WX1200# set rfdetect countermeasures mac aa:bb:cc:11:22:33

success: set rfdetect countermeasures mac aa:bb:cc:11:22:33

See Also

• clear rfdetect attack-list on page 630

• display rfdetect ignore on page 644

• set rfdetect countermeasures on page 654

set rfdetect ignore

Configures a list of known devices to ignore during an RF scan. MSS does not generate log messages or traps for the devices in the ignore list.

Syntax - set rfdetect ignore mac-addr

• mac-addr - BSSID (MAC address) of the device to ignore.

Defaults - MSS reports all unknown BSSIDs detected during an RF scan.

Access - Enabled.

History - Introduced in MSS Version 3.0.

set rfdetect log 657


You must use the same MAP signature setting (enabled or disabled) on all WX switches in a Mobility Domain.

set rfdetect signature key 659

Examples - The following command enables MAP signatures on a WX switch:

WX1200# set rfdetect signature enable

success: signature is now enabled.

set rfdetect signature key

Creates an encrypted RF fingerprint key to use as a signature for a MAP.

Syntax - set rfdetect signature key encrypted <key_value>

• key - 16 bytes separated by colons generated by the user. For example, a1:b2:c3:d4:e5:f6:g7:h8 can be a key value.

• encrypted - Encrypts the signature key.

Defaults - Disabled by default.

Access - Enabled.

History - Introduced in 5.0.

set rfdetect ssid-list

Adds an SSID to the permitted SSID list. The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. MSS issues countermeasures against the rogue if they are enabled.

Syntax - set rfdetect ssid-list ssid-name

• ssid-name - SSID name you want to add to the permitted SSID list.

Defaults - The permitted SSID list is empty by default and all SSIDs are allowed. However, after you add an entry to the list, MSS allows traffic only for the SSIDs that are on the list.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - The permitted SSID list applies only to the WX switch on which the list is configured. WX switches do not share permitted SSID lists.


test rflink 661

Examples - The following command tests the RF link between the WX switch and the client with MAC address 00:0e:9b:bf:ad:13:

WX4400# test rflink mac 00:0e:9b:bf:ad:13

RF-Link Test to 00:0e:9b:bf:ad:13 : Session-Id: 2

Packets Sent  Packets Rcvd  RSSI     SNR    RTT (micro-secs)
------------  ------------  -------  -----  ----------------
20            20            -68      26     976

Table 110 describes the fields in this display.

Table 110 test rflink Output

See Also

• display rfdetect data on page 642

• display rfdetect visible on page 650

Use file management commands to manage system files and to display software and boot information.

664 CHAPTER 20: FILE MANAGEMENT COMMANDS

Table 111 File Management Commands by Usage (continued)

backup 665

Archive files created by the all option are larger than files created by the critical option. The file size depends on the files in the user area, and the file can be quite large if the user area contains image files.

The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the display boot command's output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived. To make sure the archive contains the configuration that is currently running on the switch, use the save config command to save the running configuration to the boot configuration file, before using the backup command.

Examples - The following command creates an archive of the system-critical files and copies the archive directly to a TFTP server. The filename in this example includes a TFTP server IP address, so the archive is not stored locally on the switch.

WX1200# backup system tftp:/10.10.20.9/sysa_bak critical

success: sent 28263 bytes in 0.324 seconds [ 87231 bytes/sec]

Table 112 describes the fields.

Table 112 Output for backup

Field Description

[tftp:/ip-addr/]filename Name of the archive file to create. You can store the file locally in the switch's nonvolatile storage or on a TFTP server.

See Also

• dir on page 670

• restore on page 684


copy 667

Syntax - copy source-url destination-url

• source-url - Name and location of the file to copy. The uniform resource locator (URL) can be one of the following:

    • [subdirname/]filename

    • file:[subdirname/]filename

    • tftp://ip-addr/[subdirname/]filename

    • tmp:filename

For the filename, specify between 1 and 128 alphanumeric characters, with no spaces. Enter the IP address in dotted decimal notation.

The subdirname/ option specifies a subdirectory.

• destination-url - Name of the copy and the location where to place the copy. The URL can be one of the following:

    • [subdirname/]filename

    • file:[subdirname/]filename

    • tftp://ip-addr/[subdirname/]filename

If you are copying a system image file into nonvolatile storage, the filename must include the boot partition name. You can specify one of the following:

    • boot0:/filename

    • boot1:/filename


Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a WX switch's nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server's hostname as an alternative to specifying the IP address.

The tmp:filename URL specifies a file in temporary storage. You can copy a file out of temporary storage but you cannot copy a file into temporary storage. Temporary storage is reserved for use by MSS.

If you are copying a system image file into nonvolatile storage, the filename must be preceded by the boot partition name, which can be boot0 or boot1. Enter the filename as boot0:/filename or boot1:/filename. You must specify the boot partition that was not used to load the currently running image.

The maximum supported file size for TFTP is 32 MB.

Examples - The following command copies a file called floorwx from nonvolatile storage to a TFTP server:

WX4400# copy floorwx tftp://10.1.1.1/floorwx

success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]

The following command copies a file called closetwx from a TFTP server to nonvolatile storage:

WX4400# copy tftp://10.1.1.1/closetwx closetwx

success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]

The following command copies system image WXA03001.Rel from a TFTP server to boot partition 1 in nonvolatile storage:

WX4400# copy tftp://10.1.1.107/WXA03001.Rel boot1:WXA03001.Rel

............................................................

................................................success: received 9163214 bytes in 105.939 seconds [ 86495 bytes/sec]

delete 669

The following commands rename test-config to new-config by copying it from one name to the other in the same location, then deleting test-config:

WX4400# copy test-config new-config

WX4400# delete test-config

success: file deleted.

The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in a WX switch's nonvolatile storage:

WX4400# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html

success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]

Syntax - delete url

• url - Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.

If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: subdir_a/file_a.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - You might want to copy the file to a TFTP server as a backup before deleting the file.


Examples - The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage:

WX4400# copy testconfig tftp://10.1.1.1/testconfig

success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]

WX4400# delete testconfig

success: file deleted.

The following command deletes file dang_doc from subdirectory dang:

WX4400# delete dang/dang_doc

success: file deleted.

See Also

• copy on page 667

• dir on page 670

Syntax - dir [subdirname] [file:] | [core:] | [boot0:] | [boot1:]

• subdirname - Subdirectory name. If you specify a subdirectory name, the command lists the files in that subdirectory. Otherwise, the command lists the files in the root directory and also lists the subdirectories.

• file - Limits dir output to the contents of the user files area.

• core: - Limits dir output to the contents of the /tmp/core subdirectory.

• boot0: - Limits dir output to the contents of the boot0 partition.

• boot1: - Limits dir output to the contents of the boot1 partition.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. Core; file; boot0 and boot1 options added, to limit the output to the specified category, in MSS Version 4.0.

dir 671

Examples - The following command displays the files in the root directory:

WX4400# dir

===============================================================================

===============================================================================

===============================================================================

temporary files:

The following command displays the files in the old subdirectory:

WX4400# dir old

===============================================================================

file:


The following command limits the output to the contents of the user files area:

WX4400# dir file:

===============================================================================

The following command limits the output to the contents of the /tmp/core subdirectory:

WX4400# dir core:

===============================================================================

The following command limits the output to the contents of the boot0 partition:

WX4400# dir boot0:

===============================================================================

file:

Table 113 describes the fields in the dir output.

install soda agent 673

Table 113 Output for dir

Field Description

Filename Filename or subdirectory name.

See Also

• copy on page 667

• delete on page 669

install soda agent

Installs Sygate On-Demand (SODA) agent files in a directory on the WX switch.

Syntax - install soda agent agent-file agent-directory directory

• agent-file - Name of a .zip file on the WX switch containing SODA agent files.

• directory - Directory on the WX switch where SODA agent files are to be installed. The command automatically creates this directory.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.2.


Examples - The following command shows the boot information for a WX switch:

display config 675

Table 114 describes the fields in the display boot output.

Table 114 Output for display boot


• ip-config

• l2acl

• log

• mobility-domain

• network-domain

• ntp

• portconfig

• port-group

• qos

• radio-profile

• rfdetect

• service-profile

• sm

• snmp

• snoop

• spantree

• system

• trace

• vlan

• vlan-fdb

• vlan-profile

If you do not specify a configuration area, nondefault information for all areas is displayed.

• all - Includes configuration items that are set to their default values.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0. New options added for remote traffic monitoring (snoop) and rfdevice changed to rfdetect in MSS Version 4.0. Version 4.1 added new options l2acl, network-domain, and qos. Version 4.2 changed the portgroup to port-group for consistency with clear port-group, set port-group, and display port-group commands.

display version 677

Usage - If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas. If you specify an area, commands are displayed for that area only. If you use the all option, the display also includes commands for configuration items that are set to their default values.

Examples - The following command shows configuration information for VLANs:

WX4400# display config area vlan

#Configuration nvgen'd at 2004-5-21 19:36:48

#Image 3.0.0

#Model WX4400

#Last change occurred at 2004-5-21 18:20:50

set vlan 1 port 1

See Also

• load config on page 679

• save config on page 685

Syntax - display version [details]

• details - Includes additional software build information and information about the MAP access points configured on the WX switch.

Defaults - None.

Access - All.

History - Introduced in MSS Version 3.0.


Examples - The following command displays version information for a WX switch:

WX1200# display version

Mobility System Software, Version: 4.1.0 QA 67

Copyright (c) 2002, 2003, 2004, 2005 3Com Corporation. All rights reserved.

Build Information: (build#67) TOP 2005-07-21 04:41:00

WX1200# display version details

Mobility System Software, Version: 4.1.0 QA 67

Copyright (c) 2002, 2003, 2004, 2005 3Com Corporation. All rights reserved.

Build Information: (build#67) TOP 2005-07-21 04:41:00

load config 679

Table 115 describes the fields in the display version output.

Table 115 Output for display version

Syntax - load config [url]

• url - Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.

If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c.


Defaults - The default file location is nonvolatile storage.

The current version supports loading a configuration file only from the switch's nonvolatile storage. You cannot load a configuration file directly from a TFTP server.

If you do not specify a filename, MSS uses the same configuration filename that was used for the previous configuration load. For example, if the WX switch used configuration for the most recent configuration load, MSS uses configuration again unless you specify a different filename. To display the filename of the configuration file MSS loaded during the last reboot, use the display boot command.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - This command completely replaces the running configuration with the configuration in the file.

Examples - The following command reloads the configuration from the most recently loaded configuration file:

WX4400# load config

Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n) [n]y

success: Configuration reloaded

The following command loads configuration file testconfig1:

WX4400# load config testconfig1

Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n) [n]y

success: Configuration reloaded

See Also

• display boot on page 674

• display config on page 675

• save config on page 685

See Also


Examples - The following commands create a subdirectory called corp2 and display the root directory to verify the result:

WX4400# mkdir corp2

success: change accepted.

WX4400# dir

===============================================================================

===============================================================================

Boot:

===============================================================================

• dir on page 670

• rmdir on page 685

reset system 683

Syntax - reset system [force]

• force - Immediately restarts the system and reboots, without comparing the running configuration to the configuration file.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - If you do not use the force option, the command first compares the running configuration to the configuration file. If the running configuration and configuration file do not match, MSS does not restart the WX switch but instead displays a message advising you to either save the configuration changes or use the force option.

Examples - The following command restarts a WX switch that does not have any unsaved configuration changes:

WX4400# reset system

This will reset the entire system. Are you sure (y/n)y

The following commands attempt to restart a WX switch with a running configuration that has unsaved changes, and then force the switch to restart:

WX4400# reset system

error: Cannot reset, due to unsaved configuration changes. Use "reset system force" to override.

WX4400# reset system force

...... rebooting ......

See Also

• display boot on page 674

• display version on page 677

• save config on page 685


rmdir 685

See Also

• backup on page 664

Syntax - rmdir [subdirname]

• subdirname - Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Usage - MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it.

Examples - The following example removes subdirectory corp2:

WX4400# rmdir corp2

success: change accepted.

See Also

• dir on page 670

• mkdir on page 681

Syntax - save config [filename]

• filename - Name of the configuration file. Specify between 1 and 128 alphanumeric characters, with no spaces.

To save the file in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c.

Defaults - By default, MSS saves the running configuration as the configuration filename used during the last reboot.


set boot configuration-file 687

WX4400# set boot configuration-file testconfig1

success: boot config set.


uninstall soda agent 689

Usage - The uninstall soda command removes the SODA agent directory and all of its contents. All files in the specified directory are removed. The command removes the directory and its contents, regardless of whether it contains SODA agent files.

Examples - The following command removes the directory sp1 and all of its contents:

WX4400# uninstall soda agent agent-directory sp1

This will delete all files in agent-directory, do you wish to continue? (y|n) [n]y

See Also

??install soda agent on page 673

??set service-profile soda mode on page 462


Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command.

CAUTION: Using the set trace command can have adverse effects on system performance. 3Com recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.

Syntax -

692 CHAPTER 21: TRACE COMMANDS

See Also

• display log buffer on page 712
• set log on page 716

clear trace {trace-area | all}

• trace-area - Ends a particular trace process. Specify one of the following keywords to end the traces documented in this chapter:
  • authorization - Ends an authorization trace
  • dot1x - Ends an 802.1X trace
  • authentication - Ends an authentication trace
  • sm - Ends a session manager trace
• all - Ends all trace processes.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To clear all trace processes, type the following command:

WX4400# clear trace all
success: clear trace all


To clear the session manager trace, type the following command:

WX4400# clear trace sm
success: clear trace sm

See Also

• display trace on page 693
• set trace authentication on page 694
• set trace authorization on page 695
• set trace dot1x on page 696
• set trace sm on page 697

Syntax - display trace [all]

• all - Displays all possible trace options and their configuration.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To view the traces currently running, type the following command:

See Also

• clear trace on page 692
• set trace authentication on page 694
• set trace authorization on page 695
• set trace dot1x on page 696
• set trace sm on page 697


Syntax - save trace filename

• filename - Name for the trace file. To save the file in a subdirectory, specify the subdirectory name, then a slash. For example: traces/trace1


WX4400# set trace authorization mac-addr 00:01:02:03:04:05
success: change accepted.


See Also

• clear trace on page 692
• display trace on page 693

Syntax - set trace dot1x [mac-addr mac-address] [port port-num] [user username] [level level]

• mac-addr mac-address - Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
• port port-num - Traces on a WX port number.
• user username - Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
• level level - Determines the quantity of information included in the output. You can set the level with an integer from 1 to 10, where level 10 provides the most information. Levels 1 through 5 provide user-readable information. If you do not specify a level, level 5 is the default.

Defaults - The default trace level is 5.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - The following command starts a trace for the 802.1X sessions for MAC address 00:01:02:03:04:05:

WX4400# set trace dot1x mac-addr 00:01:02:03:04:05
success: change accepted.

See Also

• clear trace on page 692
• display trace on page 693


Syntax - set trace sm [mac-addr mac-address] [port port-num] [user username] [level level]

• mac-addr mac-address - Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
• port port-num - Traces on a WX port number.
• user username - Traces a user. Specify a username of up to 80 alphanumeric characters, with no spaces.
• level level - Determines the quantity of information included in the output. You can set the level with an integer from 1 to 10, where level 10 provides the most information. Levels 1 through 5 provide user-readable information. If you do not specify a level, level 5 is the default.

Defaults - The default trace level is 5.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - Type the following command to trace session manager activity for MAC address 00:01:02:03:04:05:

WX4400# set trace sm mac-addr 00:01:02:03:04:05
success: change accepted.

See Also

• clear trace on page 692
• display trace on page 693


Use snoop commands to monitor wireless traffic, by using a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.

(For more information, including setup instructions for the monitoring station, see the "Remotely Monitoring Traffic" section in the "Troubleshooting a WX Switch" chapter of the Wireless LAN Switch and Controller Configuration Guide.)

700 CHAPTER 22: SNOOP COMMANDS

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.


Examples - The following command removes snoop filter snoop2 from radio 2 on Distributed MAP 3:

WX1200# clear snoop map snoop2 ap 3 radio 2
success: change accepted.

The following command removes all snoop filter mappings from all radios:

WX1200# clear snoop map all
success: change accepted.

See Also

• display snoop on page 706
• display snoop map on page 707
• set snoop map on page 704

Syntax - set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]

• filter-name - Name for the filter. The name can be up to 32 alphanumeric characters, with no spaces.
• condition-list - Match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition-list. You can specify up to eight of the following conditions in a filter, in any order or combination:
  • frame-type {eq | neq} {beacon | control | data | management | probe}
  • channel {eq | neq} channel
  • bssid {eq | neq} bssid
  • src-mac {eq | neq} mac-addr
  • dest-mac {eq | neq} mac-addr
  • host-mac {eq | neq} mac-addr
  • mac-pair mac-addr1 mac-addr2
  • direction {eq | neq} {transmit | receive}


To match on packets to or from a specific MAC address, use the dest-mac or src-mac option. To match on both send and receive traffic for a host address, use the host-mac option. To match on a traffic flow (source and destination MAC addresses), use the mac-pair option. This option matches for either direction of a flow, and either MAC address can be the source or destination address.

If you omit a condition, all packets match that condition. For example, if you omit frame-type, all frame types match the filter.

For most conditions, you can use eq (equal) to match only on traffic that matches the condition value. Use neq (not equal) to match only on traffic that is not equal to the condition value.

• observer ip-addr - Specifies the IP address of the station where the protocol analyzer is located. If you do not specify an observer, the MAP radio still counts the packets that match the filter.
• snap-length num - Specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. 3Com recommends specifying a snap length of 100 bytes or less.

Defaults - No snoop filters are configured by default.

Access - Enabled.

History - Introduced in MSS Version 4.0. Version 6.0 added the direction filter.

Usage - Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.

For best results:

• Do not specify an observer that is associated with the MAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.
• If the snoop filter is running on a Distributed MAP, and the MAP used a DHCP server in its local subnet to configure its IP information, and the MAP did not receive a default gateway address as a result, the observer must also be in the same subnet. Without a default gateway, the MAP cannot find the observer.


• The MAP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the MAP to the observer. If the observer is not present, the MAP still sends the snoop packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the MAP. These ICMP messages can affect network and MAP performance.

Examples - The following command configures a snoop filter named snoop1 that matches on all traffic, and copies the traffic to the device that has IP address 10.10.30.2:

WX1200# set snoop snoop1 observer 10.10.30.2 snap-length 100

The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:

WX1200# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.3 snap-length 100
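Because matching traffic leaves the MAP decrypted, it helps to check offline which frames a filter will copy and how many bytes of each reach the observer. The Python model below is an added example, not MSS code: it applies the rules stated above (ANDed conditions, eq/neq, host-mac, mac-pair in either direction, snap-length). The frames are constructed, frame types are compared as plain labels, and host-mac neq is assumed to mean that neither address equals the value.

```python
"""Offline model of the set snoop matching rules (added example, not MSS code)."""
from dataclasses import dataclass, field
from typing import Optional

# Conditions written as: keyword {eq | neq} value, per the set snoop syntax.
OP_CONDITIONS = {"frame-type", "channel", "bssid", "src-mac",
                 "dest-mac", "host-mac", "direction"}
MAX_CONDITIONS = 8  # the reference allows up to eight conditions per filter


@dataclass
class SnoopFilter:
    name: str
    conditions: list = field(default_factory=list)
    observer: Optional[str] = None      # None: packets are only counted
    snap_length: Optional[int] = None   # None: the entire packet is copied


def parse_set_snoop(command):
    """Parse a 'set snoop' command line into a SnoopFilter."""
    tok = command.split()
    if len(tok) < 3 or tok[:2] != ["set", "snoop"]:
        raise ValueError("not a set snoop command")
    flt = SnoopFilter(name=tok[2])
    i = 3
    try:
        while i < len(tok):
            kw = tok[i]
            if kw in OP_CONDITIONS:
                if tok[i + 1] not in ("eq", "neq"):
                    raise ValueError(f"{kw}: expected eq or neq")
                flt.conditions.append((kw, tok[i + 1], tok[i + 2].lower()))
                i += 3
            elif kw == "mac-pair":
                flt.conditions.append((kw, tok[i + 1].lower(), tok[i + 2].lower()))
                i += 3
            elif kw == "observer":
                flt.observer = tok[i + 1]
                i += 2
            elif kw == "snap-length":
                flt.snap_length = int(tok[i + 1])
                i += 2
            else:
                raise ValueError(f"unknown keyword: {kw}")
    except IndexError:
        raise ValueError("command ends in the middle of an option") from None
    if len(flt.conditions) > MAX_CONDITIONS:
        raise ValueError("more than eight conditions in one filter")
    return flt


def condition_holds(cond, frame):
    """Evaluate one condition against a frame (dict keyed by condition keyword)."""
    if cond[0] == "mac-pair":
        # Either address may be the source; both directions of the flow match.
        return {frame["src-mac"], frame["dest-mac"]} == {cond[1], cond[2]}
    kw, op, value = cond
    if kw == "host-mac":
        hit = value in (frame["src-mac"], frame["dest-mac"])
    else:
        hit = str(frame[kw]).lower() == value
    return hit if op == "eq" else not hit


def matches(flt, frame):
    """Conditions are ANDed; a filter with no conditions matches every frame."""
    return all(condition_holds(c, frame) for c in flt.conditions)


def bytes_to_observer(flt, frame_len):
    """Bytes of one matching frame that are sent, decrypted, to the observer."""
    if flt.observer is None:
        return 0
    if flt.snap_length is None:
        return frame_len
    return min(frame_len, flt.snap_length)


def make_frame(ftype, src, dst, direction="receive", channel=6,
               bssid="00:00:5e:00:53:01"):
    """Build a constructed test frame; channel and BSSID defaults are made up."""
    return {"frame-type": ftype, "src-mac": src.lower(), "dest-mac": dst.lower(),
            "direction": direction, "channel": channel, "bssid": bssid.lower()}


if __name__ == "__main__":
    snoop2 = parse_set_snoop(
        "set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff "
        "11:22:33:44:55:66 observer 10.10.30.3 snap-length 100")
    a, b, other = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "00:01:02:03:04:05"
    for f in (make_frame("data", a, b), make_frame("data", b, a),
              make_frame("management", a, b), make_frame("data", a, other)):
        print(f["frame-type"], f["src-mac"], "->", f["dest-mac"],
              "copied" if matches(snoop2, f) else "ignored")
```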

See Also

• clear snoop on page 700
• display snoop info on page 706
• display snoop stats on page 708
• set snoop map on page 704
• set snoop mode on page 705


single-radio models.)

Defaults - Snoop filters are unmapped by default.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage ??? You can map the same filter to more than one radio. You can map up to eight filters to the same radio. If more than one filter has the same observer, the MAP sends only one copy of a packet that matches a filter to the observer. After the first match, the MAP sends the packet and stops comparing the packet against other filters for the same observer.

If the filter does not have an observer, the MAP still maintains a counter of the number of packets that match the filter. (See display snoop stats on page 708.)

Examples - The following command maps snoop filter snoop1 to radio 2 on MAP 3:

WX1200# set snoop map snoop1 ap 3 radio 2
success: change accepted.

See Also

• clear snoop map on page 700
• display snoop map on page 707
• display snoop stats on page 708
• set snoop on page 701
• set snoop mode on page 705


WX1200# display snoop

See Also

• clear snoop map on page 700
• display snoop map on page 707
• set snoop map on page 704

display snoop info

Shows the configured snoop filters.

Syntax - display snoop filter-name

• filter-name - Name of the snoop filter.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.


Examples - The following command shows the snoop filters configured in the examples above:

WX1200# display snoop info
snoop1:

observer 10.10.30.2 snap-length 100 all packets

snoop2:

observer 10.10.30.3 snap-length 100 frame-type eq data

mac-pair (aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66)

See Also

• clear snoop on page 700
• set snoop on page 701

display snoop map

Shows the MAP radios that are mapped to a specific snoop filter.

Syntax - display snoop map filter-name

• filter-name - Name of the snoop filter.

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - To display the mappings for all snoop filters, use the display snoop command.

Examples - The following command shows the mapping for snoop filter snoop1:

WX1200# display snoop map snoop1
filter 'snoop1' mapping

ap: 3 Radio: 2

See Also

• clear snoop map on page 700
• display snoop on page 706
• set snoop map on page 704


display snoop stats

Displays statistics for enabled snoop filters.

Syntax - display snoop stats [filter-name [ap-num [radio {1 | 2}]]]

• filter-name - Name of the snoop filter.
• dap-num - Number of a Distributed MAP to which the snoop filter is mapped
• radio 1 - Radio 1 of the MAP
• radio 2 - Radio 2 of the MAP. (This option does not apply to single-radio models.)

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 4.0.

Usage - The MAP retains statistics for a snoop filter until the filter is changed or disabled. The MAP then clears the statistics.

Examples - The following command shows statistics for snoop filter snoop1:

===============================================================================

snoop1 3 196 4 0 stopped


Table 118 describes the fields in this display.

Table 118 display snoop stats Output

stop-after option was used to stop the filter, this field displays the number of packets that still need to match before the filter is stopped.


Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol.

configuration for a syslog server and stops sending log messages to that server.

Syntax - clear log [buffer | server ip-addr]

• buffer - Deletes the log messages stored in nonvolatile storage.
• server ip-addr - Deletes the configuration for and stops sending log messages to the syslog server at this IP address. Specify an address in dotted decimal notation.

Defaults - None.

712 CHAPTER 23: SYSTEM LOG COMMANDS

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To stop sending system logging messages to a server at 192.168.253.11, type the following command:

WX4400# clear log server 192.168.253.11
success: change accepted.

Type the following command to clear all messages from the log buffer:

WX4400# clear log buffer
success: change accepted.

See Also

• clear log trace on page 692
• set log on page 716

display log buffer

Displays system information stored in the nonvolatile log buffer or the trace buffer.

Syntax - display log buffer [{+|-}number-of-messages] [facility facility-name] [matching string] [severity severity-level]

• buffer - Displays the log messages in nonvolatile storage.
• +|- number-of-messages - Displays the number of messages specified as follows:
  • A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
  • A negative number (for example, -100) displays that number of log entries starting from newest in the log.
• facility facility-name - Area of MSS that is sending the log message. Type a space and a question mark (?) after display log buffer facility for a list of valid facilities.
• matching string - Displays messages that match a string, for example, a username or IP address.


• severity severity-level - Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
  • emergency - The WX switch is unusable.
  • alert - Action must be taken immediately.
  • critical - You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down.
  • error - The WX is missing data or is unable to form a connection.
  • warning - A possible problem exists.
  • notice - Events that potentially can cause system problems have occurred. These are logged for diagnostic purposes. No action is required.
  • info - Informational messages only. No problem exists.
  • debug - Output from debugging.

ASO, BOOT, CLI, CLUSTER, COPP, CRYPTO, DOT1X, NET, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MAP, RAPDA, WEBVIEW, EAP, FP, STAT, SSHD, SUP, DNSD, CONFIG, BACKUP.

The following command displays logged messages for the AAA facility:

WX4400# display log buffer facility AAA

AAA Jun. 25 09:11:32.579848 ERROR AAA_NOTIFY_ERR: AAA got SM special event (98) on locality 3950 which is gone


See Also

• clear log on page 711
• display log config on page 714

display log config

Displays log configuration information.

Syntax - display log config

Defaults - None.

Access - Enabled.

History - Introduced in MSS Version 3.0.

Examples - To display how logging is configured, type the following command:

See Also

• clear log on page 711
• set log on page 716


display log trace

Displays system information stored in the nonvolatile log buffer or the trace buffer.

Syntax - display log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]

• trace - Displays the log messages in the trace buffer.
• +|-|/number-of-messages - Displays the number of messages specified as follows:
  • A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
  • A negative number (for example, -100) displays that number of log entries starting from newest in the log.
  • A number preceded by a slash (for example, /100) displays that number of the most recent log entries in the log, starting with the least recent.
• facility facility-name - Area of MSS that is sending the log message. Type a space and a question mark (?) after display log trace facility for a list of valid facilities.
• matching string - Displays messages that match a string, for example, a username or IP address.
• severity severity-level - Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
  • emergency - The WX switch is unusable.
  • alert - Action must be taken immediately.
  • critical - You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down.
  • error - The WX is missing data or is unable to form a connection.
  • warning - A possible problem exists.
  • notice - Events that potentially can cause system problems have occurred. These are logged for diagnostic purposes. No action is required.
  • info - Informational messages only. No problem exists.
  • debug - Output from debugging.


ASO, BOOT, CLI, CLUSTER, COPP, CRYPTO, DOT1X, ENCAP, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MAP, RAPDA, WEBVIEW, EAP, PORTCONFIG, FP.


• Logging state (enabled or disabled)

To override the session defaults for an individual session, type the set log command from within the session and use the current option.

• trace - Sets log parameters for trace files.
• Port port-number - Sets the TCP port for sending messages to the syslog server. You can specify a number from 1 to 65535. The default syslog port is 514.
• severity severity-level - Logs events at a severity level greater than or equal to the level specified. Specify one of the following:
  • emergency - The WX switch is unusable.
  • alert - Action must be taken immediately.
  • critical - You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down.
  • error - The WX is missing data or is unable to form a connection.
  • warning - A possible problem exists.
  • notice - Events that potentially can cause system problems have occurred. These are logged for diagnostic purposes. No action is required.
  • info - Informational messages only. No problem exists.
  • debug - Output from debugging.
• local-facility facility-level - For messages sent to a syslog server, maps all messages of the severity you specify to one of the standard local log facilities defined in RFC 3164. You can specify one of the following values:
  • 0 - maps all messages to local0.
  • 1 - maps all messages to local1.
  • 2 - maps all messages to local2.
  • 3 - maps all messages to local3.
  • 4 - maps all messages to local4.
  • 5 - maps all messages to local5.
  • 6 - maps all messages to local6.
  • 7 - maps all messages to local7.


If you do not specify a local facility, MSS sends the messages with their default MSS facilities. For example, AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default.

• enable - Enables messages to the specified target.
• disable - Disables messages to the specified target.

Defaults - The following are defaults for the set log commands.

• Events at the error level and higher are logged to the WX console.
• Events at the error level and higher are logged to the WX system buffer.
• Trace logging is enabled, and debug-level output is stored in the WX trace buffer.

Access - Enabled.

History - Introduced in MSS Version 3.0. Version 4.2 added the option port.

Usage - Using the command with only enable or disable turns logging on or off for the target at all levels. For example, entering set log buffer enable with no other keywords turns on logging to the system buffer of all facilities at all levels. Entering set log buffer disable with no other keywords turns off all logging to the buffer.

Examples - To log only emergency, alert, and critical system events to the console, type the following command:

WX4400# set log console severity critical enable
success: change accepted.
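On the collector side, the severity threshold and the local-facility mapping described above determine the RFC 3164 PRI value that each message from the switch should carry. The Python check below is an added example, not MSS code: the sample messages are constructed, and the payload layout after the PRI field is assumed from the display log buffer output.

```python
"""Check received syslog messages against a WX syslog target's settings.
Added example, not MSS code; the sample messages are constructed."""
import re

# Index = RFC 3164 severity code; same order as the severity list above.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
LOCAL0 = 16  # RFC 3164 facility codes 16..23 are local0..local7
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility_code, severity_name) from the leading <PRI> field."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> field")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:
        raise ValueError(f"PRI {pri} is outside the RFC 3164 range")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity]


def at_or_above(severity, threshold):
    """'Greater than or equal to' in the reference means at least as severe,
    which is a numerically lower or equal RFC 3164 severity code."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def expected_pri(severity, local_facility):
    """PRI a message should carry when local-facility 0..7 is configured."""
    if local_facility not in range(8):
        raise ValueError("local-facility must be 0 through 7")
    return (LOCAL0 + local_facility) * 8 + SEVERITIES.index(severity)


def check_message(message, threshold, local_facility=None):
    """List the ways a received message disagrees with the target's settings."""
    facility, severity = decode_pri(message)
    problems = []
    if not at_or_above(severity, threshold):
        problems.append(f"severity {severity} is below threshold {threshold}")
    if local_facility is not None and facility != LOCAL0 + local_facility:
        problems.append(f"facility {facility} is not local{local_facility}")
    return problems


# Constructed samples. The text after <PRI> imitates the log line format shown
# in the display log buffer example; the exact wire payload is an assumption.
SAMPLES = [
    "<155>AAA Jun. 25 09:11:32.579848 ERROR AAA_NOTIFY_ERR: constructed",  # local3, error
    "<35>AAA Jun. 25 09:11:33.000000 ERROR AAA_NOTIFY_ERR: constructed",   # facility 4, error
    "<158>SYS Jun. 25 09:11:34.000000 INFO constructed",                   # local3, info
]

if __name__ == "__main__":
    # Target assumed to be configured with severity error and local-facility 3.
    for line in SAMPLES:
        print(line[:5], check_message(line, "error", local_facility=3) or "ok")
```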

See Also

• display log config on page 714
• clear log on page 711


Defaults - Mark messages are disabled by default. When they are enabled, MSS generates a message at the notice level once every 300 seconds by default.

Access - Enabled.

History - Introduced in MSS Version 4.1.

Examples - The following command enables mark messages:

WX1200# set log mark enable
success: change accepted.

See Also

• display log config on page 714


Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).

CAUTION: Generally, boot prompt commands are used only for troubleshooting. 3Com recommends that you use these commands only when working with 3Com Technical Support to diagnose a system issue. In particular, commands that change boot parameters can interfere with a WX switch's ability to boot successfully.

722 CHAPTER 24: BOOT PROMPT COMMANDS

Table 120 Boot Prompt Commands by Usage (continued)

Boot Profile Management, cont.
• display on page 730
• create on page 726
• next on page 735
• change on page 725
• delete on page 727

Diagnostics
• diag on page 729
• test on page 737

Syntax - autoboot [ON | on | OFF | off]

• ON - Enables the autoboot option.
• on - Same effect as ON.
• OFF - Disables the autoboot option.
• off - Same effect as OFF.

Defaults - The autoboot option is enabled by default.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.

Examples - The following command displays the current setting of the autoboot option:

boot> autoboot

The autoboot flag is on.

See Also

• boot on page 723


Syntax - boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num] [OPT=option] [OPT+=option]

• BT=type - Boot type:
  • c - Compact flash. Boots using nonvolatile storage or a flash card.
  • n - Network. Boots using a TFTP server.
• DEV=device - Location of the system image file:
  • c: - Nonvolatile storage area containing boot partition 0
  • d: - Nonvolatile storage area containing boot partition 1
  • e: - Primary partition of the flash card in the flash card slot
  • f: - Secondary partition of the flash card in the flash card slot
  • boot0 - boot partition 0
  • boot1 - boot partition 1
• FN=filename - System image filename.
• HA=ip-addr - Host address (IP address) of a TFTP server. This parameter applies only when the boot type is n (network).
• FL=num - Number representing the bit settings of boot flags to pass to the booted system image. Use this parameter only if advised to do so by 3Com.
• OPT=option - String up to 128 bytes of boot options to pass to the booted system image instead of the boot option(s) in the currently active boot profile. The options temporarily replace the options in the boot profile. Use this parameter only if advised to do so by 3Com.
• OPT+=option - String up to 128 bytes of boot options to pass to the booted system image in addition to the boot option(s) in the currently active boot profile. The options are appended to the options already in the boot profile. Use this parameter only if advised to do so by 3Com.

Defaults - The boot settings in the currently active boot profile are used by default.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.


Usage - If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the display command. To change the currently active boot profile, use the change command.

Examples - The following command loads system image file WXA30001.Rel from boot partition 1:

boot> boot FN=WXA03001.Rel DEV=boot1

Compact Flash load from boot0:WXA03001.Rel. unzip: Inflating ramdisk_3.0.1_092304_WX4400 OK unzip file len 36196930 OK

Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 The NetBSD Foundation, Inc. All rights reserved.

Copyright (c) 1982, 1986, 1989, 1991, 1993

The Regents of the University of California. All rights reserved.

Detecting hardware...done. readclock: 2004-9-29 21:45:7.31 UTC

system initialized (3.0.1), starting MSS Executing update_3

Starting supervisor 3.0.1_092304_WX4400 ...

SNMPD Sep 29 21:45:34.262293 NOTICE SNMPD: SNMP Agent Resident Module Version 16.1.0.0

SNMPD Sep 29 21:45:34.263146 NOTICE SNMPD: Copyright (c) 2004 3Com Corporation. All rights reserved.

SYS Sep 29 21:45:36.849457 NOTICE Port 1 up 1000 Full Duplex

SYSLOGD Sep 29 21:45:38.857125 ALERT SYSTEM_READY: The system has finished booting. (cause was "Warm Reboot")

Copyright (c) 2004 3Com Corporation. All rights reserved.

Username:

See Also

• change on page 725
• display on page 730


The following command enters the configuration mode for the currently active boot profile and configures the WX switch (in this example, a WXR100) to boot using a TFTP server:

boot> change

Changing the default configuration is not recommended.

Are you sure that you want to proceed? (y/n)y

Syntax - create

Defaults - The new boot profile has the same settings as the currently active boot profile by default.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.


Usage - A WX switch can have up to four boot profiles. The boot profiles are stored in slots, numbered 0 through 3. When you create a new profile, the system uses the next available slot for the profile. If all four slots already contain profiles and you try to create a fifth profile, the switch displays a message advising you to change one of the existing profiles instead.

To make a new boot profile the currently active boot profile, use the next command. To change boot parameter settings, use the change command.

Examples - The following command creates a new boot profile in slot 1 on a WX switch that currently has only one boot profile, in slot 0:

boot> create

Syntax - delete

Defaults - None.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.


Usage - When you type the delete command, the next-lower numbered boot profile becomes the active profile. For example, if the currently active profile is number 3, profile number 2 becomes active after you type delete to delete profile 3. You cannot delete boot profile 0.

Examples - To remove the currently active boot profile, type the following command:

boot> delete

Syntax - dhcp [ON | on | OFF | off]

• ON - Enables the DHCP option.
• on - Same effect as ON.
• OFF - Disables the DHCP option.
• off - Same effect as OFF.

Defaults - The DHCP option is disabled by default.

Access - Boot prompt.

History - Introduced in MSS Version 1.0.


Access - Boot prompt.

History - Introduced in MSS Version 3.0.

Usage - To display the system image software versions, use the fver command. This command does not list the boot code versions. To display the boot code versions, use the version command.

Examples - The following command displays all the boot code and system image files on a WX switch:

boot> dir

• Boot type - Either compact flash (local device on the WX switch) or network (TFTP)
• Boot device - Location of the system image file
• Filename - System image file
• Flags - Number representing the bit settings of boot flags to pass to the booted system image.
• Options - String up to 128 bytes of boot options to pass to the booted system image


A WX switch can have up to four boot profiles, numbered 0 through 3. Only one boot profile can be active at a time. You can create, change, and delete boot profiles. You also can activate another boot profile in place of the currently active one.

Syntax - display

Defaults - None.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.

Examples - To display the currently active boot profile, type the following command at the boot prompt:

boot> display

BOOT Index: 0

BOOT TYPE: c

DEVICE: boot1:

FILENAME: default

FLAGS: 00000000

OPTIONS: run=nos;boot=0

Table 121 describes the fields in the display.

Table 121 Output of display command


Syntax - fver {c: | d: | e: | f: | boot0: | boot1:} [filename]

• c: - Nonvolatile storage area containing boot partition 0 (primary).
• d: - Nonvolatile storage area containing boot partition 1 (secondary).
• e: - Primary partition of the flash card in the flash card slot.
• f: - Secondary partition of the flash card in the flash card slot.
• boot0: - Boot partition 0.
• boot1: - Boot partition 1.
• filename - System image filename.

Defaults - None.


Access - Boot prompt.

History - Introduced in MSS Version 3.0.

Usage - To display the image filenames, use the dir command. This command does not list the boot code versions. To display the boot code versions, use the version command.

Examples - The following command displays the system image version installed in boot partition 1:

boot> fver boot1

File boot1:default version is 3.0.1.

See Also

• dir on page 729
• version on page 738

Syntax - help [command-name]

• command-name - Boot prompt command.

Defaults - None.

Access - Boot prompt.

History - Introduced in MSS Version 3.0.

Usage - If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed.


Examples - The following command displays detailed information for the fver command:

boot> help fver

fver Display the version of the specified device:filename.

USAGE: fver [c:file|d:file|e:file|f:file|boot0:file|boot1:file| boot2:file|boot3:file]


information about boot profiles, see display on page 730.)

Syntax – next

Defaults – None.

Access – Boot prompt.

History – Introduced in MSS Version 3.0.

Usage – A WX switch contains 4 boot profile slots, numbered 0 through 3. This command activates the boot profile in the next slot, in ascending numerical order. If the currently active slot is 3, the command activates the boot profile in slot 0.


Examples – To activate the boot profile in the next slot and display the profile, type the following command:

boot> next


3Com WX-4400 Bootstrap/Bootloader

Version 3.0.2 Release

Compiled on Wed Sep 22 09:18:47 PDT 2004 by


Examples – The following command displays the current setting of the poweron test flag:

boot> test

The diagnostic execution flag is not set.

WX-4400 Board Revision: 2.

WX-4400 Controller Revision: 5.

See Also

• dir on page 729

• fver on page 732

Solve Problems

Online

3Com offers the following support tool:

• 3Com Knowledgebase – Helps you to troubleshoot 3Com products. This query-based interactive tool is located at:

http://knowledgebase.3com.com

It contains thousands of technical solutions written by 3Com support engineers.


Telephone Technical Support and Repair

To obtain telephone support as part of your warranty and other service benefits, you must first register your product at:

http://eSupport.3com.com/

When you contact 3Com for assistance, please have the following information ready:

• Product model name, part number, and serial number

• A list of system hardware and software, including revision level

• Diagnostic error messages

• Details about recent configuration changes, if applicable

To send a product directly to 3Com for repair, you must first obtain a return materials authorization number (RMA). Products sent to 3Com without authorization numbers clearly marked on the outside of the package will be returned to the sender unopened, at the sender's expense. If your product is registered and under warranty, you can obtain an RMA number online at http://eSupport.3com.com/. First-time users must apply for a user name and password.

Telephone numbers are correct at the time of publication. Find a current directory of 3Com resources by region at: http://csoweb4.3com.com/contactus/


Pakistan Call the U.S. direct by dialing 00 800 01001, then dialing 800 763 6780

Sri Lanka Call the U.S. direct by dialing 02 430 430, then dialing 800 763 6780

Vietnam Call the U.S. direct by dialing 1 201 0288, then dialing 800 763 6780

You can also obtain non-urgent support in this region at this email address: apr_technical_support@3com.com. To request a return material authorization number (RMA), send a FAX to +61 2 9937 5048 or an email to ap_rma_request@3com.com

Europe, Middle East, and Africa – Telephone Technical Support and Repair

From anywhere in these regions not listed below, call: +44 1442 435529

From the following countries, call the appropriate number:

You can also obtain support in this region using this URL: http://emea.3com.com/support/email.html

You can also obtain non-urgent support in this region at these email addresses:

Technical support and general requests: customer_support@3com.com

Return material authorization: warranty_repair@3com.com

Contract requests: emea_contract@3com.com

You can also obtain support in this region in the following ways:

• Spanish speakers, enter the URL: http://lat.3com.com/lat/support/form.html

• Portuguese speakers, enter the URL: http://lat.3com.com/br/support/form.html

• English speakers in Latin America, send e-mail to: lat_support_anc@3com.com

