
240 CHAPTER 8: AAA COMMANDS

Usage — You can configure different authentication methods for different groups of MAC addresses by “globbing.” (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 26.)

If you specify multiple authentication methods in the set authentication mac command, MSS applies them in the order in which they appear in the command, with these results:

- If the first method responds with pass or fail, the evaluation is final.
- If the first method does not respond, MSS tries the second method, and so on. However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group.

If the switch’s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user’s MAC address, MSS uses the method specified by the command. Otherwise, MSS uses local MAC authentication by default.

If the username does not match an authentication rule for the SSID the user is attempting to access, MSS uses the fallthru authentication type configured for the SSID, which can be last-resort, web (for WebAAA), or none.

Examples — To use the local WX database to authenticate all users who access the mycorp2 SSID by their MAC address, type the following command:

    WX4400# set authentication ssid mycorp2 mac ** local
    success: change accepted.
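The method-ordering rules described under Usage, modeled as an added example (not code from the 3Com manual or from MSS). The rule list, server group names, MAC addresses, the simplified glob matching, first-match rule selection, and the deny result when no method answers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

PASS, FAIL, NO_RESPONSE = "pass", "fail", "no-response"


@dataclass
class MacRule:
    """One `set authentication ssid <ssid> mac <glob> <methods...>` rule."""
    ssid: str
    mac_glob: str
    methods: List[str]  # "local" or the name of a RADIUS server group


def mac_glob_matches(glob: str, mac: str) -> bool:
    # Simplified glob handling (assumption): "*" or "**" matches every
    # address, "aa:bb:cc:*" matches on leading bytes, otherwise exact match.
    glob, mac = glob.lower(), mac.lower()
    if glob in ("*", "**"):
        return True
    if glob.endswith(":*"):
        return mac.startswith(glob[:-1])
    return glob == mac


def select_methods(rules: List[MacRule], ssid: str, mac: str) -> List[str]:
    # A rule applies only when both the SSID and the MAC address match.
    # Taking the first matching rule in configuration order is an assumption.
    for rule in rules:
        if rule.ssid == ssid and mac_glob_matches(rule.mac_glob, mac):
            return rule.methods
    return ["local"]  # no matching rule: local MAC authentication by default


def evaluate(methods: List[str], mac: str, local_db: Set[str],
             radius_groups: Dict[str, Callable[[str], str]]
             ) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the methods in order; return (result, trace of each attempt)."""
    trace = []
    for index, method in enumerate(methods):
        if method == "local":
            result = PASS if mac.lower() in local_db else FAIL
        else:
            result = radius_groups[method](mac)
        trace.append((method, result))
        if result == NO_RESPONSE:
            continue  # silent method: try the next one
        # Special case: a failed local search is ignored when local is listed
        # first and a RADIUS server group follows it.
        if (result == FAIL and method == "local" and index == 0
                and len(methods) > 1 and methods[1] != "local"):
            continue
        return result, trace  # a pass or fail answer is final
    # Assumption: if no method produced a usable answer, deny access.
    return FAIL, trace


def authenticate(rules, ssid, mac, local_db, radius_groups):
    methods = select_methods(rules, ssid, mac)
    return evaluate(methods, mac, local_db, radius_groups)


# Constructed sample data (hypothetical addresses and group names).
LOCAL_MAC = "00:11:22:33:44:55"    # present only in the local WX database
RADIUS_MAC = "66:77:88:99:aa:bb"   # known only to the RADIUS group "grp-up"
LOCAL_DB = {LOCAL_MAC}
RADIUS_GROUPS = {
    "grp-up": lambda mac: PASS if mac.lower() == RADIUS_MAC else FAIL,
    "grp-down": lambda mac: NO_RESPONSE,  # servers unreachable
}
RULES = [
    MacRule("mycorp2", "**", ["local"]),
    MacRule("guest", "**", ["local", "grp-up"]),
    MacRule("lab", "**", ["grp-down", "local"]),
    MacRule("eng", "00:11:22:*", ["grp-up", "local"]),
]

if __name__ == "__main__":
    for ssid, mac in [("mycorp2", LOCAL_MAC), ("guest", RADIUS_MAC),
                      ("lab", LOCAL_MAC), ("eng", LOCAL_MAC),
                      ("unlisted", LOCAL_MAC)]:
        result, trace = authenticate(RULES, ssid, mac, LOCAL_DB, RADIUS_GROUPS)
        print(f"{ssid:9} {mac}  {result:5} via {trace}")
```

The "eng" case shows why method order matters when reviewing a configuration: the RADIUS group answers fail first, so the local entry for the same address is never consulted.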

See Also

- clear authentication mac on page 208
- display aaa on page 219
- set authentication admin on page 229
- set authentication console on page 231
- set authentication dot1x on page 233
- set authentication last-resort on page 236
- set authentication web on page 242

Summary of Contents for OfficeConnect WX1200

Page 1: ...http www 3com com Part No 10015086 Published April 2006 Wireless LAN Mobility System Wireless LAN Switch and Controller Command Reference WX4400 3CRWX440095A WX1200 3CRWX120695A WXR100 3CRWXR10095A...


Page 152: ...uced in MSS Version 4 0 display snmp notify profile Displays SNMP notification profiles Syntax display snmp notify profile Defaults None Access Enabled History Introduced in MSS Version 4 0 See Also c...

Page 153: ...Enabled History Introduced in MSS Version 4 0 See Also set snmp community on page 175 set snmp notify target on page 181 set snmp notify profile on page 177 set snmp protocol on page 186 set snmp secu...

Page 154: ...ertime offset by default Access All History Introduced in MSS Version 3 0 Examples To display the summertime setting on a WX switch type the following command WX1200 display summertime Summertime is e...

Page 155: ...et on a WX switch s real time clock type the following command WX1200 display timedate Sun Feb 29 2004 23 59 02 PST See Also clear summertime on page 135 clear timezone on page 136 display summertime...

Page 156: ...t num packets dnf flood interval time size size source ip ip addr vlan name host IP address MAC address hostname alias or user to ping count num packets Number of ping packets to send You can specify...

Page 157: ...ed History Introduced in MSS Version 3 0 Usage To stop a ping command that is in progress press Ctrl C Examples The following command pings a WX switch that has IP address 10 1 1 1 WX1200 ping 10 1 1...

Page 158: ...ntry is automatically removed if the entry ages out or after a reboot reset or power cycle ip addr IP address of the entry in dotted decimal notation mac addr MAC address to map to the IP address Use...

Page 159: ...ess Enabled History Introduced in MSS Version 3 0 Usage Aging applies only to dynamic entries To reset the ARP aging timeout to its default value use the set arp agingtime 1200 command Examples The fo...

Page 160: ...rface If you replace an interface that is in use as the system IP address replacing the interface can interfere with system tasks that use the system IP address including the following Mobility domain...

Page 161: ...efault on all other switch models and is disabled on a WXR100 if the switch is already configured or the factory reset switch is not pressed and held during power on Access Enabled History Introduced...

Page 162: ...dress range also called the address pool stop ip addr2 Specifies the ending address of the address range Defaults The DHCP server is enabled by default on a new unconfigured WXR100 in order to provide...

Page 163: ...status Administratively disables or reenables an IP interface Syntax set interface vlan id status up down vlan id VLAN name or number up Enables the interface down Disables the interface Defaults IP...

Page 164: ...MSS Version 3 0 Examples The following command configures the alias HR1 for IP address 192 168 1 2 WX4400 set ip alias HR1 192 168 1 2 success change accepted See Also clear ip alias on page 128 displ...

Page 165: ...ccess Enabled Usage To override the default domain name when entering a hostname in a CLI command enter a period at the end of the hostname For example if the default domain name is example com enter...

Page 166: ...primary server does not reply Defaults None Access Enabled Usage You can configure a WX switch to use one primary DNS server and up to five secondary DNS servers Examples The following commands config...

Page 167: ...to disabled in 3 1 In addition the HTTPS server is no longer required for WebAAA Examples The following command enables the HTTPS server on a WX switch WX1200 set ip https server enable success change...

Page 168: ...you add a static route use the display interface command to verify that the WX switch has an IP interface in the same subnet as the route s next hop router If not the VLAN Interface field of the disp...

Page 169: ...te from a WX switch to any host on the 192 168 4 x subnet through the local router 10 5 4 2 and gives the route a cost of 1 WX4400 set ip route 192 168 4 0 255 255 255 0 10 5 4 2 1 success change acce...

Page 170: ...re Shell SSH management traffic CAUTION If you change the SSH port number from an SSH session MSS immediately ends the session To open a new management session you must configure the SSH client to use...

Page 171: ...s supported on a WX switch is eight If Telnet is also enabled the WX switch can have up to eight Telnet or SSH sessions in any combination and one Console session See Also crypto generate key on page...

Page 172: ...ch CAUTION If you disable the Telnet server Telnet access to the WX switch is also disabled Syntax set ip telnet server enable disable enable Enables the Telnet server disable Disables the Telnet serv...

Page 173: ...n 3 0 Usage If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes convergence of the WX time can take many NTP update intervals 3Com recommends t...

Page 174: ...queries all the servers and selects the best response based on the method described in RFC 1305 Network Time Protocol Version 3 Specification Implementation and Analysis To use NTP you also must enab...

Page 175: ...nge accepted See Also clear ntp server on page 131 clear ntp update interval on page 132 display ntp on page 149 set ntp on page 173 set ntp server on page 174 set snmp community Configures a communit...

Page 176: ...nd private for read write to blank in MSS Version 3 1 Default strings removed and new access types added for SNMPv3 read notify notify only notify read write in MSS Version 4 0 Usage SNMP community st...

Page 177: ...e Name of the notification profile you are creating or modifying The profile name can be up to 32 alphanumeric characters long with no spaces To modify the default notification profile specify default...

Page 178: ...ted when a client experiences an 802 1X failure ClientRoamingTraps Generated when a client roams CounterMeasureStartTraps Generated when MSS begins countermeasures against a rogue access point Counter...

Page 179: ...th a third party AP RFDetectDoSPortTraps Generated when MSS detects an associate request flood reassociate request flood or disassociate request flood RFDetectDoSTraps Generated when MSS detects a DoS...

Page 180: ...r all RF detection notification types WX1200 set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps success change accepted WX1200 set snmp notify profile snmpprof_rfdetect send RFDetec...

Page 181: ...otify profile on page 133 set ip snmp server on page 169 set snmp community on page 175 set snmp notify target on page 181 set snmp protocol on page 186 set snmp security on page 187 set snmp usm on p...

Page 182: ...arget Specify ip if the ip hex hex string target s SNMP engine ID is based on its IP address If the target s SNMP engine ID is a hexadecimal value use hex hex string to specify the value profile profi...

Page 183: ...name Notification profile this SNMP user will use to specify the notification types to send or drop security Specifies the security level and is applicable only unsecured when the SNMP version is usm...

Page 184: ...ile profile name target num ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 ip addr udp port n...

Page 185: ...cknowledgements The inform option is applicable to SNMP version v2c or usm only Examples The following command configures a notification target for acknowledged notifications WX1200 set snmp notify ta...

Page 186: ...versions of SNMP enable Enables the specified SNMP version s disable Disables the specified SNMP version s Defaults All SNMP versions are disabled by default Access Enabled History Introduced in MSS V...

Page 187: ...not encrypted encrypted SNMP message exchanges are authenticated and encrypted auth req unsec notify SNMP message exchanges are authenticated but are not encrypted and notifications are neither authe...

Page 188: ...e auth type none md5 sha auth pass phrase string auth key hex string encrypt type none des 3des aes encrypt pass phrase string encrypt key hex string usm username Name of the SNMPv3 user Specify betwe...

Page 189: ...h type none md5 sha auth pass phrase string auth key hex string Specifies the authentication type used to authenticate communications with the remote SNMP engine You can specify one of the following n...

Page 190: ...ssociated with the local SNMP engine ID This user can send traps to notification receivers WX 1200 set snmp usm snmpmgr1 snmp engine id local success change accepted The following command creates USM...

Page 191: ...of the year to start or end the time change Valid values are jan feb mar apr may jun jul aug sep oct nov and dec hour Hour to start or end the time change a value between 0 and 23 on the 24 hour cloc...

Page 192: ...The system IP address determines the interface or source IP address MSS uses for system tasks including the following Mobility domain operations Topology reporting for dual homed MAP access points De...

Page 193: ...tch Syntax set timedate date mmm dd yyyy time hh mm ss date mmm dd yyyy System date mmm month dd day yyyy year time hh mm ss System time in hours minutes and seconds Defaults None Access Enabled Histo...

Page 194: ...minutes that the wireless LAN switch s real time clock is offset from Coordinated Universal Time UTC These values are also used by Network Time Protocol NTP if it is enabled Syntax set timezone zone...

Page 195: ...of the remote device hostname Hostname of the remote device port port num TCP port number on which the TCP server on the remote device listens for Telnet connections Defaults MSS attempts to establis...

Page 196: ...oration All rights reserved Username username Password password WX1200 remote display vlan Admin VLAN Tunl Port VLAN Name Status State Affin Port Tag State 1 default Up Up 5 3 none Up 3 red Up Up 5 10...

Page 197: ...rforming a DNS lookup for each hop to the destination host port port num TCP port number listening for the traceroute probes queries num Number of probes per hop size size Probe packet size in bytes Y...

Page 198: ...host An exclamation point following any of these values indicates that the Port Unreachable message returned by the destination has a maximum hop count of 0 or 1 This can occur if the destination use...

Page 199: ...on page 156 F Fragmentation needed but Do Not Fragment DNF bit was set S Source route failed A Communication administratively prohibited Unknown error occurred Table 40 Error messages for traceroute...

Page 200: ...200 CHAPTER 7 IP SERVICES COMMANDS...

Page 201: ...y Use Table 41 to locate commands in this chapter based on their use Table 41 AAA Commands by Usage Type Command Authentication set authentication console on page 231 set authentication admin on page...

Page 202: ...r mac usergroup attr on page 214 clear mac user group on page 212 clear mac usergroup on page 213 Web authorization set web portal on page 262 Accounting set accounting admin console on page 225 set a...

Page 203: ...control MAC address user glob Single user or set of users with administrative access or network access Specify a username use the double asterisk wildcard character to specify all usernames or use the...

Page 204: ...to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The follow...

Page 205: ...ge 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 The syntax descriptions for the clear authentication commands have been separated for clarity However the options and behavior...

Page 206: ...racter to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduce...

Page 207: ...entication port Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes a last resort authentication rule for wired authentication access WX4400 clear...

Page 208: ...character to specify a set of MAC addresses For details see MAC Address Globs on page 27 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes a MAC...

Page 209: ...The following command removes the proxy rule for SSID mycorp and userglob WX4400 clear authentication proxy ssid mycorp See Also set authentication proxy on page 241 display aaa on page 219 clearauthe...

Page 210: ...ay aaa on page 219 clear location policy Removes a rule from the location policy on a WX switch Syntax clear location policy rule number rule number Index number of a location policy rule to remove fr...

Page 211: ...MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Deleting a MAC user s profile fro...

Page 212: ...ization attributes see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes an access control list ACL from the profile of a u...

Page 213: ...usergroup on page 213 display aaa on page 219 set mac user on page 248 clear mac usergroup Removes a user group from the local database on the WX switch for a group of users who are authenticated by a...

Page 214: ...ing MAC user group attribute name Name of an attribute used to authorize the MAC users in the user group for a particular service or session characteristic For a list of authorization attributes see T...

Page 215: ...d See Also set mobility profile on page 255 set mobility profile mode on page 257 display mobility profile on page 224 clear user Removes a user profile from the local database on the WX switch for a...

Page 216: ...e the documentation for your RADIUS server Syntax clear user username attr attribute name username Username of a user with a password attribute name Name of an attribute used to authorize the user for...

Page 217: ...me from the user s profile but does not delete either the user or the user group from the local WX database To remove the group use clear usergroup Examples The following command removes the user Nin...

Page 218: ...display aaa on page 219 set usergroup on page 261 clear usergroup attr Removes an authorization attribute from a user group in the local database on the WX switch To remove an authorization attribute...

Page 219: ...x display aaa Defaults None Access Enabled History Introduced in MSS Version 3 0 Web Portal section added to indicate the state of the WebAAA feature in MSS Version 4 0 Examples To display all current...

Page 220: ...oup eastcoasters session timeout 99 Table 42 describes the fields that can appear in display aaa output Table 42 display aaa Output Field Description Default Values RADIUS default values for all param...

Page 221: ...ervers Information about active RADIUS servers Server Name of each RADIUS server currently active Addr IP address of each RADIUS server currently active Ports UDP ports that the WX switch uses for aut...

Page 222: ...stored accounting records type the following command WX4400 display accounting statistics Sep 26 11 01 48 Acct Status Type START Acct Authentic 2 User Name geetha AAA_TTY_ATTR 2 Event Timestamp 106459...

Page 223: ...anuary 1 1970 at which the event was triggered See RFC 2869 for more information Acct Session Time Number of seconds that the session has been online Acct Output Octets Number of octets the WX switch...

Page 224: ...ocation policy Id Clauses 1 deny if user eq theirfirm com 2 permit vlan guest_1 if vlan neq wodefirm com 3 permit vlan bld4 tac inacl tac_24 in if user eq ny wodefirm com See Also clear location polic...

Page 225: ...access to the WX switch through Telnet or Web Manager console Users with administrative access to the WX switch through a console connection user glob Single user or set of users with administrative...

Page 226: ...mote Authentication Dial In User Service RADIUS servers You can also enter the names of existing RADIUS server groups as methods Defaults Accounting is disabled for all users by default Access Enabled...

Page 227: ...le specifically to users who are authenticated on a wired authentication port user glob Single user or set of users with administrative access or network access Specify a username use the double aster...

Page 228: ...ecords on one or more Remote Authentication Dial In User Service RADIUS servers You can also enter the names of existing RADIUS server groups as methods Defaults Accounting is disabled for all users b...

Page 229: ...r them A method can be one of the following local Uses the local database of usernames and user groups on the WX switch for authentication server group name Uses the defined group of RADIUS servers fo...

Page 230: ...n However if local appears first followed by a RADIUS server group MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group If a AAA rule...

Page 231: ...at MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local...

Page 232: ...ods in the set authentication console command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is fina...

Page 233: ...fy a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter cha...

Page 234: ...rver EAP MD5 does not work with Microsoft wired authentication clients method1 method2 method3 method4 At least one and up to four methods that MSS uses to handle authentication Specify one or more of...

Page 235: ...mand MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MS...

Page 236: ...1x on page 206 display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication last resort on page 236 set authentication mac on page 239 set aut...

Page 237: ...unting are also disabled for these users When using RADIUS for authentication a last resort user s default authorization password is 3Com Access Enabled History Introduced in MSS Version 3 0 Usage You...

Page 238: ...name to the user name last resort For example if the requested SSID is mycorp MSS attempts to authenticate the user last resort mycorp If the RADIUS server or local database used as the authenticatio...

Page 239: ...Globs on page 27 method1 method2 method3 method4 At least one of up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies mu...

Page 240: ...nfiguration contains a set authentication mac command that matches the SSID the user is attempting to access and the user s MAC address MSS uses the method specified by the command Otherwise MSS uses...

Page 241: ...AN Globs on page 26 radius server group A group of RADIUS servers used for authentication Defaults None Access Enabled History Introduced in MSS 4 0 Usage AAA for third party AP users has additional c...

Page 242: ...all SSIDs type any wired Applies this authentication rule specifically to users connected to a wired authentication port method1 method2 method3 method4 At least one and up to four methods that MSS us...

Page 243: ...not respond MSS tries the second method and so on However if local appears first followed by a RADIUS server group MSS overrides any failed searches in the local WX database and sends an authenticatio...

Page 244: ...lob user operator user glob port port list dap dap num before rule number modify rule number deny Denies access to the network to users with characteristics that match the location policy rule permit...

Page 245: ...se the double asterisk wildcard character to specify all VLAN names or use the single asterisk wildcard character to specify a set of VLAN names up to or following the first delimiter character either...

Page 246: ...ANDed All conditions in the rule must match for MSS to take the specified action If the location policy contains multiple rules MSS compares the user information to the rules one at a time in the ord...

Page 247: ...tac_24 to the traffic they receive WX4400 set location policy permit vlan bld4 tac outacl tac_24 if user eq ny ourfirm com The following command authorizes access to users on VLANs with names matchin...

Page 248: ...leading zeros group name Name of an existing MAC user group Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage MSS does not require MAC users to belong to user groups Users auth...

Page 249: ...at you can assign to local users see Table 44 Table 44 Authentication Attributes for Local Users Attribute Description Valid Value s encryption type Type of encryption required for access by the clien...

Page 250: ...are valid filter id Profile acl1 filter id OutboundACL acl2 filter id Profile acl1 OutboundACL acl2 Each example goes on a single line on the server The format in which to specify the values depends o...

Page 251: ...mpt access and network users receive Framed access session timeout network access mode only Maximum number of seconds for the user s session Number between 0 and 4 294 967 296 seconds approximately 13...

Page 252: ...onal mo Monday tu Tuesday we Wednesday th Thursday fr Friday sa Saturday su Sunday wk Any day between Monday and Friday Separate values or a series of ranges except time ranges with commas or a vertic...

Page 253: ...in as soon as the user start date The MAC user does not need to wait for the MAC user group s start date url network access mode only URL to which the user is redirected after successful WebAAA Web UR...

Page 254: ...212 display aaa on page 219 set mac usergroup attr Creates a user group in the local database on the WX switch for users who are authenticated by a MAC address and assigns authorization attributes fo...

Page 255: ...LAN orange WX4400 set mac usergroup eastcoasters attr vlan name orange success change accepted See Also clear mac usergroup attr on page 214 display aaa on page 219 set mobility profile Creates a Mobi...

Page 256: ...ty profile name set mac usergroup attr mobility profile name To enable the use of the Mobility Profile feature on the WX switch use the set mobility profile mode command CAUTION When the Mobility Prof...

Page 257: ...e on the WX switch CAUTION When the Mobility Profile feature is enabled a user is denied access if assigned a Mobility Profile attribute in the local WX switch database or RADIUS server when no Mobili...

Page 258: ...SS does not encrypt the displayed form of the password string and instead displays the string exactly as you entered it If you omit this option MSS does encrypt the displayed form of the string passwo...

Page 259: ...rd To assign authorization attributes in RADIUS see the documentation for your RADIUS server Syntax set user username attr attribute name value username Username of a user with a password attribute na...

Page 260: ...change accepted The following command assigns Tamara to the Mobility Profile tulip WX4400 set user Tamara attr mobility profile tulip success change accepted The following command limits the days and...

Page 261: ...ization attributes in RADIUS see the documentation for your RADIUS server Syntax set usergroup group name attr attribute name value group name Name of a group for password users Specify a name of up t...

Page 262: ...rdiology attr vlan name crimson success change accepted See Also clear usergroup on page 217 clear usergroup attr on page 218 display aaa on page 219 set web portal Globally enables or disables WebAAA...

Page 263: ...set web portal 263 See Also clear authentication proxy on page 209 set service profile auth fallthru on page 374 set user on page 258...

Page 264: ...264 CHAPTER 8 AAA COMMANDS...

Page 265: ...ersion on all the WX switches in a Mobility Domain Commands by Usage This chapter presents Mobility Domain commands alphabetically Use Table 45 to locate commands in this chapter based on their use Ta...

Page 266: ...r a Mobility Domain from a WX switch within the domain type the following command WX1200 clear mobility domain success change accepted See Also clear mobility domain member on page 266 set mobility do...

Page 267: ...ig Displays the configuration of the Mobility Domain Syntax display mobility domain config Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays th...

Page 268: ...4 STATE_UP SEED Table 46 describes the fields in the display See Also clear mobility domain on page 266 set mobility domain member on page 269 set mobility domain mode member seed ip on page 270 Table...

Page 269: ...ge This command must be entered from the seed WX switch Examples The following commands add three WX switches with the IP addresses 192 168 1 8 192 168 1 9 and 192 168 1 10 as members of a Mobility Do...

Page 270: ...ation Syntax set mobility domain mode member seed ip ip addr ip addr IP address of the Mobility Domain member in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version...

Page 271: ...current WX switch must have its IP address set with the set system ip address command After you enter this command all Mobility Domain traffic is sent and received from the specified IP address You mu...

Page 272: ...272 CHAPTER 9 MOBILITY DOMAIN COMMANDS...

Page 273: ...X switches serve as a seed switch At least one of the Network Domain seeds maintains a connection with each of the member WX switches in the Network Domain The Network Domain seeds share information a...

Page 274: ...rt of a Network Domain To clear a Network Domain from a WX switch within the domain type the following command WX1200 clear network domain This will clear all network domain configuration Would you li...

Page 275: ...History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as part of a Network Domain Examples The following command clears the Network Domain member configurat...

Page 276: ...WX switch Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as a Network Domain seed Examples The following command clears...

Page 277: ...n seed in dotted decimal notation Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as part of a Network Domain or if the W...

Page 278: ...itch that is a Network Domain member the following output is displayed WX1200 display network domain Member Network Domain name California Member State Mode 10 8 107 1 UP SEED On a WX switch that is a...

Page 279: ...f the other seeds in the Network Domain State State of the connection between the WX switch and the peer Network Domain seeds UP DOWN Member IP addresses of the seed WX switch and members in the Netwo...

Page 280: ...on the WX switch When the WX switch needs to connect to a Network Domain seed it first attempts to connect to the seed with the highest affinity If that seed is unavailable the WX attempts to connect...

Page 281: ...that all the Network Domain seeds have the same database of VLAN information Syntax set network domain peer ip addr ip addr IP address of the Network Domain seed to specify as a peer in dotted decimal...

Page 282: ...e WX switches as Network Domain seeds If you do this you must identify them as peers by using the set network domain peer command Examples The following command creates a Network Domain named Californ...

Page 283: ...ountry code after MAP configuration disables MAP access points and deletes their configuration If you change the country code on a WX switch you must reconfigure all MAP access points MAP Access Point...

Page 284: ...page 376 Radio Properties set radio profile 11g only on page 347 set radio profile beacon interval on page 355 set radio profile rts threshold on page 365 set radio profile frag threshold on page 358...

Page 285: ...90 set service profile shared key auth on page 384 display service profile on page 321 clear service profile on page 289 RF Auto Tuning set radio profile auto tune channel config on page 349 set radio...

Page 286: ...set ap dap radio mode on page 341 Dual Homing set ap dap bias on page 328 Load Balancing set ap dap group on page 332 display ap dap group on page 303 MAP Administration and Maintenance set ap dap na...

Page 287: ...3 WX1200 clear ap 3 radio 2 Table 50 Radio Specific Parameters Parameter Default Value Description channel 802 11b 6 802 11a Lowest valid channel number for the country of operation Number of the chan...

Page 288: ...threshold service profile short retry For information about these parameters see the set radio profile commands that use them Defaults If you reset an individual parameter the parameter is returned to...

Page 289: ...400 clear radio profile rptest success change accepted See Also display radio profile on page 317 set ap dap radio radio profile on page 343 set radio profile mode on page 362 clear service profile Re...

Page 290: ...de on page 362 display ap dap config Displays global and radio specific settings for a MAP access point Syntax display ap config port list radio 1 2 Syntax display dap config dap num radio 1 2 port li...

Page 291: ...DAP1 boot download enable YES Radio 1 type 802 11a mode disabled channel dynamic tx pwr 11 profile default auto tune max power default min client rate 24 max retransmissions 10 Table 51 describes the...

Page 292: ...channel Channel number antennatype External antenna model if applicable tx pwr Transmit power in dBm profile Radio profile that manages the radio Until you assign the radio to a radio profile MSS assi...

Page 293: ...set ap dap radio antennatype on page 334 set ap dap radio channel on page 339 set ap dap radio radio profile on page 343 set ap dap radio tx power on page 344 auto tune max retransmissions Maximum per...

Page 294: ...d MAP for which to display statistics counters radio 1 Shows statistics counters for radio 1 radio 2 Shows statistics counters for radio 2 This option does not apply to single radio models Defaults No...

Page 295: ...v Phy Err Ct 0 Transmit Retries 60501 Radio Adjusted Tx Pwr 15 Noise Floor 93 802 3 Packet Tx Ct 0 802 3 Packet Rx Ct 0 No Receive Descriptor 0 TxUniPkt TxUniByte RxPkt RxByte UndcrptPkt TxMultiPkt Tx...

Page 296: ...te a problem in the RF environment TKIP Pkt Transfer Ct Total number of TKIP packets sent and received by the radio TKIP Pkt Replays Number of TKIP packets that were resent to the MAP by a client A lo...

Page 297: ...MAP could not create a descriptor A descriptor describes a received packet s size and its location in MAP memory The MAP buffers descriptors and clears them during interframe spaces This counter incre...

Page 298: ...hould always be 0 If the value is not 0 check the system log for MIC error messages and contact 3Com TAC TKIP Decrypt Err Number of times a decryption error occurred with a packet encrypted with TKIP...

Page 299: ...cast packets transmitted by the radio TxUniByte Number of unicast bytes transmitted by the radio TxMultiByte Number of multicast bytes transmitted by the radio RxPkt Number of packets received by the...

Page 300: ...tics counters port list List of ports connected to the MAP access point s for which to display QoS statistics counters Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The f...

Page 301: ...ng command displays Ethernet statistics for the Ethernet ports on Distributed MAP 1 WX4400 display dap etherstats 1 DAP 1 ether 1 RxUnicast 75432 TxGoodFrames 55210 RxMulticast 18789 TxSingleColl 32 R...

Page 302: ...es known to be lost due to a temporary lack of software resources TxGoodFrames Number of frames transmitted properly on the link TxSingleColl Number of transmitted frames that encountered a single col...

Page 303: ...oadbalance1 6 6 Refusing 2 Table 55 describes the fields in this display See Also set ap dap group on page 332 Table 55 Output for display ap group Field Description Load Balance Grp Name of the MAP a...

Page 304: ...information for radio 2 This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 3 0 True base MAC addresses of radios are displayed in MSS Ver...

Page 305: ...led operational channel 64 operational power 14 base mac 00 0b 0e 00 d2 c1 bssid1 00 0b 0e 00 d2 94 ssid private The following command displays the status of a directly connected MAP WX1200 display ap...

Page 306: ...Field Description DAP Connection ID for the Distributed MAP Note This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP Port WX port number Note This field is ap...

Page 307: ...ved from the WX is invalid For Distributed MAPs this field also indicates whether the MAP s management traffic with the WX is encrypted and whether the MAP s fingerprint has been verified on the WX no...

Page 308: ...the radio is sending countermeasures packets to combat a rogue The following information appears for external antennas External antenna detected configured as antenna model Indicates that an external...

Page 309: ...models radio all Shows RF attribute information for both radios Defaults None Table 57 Output for display ap status terse and display dap status terse Field Description Port WX port number connected t...

Page 310: ...display auto tune attributes Field Description Noise Noise threshold on the active channel RF Auto Tuning prefers channels with low noise levels over channels with higher noise levels Utilization Numb...

Page 311: ...for which to display neighbors radio 1 Shows neighbor information for radio 1 radio 2 Shows neighbor information for radio 2 This option does not apply to single radio models radio all Shows neighbor...

Page 312: ...317 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune channel config on page 349 set radio profile auto tune chann...

Page 313: ...ormation only if the Distributed MAP is configured on the switch where you use the command The switch does not need to be the one that booted the MAP but it must have the MAP in its configuration Also...

Page 314: ...ed on a WX switch Syntax display dap global dap num serial id serial ID dap num Number of a Distributed MAP for which to display configuration settings serial id serial ID MAP access point serial ID D...

Page 315: ...LOW M9DE48B123400 10 4 3 2 HIGH 17 M9DE48B123600 10 3 8 111 HIGH M9DE48B123600 10 4 3 2 LOW 18 M9DE48B123700 10 3 8 111 LOW M9DE48B123700 10 4 3 2 HIGH Table 61 describes the fields in this display Ta...

Page 316: ...ected is configured as a network port instead of a MAP access port and if the network port is a member of a VLAN If a Distributed MAP is configured on a WX switch in another Mobility Domain the MAP ca...

Page 317: ...and new fields added in MSS Version 4 0 Countermeasures Active Scan WMM enabled Table 62 Output for display dap unconfigured Field Description Serial Id Serial ID of the Distributed MAP Model MAP mod...

Page 318: ...eacon Interval Rate in milliseconds at which each MAP radio in the profile advertises the beaconed SSID DTIM Interval Number of times after every beacon that each MAP radio in the radio profile sends...

Page 319: ...e Channel Interval Interval in seconds at which RF Auto Tuning decides whether to change the channels on radios in a radio profile At the end of each interval MSS processes the results of the RF scans...

Page 320: ...page 359 set radio profile max rx lifetime on page 360 set radio profile max tx lifetime on page 361 set radio profile mode on page 362 set radio profile preamble length on page 364 set radio profile...

Page 321: ...rvice profile wpa_clients ssid name private ssid type crypto beacon yes auth fallthru web auth WEP Key 1 value none WEP Key 2 value none WEP Key 3 value none WEP Key 4 value none WEP Unicast Index 1 W...

Page 322: ...his key to encrypt traffic with static Wired Equivalent Privacy WEP none The key is not configured preset The key is configured Note The WEP parameters apply to traffic only on the encrypted SSID WEP...

Page 323: ...iphers Lists the WPA cipher suites advertised by radios in the radio profile mapped to this service profile authentication Lists the authentication methods supported for WPA clients 802 1X dynamic aut...

Page 324: ...ts a MAP access point Syntax reset ap port list dap dap num ap port list List of ports connected to the MAP access points to restart dap dap num Number of a Distributed MAP to reset Defaults None Acce...

Page 325: ...mode enable command The profile uses the default radio profile by default You can change the profile using the set dap auto radio radio profile command You can use set dap auto commands to change sett...

Page 326: ...on page 340 set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set ap dap upgrade firmware on page 346 set dap auto radiotype Sets the radio type for single MAP radios that...

Page 327: ...ile 11g only command on the radio profile that contains the radio Examples The following command sets the radio type to 802 11b WX4400 set dap auto radiotype 11b success change accepted See Also set d...

Page 328: ...p dap radio auto tune min client rate on page 340 set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set ap dap upgrade firmware on page 346 set ap dap bias Changes the bias...

Page 329: ...ame the MAP selects the switch that has the greatest capacity to add more active MAPs For example if a MAP is dual homed to two WX4400 wireless LAN switches and one of the switches has 50 active MAPs...

Page 330: ...Power LED flashes green orange The Ethernet LED does not change When blink mode is enabled on other models MP xxx the health and radio LEDs alternately blink green and amber By default blink mode is...

Page 331: ...he Distributed MAP whose fingerprint you are verifying hex The 16 digit hexadecimal number of the fingerprint Use a colon between each digit Make sure the fingerprint you enter matches the fingerprint...

Page 332: ...active sessions than the radio of the same type with the least number of active sessions within the group Syntax set ap port list dap dap num auto group name ap port list List of MAP access ports to a...

Page 333: ...dap group on page 303 set ap dap name Changes a MAP name Syntax set ap port list dap dap num name name ap port list List of ports connected to the MAP access point to rename dap dap num Number of a Di...

Page 334: ...rt list List of ports connected to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel radio 1 Radio 1 of the MAP radio 2 Radio 2 of t...

Page 335: ...ess Enabled History Introduced in MSS Version 3 0 Model numbers added for 802 11a external antennas and the default changed to internal except for the MP 262 in MSS Version 3 2 Model numbers added for...

Page 336: ...fault maximum power setting that RF Auto Tuning can set on a radio is the highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Access En...

Page 337: ...option does not apply to single radio models retransmissions Percentage of packets that can result in retransmissions without resulting in a channel change You can specify from 1 to 100 Defaults The d...

Page 338: ...ases power by 1 dBm The radio continues increasing the power in 1 dBm increments until the retransmissions fall below the threshold After the retransmissions fall below the threshold the radio reduces...

Page 339: ...type The default channel number for 802 11b g is 6 The default channel number for 802 11a is the lowest valid channel number for the country of operation Access Enabled History Introduced in MSS Versi...

Page 340: ...n which to set the channel dap auto Sets the radio mode for MAPs managed by the MAP configuration profile See set dap auto on page 325 radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option...

Page 341: ...the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile before the radio begins reducing power again Examples The following command increases the minimum...

Page 342: ...which a profile is assigned use the set ap radio radio profile command To enable or disable all radios that use a specific radio profile use the set radio profile command Examples The following comman...

Page 343: ...rs with no spaces mode enable Enables radios on the specified ports with the parameter settings in the specified radio profile mode disable Disables radios on the specified ports Defaults None Access...

Page 344: ...ransmit power you can configure on any 3Com radio is the maximum allowed for the country in which you plan to operate the radio or one of the following values if that value is less than the country ma...

Page 345: ...n MAP access ports The maximum transmission unit MTU for encrypted MAP management traffic is 1498 bytes whereas the MTU for unencrypted management traffic is 1474 bytes Make sure the devices in the in...

Page 346: ...following command configures a WX to require Distributed MAPs to have encryption keys WX4400 set dap security require See Also set dap fingerprint on page 331 set service profile cipher wep40 on page...

Page 347: ...ware disable See Also display ap dap config on page 290 set radio profile 11g only Configures each 802 11b g radio in a radio profile to allow associations with 802 11g clients only Syntax set radio p...

Page 348: ...1g only enable success change accepted See Also display ap dap config on page 290 display radio profile on page 317 set port type ap on page 91 set radio profile mode on page 362 set radio profile act...

Page 349: ...he MAP radios in a radio profile Syntax set radio profile name auto tune channel config enable disable name Radio profile name enable Configures radios to dynamically select their channels when the ra...

Page 350: ...hannel interval on page 351 set radio profile auto tune power config on page 353 set radio profile auto tune channel holddown Sets the minimum number of seconds a radio in a radio profile must remain...

Page 351: ...performed during the previous interval and changes radio channels if needed Syntax set radio profile name auto tune channel interval seconds name Radio profile name seconds Number of seconds RF Auto T...

Page 352: ...orarily increased their power reduce it by 1 dBm The power backoff continues in 1 dBm increments after each interval until the power returns to expected setting Syntax set radio profile name auto tune...

Page 353: ...lt power levels if unassigned when the radios are started Defaults Dynamic power assignment is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage When RF Auto Tuning for po...

Page 354: ...st to RF changes if needed You can specify from 1 to 65535 seconds Defaults The default power tuning interval is 300 seconds Access Enabled History Introduced in MSS Version 3 0 Usage RF Auto Tuning a...

Page 355: ...change parameters in the profile Use the set radio profile mode command Examples The following command changes the beacon interval for radio profile rp1 to 200 ms WX4400 set radio profile rp1 beacon...

Page 356: ...nly configured Configures radios to attack only devices in the attack list on the WX switch on demand countermeasures When this option is specified devices found to be rogues by other means such as po...

Page 357: ...ulticast and broadcast frames stored in its buffers to clients who request them in response to the DTIM The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID Syntax set radio pr...

Page 358: ...adio profile name threshold Maximum frame length in bytes You can enter a value from 256 through 2346 Defaults The default fragmentation threshold for MAP radios is 2346 bytes Access Enabled History I...

Page 359: ...times the radio can send the same long unicast frame You can enter a value from 1 through 15 Defaults The default long unicast retry threshold for MAP radios is 5 attempts Access Enabled History Intr...

Page 360: ...econd through 250 000 250 seconds Defaults The default maximum receive threshold for MAP radios is 2000 ms 2 seconds Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all rad...

Page 361: ...0 5 second through 250 000 250 seconds Defaults The default maximum transmit threshold for MAP radios is 2000 ms 2 seconds Access Enabled History Introduced in MSS Version 3 0 Usage You must disable...

Page 362: ...arameters controlled by a radio profile and their default values Table 66 Defaults for Radio Profile Parameters Parameter Default Value Radio Behavior When Parameter Set to Default Value 11g only disa...

Page 363: ...000 ms 2 seconds max tx lifetime 2000 Allows a frame that is scheduled for transmission to stay in the buffer for up to 2000 ms 2 seconds preamble length short Advertises support for short 802 11b pre...

Page 364: ...p1 mode enable The following command enables the WPA IE on MAP radios in radio profile rp2 WX4400 set radio profile rp2 wpa ie enable success change accepted See Also display ap dap config on page 290...

Page 365: ...e profile Use the set radio profile mode command Examples The following command configures 802 11b g radios that use the radio profile rp_long to advertise support for long preambles instead of short...

Page 366: ...g SSID and encryption settings in the service profile Syntax set radio profile name service profile name radio profile name Radio profile name of up to 16 alphanumeric characters with no spaces servic...

Page 367: ...s not use WEP with 40 bit keys to encrypt traffic sent to WPA clients psk phrase No passphrase defined Uses dynamically generated keys rather than statically configured keys to authenticate WPA client...

Page 368: ...e auth fallthru on page 374 set service profile auth psk on page 375 set service profile beacon on page 376 web aaa form Not configured For WebAAA users serves the default login web page or if configu...

Page 369: ...7 set service profile wep active multicast index on page 388 set service profile wep active unicast index on page 389 set service profile wep key index on page 390 set service profile wpa ie on page 3...

Page 370: ...WMM on the MAP radios in a radio profile Syntax set radio profile name wmm enable disable name Radio profile name enable Enables WMM disable Disables WMM Defaults WMM is enabled by default Access Enab...

Page 371: ...g the SSID managed by the service profile These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database Syntax set service profile name attr att...

Page 372: ...configured with the vlan name attribute set to blue and the RADIUS server returns the vlan name attribute set to orange then the attribute from the RADIUS server takes precedence the user is placed in...

Page 373: ...the WPA IE is disabled the auth dot1x setting has no effect Access Enabled History Introduced in MSS Version 3 0 Usage This command does not disable dynamic WEP for non WPA clients To disable dynamic...

Page 374: ...l last resort Automatically authenticates the user and allows access to the SSID requested by the user without requiring a username and password none Denies authentication and prohibits the user from...

Page 375: ...e Examples The following command sets the fallthru authentication for SSIDs managed by the service profile rnd_lab to none WX4400 set service profile rnd_lab auth fallthru none success change accepted...

Page 376: ...following command enables PSK authentication for service profile wpa_clients WX4400 set service profile wpa_clients auth psk enable success change accepted See Also display service profile on page 32...

Page 377: ...ice profile on page 321 set radio profile beacon interval on page 355 set service profile ssid name on page 384 set service profile ssid type on page 385 set service profile cipher ccmp Enables Counte...

Page 378: ...ption in a service profile Syntax set service profile name cipher tkip enable disable name Service profile name enable Enables TKIP encryption for WPA clients disable Disables TKIP encryption for WPA...

Page 379: ...WPA IE When 104 bit WEP in WPA is enabled in the service profile radios managed by a radio profile that is mapped to the service profile can also support non WPA clients that use dynamic WEP To suppor...

Page 380: ...is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage To use 40 bit WEP with WPA clients you must also enable the WPA IE When 40 bit WEP in WPA is enabled in the service p...

Page 381: ...nts in a service profile Radios use the PSK as a pairwise master key PMK to derive unique pairwise session keys for individual WPA clients Syntax set service profile name psk phrase passphrase name Se...

Page 382: ...to use for authenticating WPA clients in a service profile Radios use the PSK as a pairwise master key PMK to derive unique pairwise session keys for individual WPA clients Syntax set service profile...

Page 383: ...sn ie Enables the Robust Security Network RSN Information Element IE The RSN IE advertises the RSN authentication methods and cipher suites supported by radios in the radio profile mapped to the servi...

Page 384: ...is disabled by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command enables shared key authentication in service profile sp4 WX4400 set service profile sp4 share...

Page 385: ...pecifies whether the SSID managed by a service profile is encrypted or unencrypted Syntax set service profile name ssid type clear crypto name Service profile name clear Wireless traffic for the servi...

Page 386: ...ds ms countermeasures remain in effect You can specify from 0 to 60 000 Defaults The default countermeasures wait time is 60 000 ms 60 seconds Access Enabled History Introduced in MSS Version 3 0 Usag...

Page 387: ...switch s user file area If the custom login page includes gif or jpg images their path names are interpreted relative to the directory from which the page is served To use WebAAA the fallthru authent...

Page 388: ...the static Wired Equivalent Privacy WEP key one of four to use for encrypting multicast frames Syntax set service profile name wep active multicast index num name Service profile name num WEP key numb...

Page 389: ...om 1 through 4 Defaults If WEP encryption is enabled and WEP keys are defined MAP radios use WEP key 1 to encrypt unicast frames by default Access Enabled History Introduced in MSS Version 3 0 Usage B...

Page 390: ...numbers or letters ASCII characters in the following ranges are supported 0 to 9 A to F a to f Defaults By default no static WEP keys are defined Access Enabled History Introduced in MSS Version 3 0...

Page 391: ...ess Enabled History Introduced in MSS Version 3 0 Usage When the WPA IE is enabled the default authentication method is 802 1X There is no default cipher suite You must enable the cipher suites you wa...

Page 392: ...392 CHAPTER 11 MANAGED ACCESS POINT COMMANDS...

Page 393: ...page 398 display spantree blockedports on page 401 Bridge Priority set spantree priority on page 419 Port Cost set spantree portcost on page 414 set spantree portvlancost on page 417 display spantree...

Page 394: ...st command Examples The following command resets the STP port cost on ports 5 and 6 to the default value WX1200 clear spantree portcost 5 6 success change accepted See Also clear spantree portvlancost...

Page 395: ...or only specific VLANs use the clear spantree portvlanpri command Examples The following command resets the STP priority on port 6 to the default WX1200 clear spantree portpri 6 success change accepte...

Page 396: ...tcost on page 394 display spantree on page 398 display spantree portvlancost on page 403 set spantree portcost on page 414 set spantree portvlancost on page 417 clear spantree portvlanpri Resets to th...

Page 397: ...anpri on page 418 clear spantree statistics Clears STP statistics counters for a network port or ports and resets them to 0 Syntax clear spantree statistics port list vlan vlan id port list List of po...

Page 398: ...ys STP information for VLAN default WX1200 display spantree vlan default VLAN 1 Spanning tree mode PVST Spanning tree type IEEE Spanning tree enabled Designated Root 00 02 4a 70 49 f7 Designated Root...

Page 399: ...tch is the root bridge then the root cost is 0 Designated Root Port Port through which this WX switch reaches the root bridge If this WX switch is the root bridge this field says We are the root Root...

Page 400: ...y traffic including STP control traffic The port might be administratively disabled or the link might be disconnected Forwarding The port is forwarding Layer 2 traffic Learning The port is learning th...

Page 401: ...or number If you do not specify a VLAN MSS displays information for blocked ports on all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Usage The command lists information separa...

Page 402: ...cess All History Introduced in MSS Version 3 0 Examples The following command shows uplink fast convergence information for all ports WX1200 display spantree portfast Port Vlan Portfast 1 1 disable 2...

Page 403: ...path cost 19 See Also clear spantree portcost on page 394 clear spantree portvlancost on page 395 display spantree on page 398 set spantree portcost on page 414 set spantree portvlancost on page 417...

Page 404: ...ed cost 0x0 designated_bridge 00 0b 0e 00 04 30 designated_port 38 top_change_ack FALSE config_pending FALSE port_inconsistency none Port based information statistics config BPDU s xmitted port VLAN 0...

Page 405: ...15 topology change initiator 0 last topology change occured Tue Jul 01 2003 22 33 36 topology change FALSE topology change time 35 topology change detected FALSE topology change count 1 topology chan...

Page 406: ...information with information in STP control packets received by the port to compute the spanning tree and change state to blocking or forwarding port_id STP port ID port_number STP port number path c...

Page 407: ...ontrol point SCP failures root inc trans count Number of times the root bridge changed inhibit loopguard State of the loop guard In the current release the state is always FALSE loop inc trans count N...

Page 408: ...ridge forward delay Value of the forwarding delay interval in seconds when this WX switch is the root or is attempting to become the root topology change initiator Port number that initiated the most...

Page 409: ...umber of expired messages link loading Indicates whether the link is oversubscribed BPDU in processing Indicates whether BPDUs are currently being processed num of similar BPDU s to process Number of...

Page 410: ...able Enables STP disable Disables STP all Enables or disables STP on all VLANs vlan vlan id VLAN name or number MSS enables or disables STP on only the specified VLAN on all ports within the VLAN port...

Page 411: ...e backbone fast convergence feature is not compatible with switches that are running standard IEEE 802 1D Spanning Tree implementations This includes switches running Rapid Spanning Tree or Multiple S...

Page 412: ...ame or number MSS changes the forwarding delay on only the specified VLAN Defaults The default forwarding delay is 15 seconds Access Enabled History Introduced in MSS Version 3 0 Examples The followin...

Page 413: ...idge hello packet that is acceptable to a wireless LAN switch acting as a designated bridge on one or all of its VLANs After waiting this period of time for a new hello packet the WX switch determines...

Page 414: ...cost port list List of ports MSS applies the cost change to all the specified ports cost cost Numeric value You can specify a value from 1 through 65 535 STP selects lower cost paths over higher cost...

Page 415: ...play spantree on page 398 display spantree portvlancost on page 403 set spantree portvlancost on page 417 set spantree portfast Enables or disables STP port fast convergence on one or more ports on a...

Page 416: ...priority on the specified ports priority value Priority value You can specify a value from 0 highest priority through 255 lowest priority Defaults The default STP priority for all network ports is 12...

Page 417: ...her cost paths all Changes the cost on all VLANs vlan vlan id VLAN name or number MSS changes the cost on only the specified VLAN Defaults The default port cost depends on the port speed and link type...

Page 418: ...est priority through 255 lowest priority all Changes the priority on all VLANs vlan vlan id VLAN name or number MSS changes the priority on only the specified VLAN Defaults The default STP priority fo...

Page 419: ...ault root bridge priority for the switch on all VLANs is 32 768 Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the bridge priority of VLAN pink to 69 WX4400 s...

Page 420: ...cting as access switches to the network core distribution layer but are not in the core themselves Do not enable the feature on WX switches that are in the network core Examples The following command...

Page 421: ...page 422 Proxy Reporting set igmp proxy report on page 438 Pseudo querier set igmp querier on page 441 display igmp querier on page 427 Timers set igmp qi on page 439 set igmp oqi on page 437 set igm...

Page 422: ...ar igmp statistics IGMP statistics cleared for all vlans See Also display igmp statistics on page 431 display igmp Displays IGMP configuration information and statistics Syntax display igmp vlan vlan...

Page 423: ...0 00 02 04 06 08 0a 258 Querier information Querier for vlan orange Port Querier IP Querier MAC TTL 1 193 122 135 178 00 0b cc d2 e9 b4 23 IGMP vlan member ports 1 2 3 IGMP static ports none IGMP stat...

Page 424: ...ration values rvalue Robustness value Multicast router information List of multicast routers and active multicast groups The fields containing this information are described separately The display igm...

Page 425: ...t general query message If IGMP snooping does not detect a querier the output indicates this The display igmp querier command shows the same information Querier for vlan VLAN containing the querier In...

Page 426: ...mrouter vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays the multicast routers in all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Examp...

Page 427: ...uters for vlan VLAN containing the multicast routers Ports are listed separately for each VLAN Port Number of the physical port through which the WX can reach the router Mrouter IPaddr IP address of t...

Page 428: ...the multicast all systems group If IGMP snooping does not detect a querier the output indicates this finding as shown in the following example WX1200 display igmp querier vlan red Querier for vlan red...

Page 429: ...ddress and subnet mask of a multicast group in CIDR format for example 239 20 20 10 24 If you do not specify a group address MSS displays the multicast receivers for all groups Defaults None Access Al...

Page 430: ...0 05 09 0c 0a 01 111 Table 78 describes the fields in this display See Also set igmp receiver on page 441 Table 78 Output for display igmp receiver table Field Description VLAN VLAN that contains the...

Page 431: ...displays IGMP statistics for VLAN orange WX1200 display igmp statistics vlan orange IGMP statistics for vlan orange IGMP message type Received Transmitted Dropped General Queries 0 0 0 GS Queries 0 0...

Page 432: ...dvertise the IP address of the sending interface as a multicast router interface Mrouter Term Multicast router termination messages A multicast router sends this type of message when multicast forward...

Page 433: ...ing on VLAN orange WX1200 set igmp disable vlan orange success change accepted See Also set igmp rv on page 442 Topology notifications Number of Layer 2 topology change notifications received by the W...

Page 434: ...p If there are no more receivers for the group the WX switch also sends a leave message for the group to multicast routers You can specify a value from 1 through 65 535 vlan vlan id VLAN name or numbe...

Page 435: ...ort from the list of static multicast router ports Defaults By default no ports are static multicast router ports Access Enabled History Introduced in MSS Version 3 0 Usage You cannot add MAP access p...

Page 436: ...e following command enables multicast router solicitation on VLAN orange WX1200 set igmp mrsol enable vlan orange success change accepted See Also set igmp mrsol mrsi on page 436 set igmp mrsol mrsi C...

Page 437: ...electing itself the querier You can specify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN the timer change applies to all VLANs Defaults The default other...

Page 438: ...le Enables proxy reporting disable Disables proxy reporting Defaults Proxy reporting is enabled on all VLANs by default Access Enabled History Introduced in MSS Version 3 0 Usage Proxy reporting reduc...

Page 439: ...Introduced in MSS Version 3 0 Usage The query interval is applicable only when the WX is querier for the subnet For the WX switch to become the querier the pseudo querier feature must be enabled on t...

Page 440: ...sponse interval is 100 tenths of a second 10 seconds Access Enabled History Introduced in MSS Version 3 0 Usage The query response interval is applicable only when the WX is querier for the subnet For...

Page 441: ...and no multicast router is servicing the subnet Examples The following example enables the pseudo querier on the orange VLAN WX1200 set igmp querier enable vlan orange success change accepted See Als...

Page 442: ...oves port 7 from the list of static multicast receiver ports WX1200 set igmp receiver port 7 disable success change accepted See Also display igmp receiver table on page 429 set igmp rv Changes the ro...

Page 443: ...set igmp rv 443 See Also set igmp oqi on page 437 set igmp qi on page 439 set igmp qri on page 440...

Page 444: ...444 CHAPTER 13 IGMP SNOOPING COMMANDS...

Page 445: ...ds by Usage This chapter presents security ACL commands alphabetically Use Table 80 to locate commands in this chapter based on their use Table 80 Security ACL Commands by Usage Type Command Create Se...

Page 446: ...efaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command deletes security ACLs only in the edit buffer You must use the commit security acl command with this command to del...

Page 447: ...any enable hits set security acl ip acl_135 hits 2 0 1 deny IP source IP 192 168 1 1 0 0 0 0 destination IP any enable hits See Also clear security acl map on page 447 commit security acl on page 449...

Page 448: ...ap num One or more Distributed MAPs based on their connection IDs Specify a single connection ID or specify a comma separated list of connection IDs a hyphen separated range or any combination with no...

Page 449: ...Ls from the running configuration and nonvolatile storage Syntax commit security acl acl name all acl name Name of an existing security ACL to commit ACL names must start with a letter and are case in...

Page 450: ...acl_124 IP Static WX4400 display security acl info all editbuffer acl editbuffer information for all See Also clear security acl on page 446 display security acl on page 450 display security acl info...

Page 451: ...ACL Type Status acl_122 IP Not committed acl_132 IP Not committed acl 144 IP Not committed See Also clear security acl on page 446 display security acl info on page 452 set security acl on page 459 di...

Page 452: ...ACLs in the edit buffer before they are committed Syntax display security acl info acl name all editbuffer acl name Name of an existing security ACL to display ACL names must start with a letter and a...

Page 453: ...he edit buffer including the committed ACE rules 1 and 2 and the uncommitted rule 3 WX4400 display security acl info acl_123 editbuffer ACL edit buffer information for acl_123 set security acl ip acl_...

Page 454: ...ap on page 447 display security acl map on page 453 set security acl map on page 464 display security acl resource usage Displays statistics about the resources used by security ACL filtering on the W...

Page 455: ...ary memory 0 max 512 PSCBs in secondary memory 0 max 9728 Leaves in primary 2 max 151 Leaves in secondary 0 max 12096 Sum node depth 1 Information on Network Processor status Fragmentation control 0 U...

Page 456: ...ecurity ACL data entries PSCBs in primary memory Number of pattern search control blocks PSCBs stored in primary node memory PSCBs in secondary memory Number of PSCBs stored in secondary node memory L...

Page 457: ...ts security ACEs for IP only Root in first Leaf buffer allocation True Enough primary leaf buffers are allocated in nonvolatile memory to accommodate all leaves False Insufficient primary leaf buffers...

Page 458: ...d ACEs Defaults None Access Enabled History Introduced in MSS Version 3 0 In mapping Application of security ACLs to incoming traffic on the WX switch True Security ACLs are mapped to incoming traffic...

Page 459: ...rity acl on page 450 set security acl In the edit buffer creates a security access control list ACL adds one access control entry ACE to a security ACL and or reorders ACEs in the ACL The ACEs in an A...

Page 460: ...sk operator port port2 precedence precedence tos tos before editbuffer index modify editbuffer index hits acl name Security ACL name ACL names must be unique within the WX switch must start with a let...

Page 461: ...mask IP address and wildcard mask of the network or host from which the packet is being sent Specify both address and mask in dotted decimal notation For more information see Wildcard Masks on page 26...

Page 462: ...0 through 255 For a list of ICMP message type and code numbers see www iana org assignments icmp parameters precedence precedence Filters packets by precedence level Specify a value from 0 through 7...

Page 463: ...activate them with the commit security acl command and map them to a VLAN port or virtual port or to a user If the WX switch is reset or restarted any ACLs in the edit buffer are lost You cannot perf...

Page 464: ...estination port 80 only and counts the hits WX4400 set security acl ip acl_125 deny tcp 192 168 1 1 0 0 0 0 192 168 1 2 0 0 0 0 eq 80 hits Finally the following command commits the security ACLs in th...

Page 465: ...connection ID or specify a comma separated list of connection IDs a hyphen separated range or any combination with no spaces MSS assigns the security ACL to the specified Distributed MAPs in Assigns t...

Page 466: ...counter counts the number of packets filtered by the security ACL or hits Syntax set security acl hit sample rate seconds seconds Number of seconds between samples A sample rate of 0 zero disables th...

Page 467: ...the ACL was mapped WX4400 set security acl hit sample rate 15 WX4400 display security acl info acl_153 ACL information for acl_153 set security acl ip acl_153 hits 3 916 1 permit IP source IP 20 1 1...

Page 468: ...468 CHAPTER 14 SECURITY ACL COMMANDS...

Page 469: ...sage This chapter presents cryptography commands alphabetically Use Table 82 to locate commands in this chapter based on their use Table 82 Cryptography Commands by Usage Type Command Encryption Keys...

Page 470: ...te authenticates the WX to 802 1X supplicants clients web Stores the certificate authority s certificate that signed the WebAAA certificate for the WX switch The Web certificate authenticates the WX t...

Page 471: ...i wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz Lm8wmVYxP56M CUAm908C2foYgOY40 END CERTIFICATE See Also display crypto ca certificate on page 481 crypto certificate Installs one of the WX switch...

Page 472: ...text editor such as Notepad or vi 2 Enter the crypto certificate command on the CLI command line 3 When MSS prompts you for the PEM formatted certificate paste the PKCS 7 object file onto the command...

Page 473: ...e key pair for authenticating the WX switch to WebAAA clients 512 1024 2048 Length of the key pair in bits The minimum key size for SSH is 1024 Defaults None Access Enabled History Introduced in MSS V...

Page 474: ...the WX switch to WebAAA clients After you type the command you are prompted for the following variables Country Name string Optional Specify the abbreviation for the country in which the WX switch is...

Page 475: ...u must enter a common name for the WX switch This command outputs a PKCS 10 text string in Privacy Enhanced Mail protocol PEM format that you paste to another location for submission to the certificat...

Page 476: ...ntax crypto generate self signed admin eap web admin Generates an administrative certificate to authenticate the WX switch to 3WXM or Web Manager eap Generates an EAP certificate to authenticate the W...

Page 477: ...domain name It simply needs to be formatted like one Email Address string Optional Specify your email address in up to 80 alphanumeric characters with no spaces Unstructured Name string Optional Speci...

Page 478: ...thority s own certificate to authenticate the WX switch to 802 1X supplicants clients web Creates a one time password for installing a PKCS 12 object file for a WebAAA certificate and key pair and opt...

Page 479: ...ject file into the certificate and key storage area on the WX switch This object file contains a public private key pair a WX certificate signed by a certificate authority and the certificate authori...

Page 480: ...P from a remote location to the local nonvolatile storage system on the WX switch Examples The following commands copy a PKCS 12 object file for an EAP certificate and key pair and optionally the cert...

Page 481: ...rtificate authenticates the WX switch to 802 1X supplicants clients web Displays information about the certificate authority s certificate that signed the WebAAA certificate for the WX switch The WebA...

Page 482: ...e that authenticates the WX switch to WebAAA clients Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage You must have generated a...

Page 483: ...key after the first connection so you need to check the key only once Syntax display crypto key ssh Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To display SSH key infor...

Page 484: ...484 CHAPTER 15 CRYPTOGRAPHY COMMANDS...

Page 485: ...e RADIUS appendix in the Wireless LAN Switch and Controller Configuration Guide Table 85 RADIUS Commands by Usage Type Command RADIUS Client set radius client system ip on page 491 clear radius client...

Page 486: ...ait for the RADIUS server to respond before retransmitting Defaults Global RADIUS parameters have the following default values deadtime 0 zero minutes The WX switch does not designate unresponsive RAD...

Page 487: ...y Introduced in MSS Version 3 0 Usage The clear radius client system ip command causes the WX switch to use the IP address of the interface through which it sends a RADIUS client request as the source...

Page 488: ...tries from the switch WX4400 clear radius proxy client all success change accepted See Also set radius proxy client on page 492 clear radius proxy port Removes RADIUS proxy ports configured for third...

Page 489: ...rs42 success change accepted See Also display aaa on page 219 set radius server on page 494 clear server group Removes a RADIUS server group from the configuration or disables load balancing for the g...

Page 490: ...of minutes the WX switch waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server You can specify from 0 to 1440 minutes key string Password shared secret key...

Page 491: ...y success change accepted WX1200 set radius retransmit 1 success change accepted WX1200 set radius timeout 21 success change accepted See Also clear radius server on page 489 display aaa on page 219 s...

Page 492: ...mber key string address ip address IP address of the third party AP Enter the address in dotted decimal notation port udp port number UDP port on which the WX switch listens for RADIUS access requests...

Page 493: ...ADIUS proxy for the SSID supported by the AP Syntax set radius proxy port port list tag tag value ssid ssid name port port list WX port s connected to the third party AP tag tag value 802 1Q tag value...

Page 494: ...his RADIUS server Enter an alphanumeric string of up to 32 characters with no blanks address ip address IP address of the RADIUS server Enter the address in dotted decimal notation auth port port numb...

Page 495: ...esignate unresponsive RADIUS servers as unavailable key No key author password When using RADIUS for authentication a MAC user s MAC address is also used as the default authorization password for that...

Page 496: ...uthentication last resort on page 236 set authentication mac on page 239 set authentication web on page 242 set radius on page 490 set server group on page 496 set server group Configures a group of o...

Page 497: ...32 characters load balance enable disable Enables or disables load balancing of authentication requests among the servers in the group Defaults Load balancing is disabled by default Access Enabled His...

Page 498: ...server group shorebirds load balance enable success change accepted To disable load balancing between shorebirds server group members type the following command WX1200 set server group shorebirds loa...

Page 499: ...ased on their use For information about configuring 802 1X commands for user authentication see AAA Commands on page 201 Table 86 802 1X Commands by Usage Type Command Wired Authentication Port Contro...

Page 500: ...eature Access Enabled History Introduced in MSS Version 3 0 Examples To reset the Bonded period to its default type the following command WX4400 clear dot1x bonded period success change accepted Reaut...

Page 501: ...mples To reset the number of 802 1X requests the WX can send to the default setting type the following command WX4400 clear dot1x max req success change accepted See Also display dot1x on page 505 set...

Page 502: ...dot1x port control success change accepted See Also display dot1x on page 505 set dot1x port control on page 512 clear dot1x quiet period Resets the quiet period after a failed authentication to the...

Page 503: ...eauth max success change accepted See Also display dot1x on page 505 set dot1x reauth max on page 514 clear dot1x reauth period Resets the time period that must elapse before a reauthentication attemp...

Page 504: ...s change accepted See Also display dot1x on page 505 set dot1x timeout auth server on page 515 clear dot1x timeout supplicant Resets to the default setting the number of seconds that must elapse befor...

Page 505: ...oL retransmission time WX4400 clear dot1x tx period success change accepted See Also display dot1x on page 505 set dot1x tx period on page 516 display dot1x Displays 802 1X client information for stat...

Page 506: ...EXAMPLE havel 00 05 5d 7e 98 1a Authenticated vlan eng EXAMPLE nash 00 0b be a9 dc 4e Authenticated vlan pm xalik xmple com 00 05 5d 7e 96 e3 Authenticated vlan eng EXAMPLE mishan 00 02 2d 6f 44 77 A...

Page 507: ...authcontrol auto max sessions 1 port 8 authcontrol auto max sessions 1 Type the following command to display 802 1X statistics WX4400 display dot1x stats 802 1X statistic value Enters Connecting 709...

Page 508: ...ss While Authenticating Number of times the WX switch state transitions from AUTHENTICATING from AUTHENTICATED as a result of an EAP Response Identity message being received from the supplicant client...

Page 509: ...e Bonded Auth bonded authentication period which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802 1X client on the machine to start re au...

Page 510: ...ntication rules that contain the bonded option Examples To set the bonded authentication period to 60 seconds type the following command WX4400 set dot1x bonded period 60 success change accepted See A...

Page 511: ...ecify a value between 0 and 10 Defaults The default number of EAP retransmissions is 2 Access Enabled History Introduced in MSS Version 3 0 Usage To support SSIDs that have both 802 1X and static WEP...

Page 512: ...with an EAP failure message auto Allows the specified wired authentication ports to process 802 1X authentication normally as determined for the user by the set authentication dot1X command port list...

Page 513: ...00 set dot1x quiet period 90 success dot1x quiet period set to 90 See Also clear dot1x quiet period on page 502 set dot1x wep rekey period on page 518 set dot1x reauth Determines whether the WX switch...

Page 514: ...reauthentication attempts is 2 Access Enabled History Introduced in MSS Version 3 0 Usage If the number of reauthentications for a wired authentication client is greater than the maximum number of rea...

Page 515: ...WX4400 set dot1x reauth period 100 success dot1x auth server timeout set to 100 See Also display dot1x on page 505 clear dot1x reauth period on page 503 set dot1x timeout auth server Sets the number o...

Page 516: ...ccess Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the number of seconds for authentication session timeout to 300 WX4400 set dot1x timeout supplicant 300 s...

Page 517: ...iod for each radio associated VLAN and encryption type The WX generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL key messages disable WEP broadcast and multica...

Page 518: ...conds Specify a value between 30 and 1 641 600 19 days Defaults The default is 1800 seconds 30 minutes Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set t...

Page 519: ...s to the WX switch through a Telnet or SSH connection or a console plugged into the switch console Clears sessions for all users with administrative access to the WX switch through a console plugged i...

Page 520: ...lear all administrative sessions through the console type the following command WX4400 clear sessions console This will terminate manager sessions do you wish to continue y n n y To clear all administ...

Page 521: ...all network sessions for a MAC address Specify a MAC address in hexadecimal numbers separated by colons or use the wildcard character to specify a set of MAC addresses For details see MAC Address Glo...

Page 522: ...users whose name begins with the characters Jo type the following command WX1200 clear sessions network user Jo To clear the sessions of all users on VLAN red type the following command WX1200 clear s...

Page 523: ...3 0 Examples To view information about sessions of administrative users type the following command WX4400 display sessions admin Tty Username Time s Type tty0 3644 Console tty2 tech 6 Telnet tty3 ssha...

Page 524: ...y sessions admin display sessions console and display sessions telnet Output Field Description Tty The Telnet terminal number or console for administrative users connected through the console port Use...

Page 525: ...ess Specify a MAC address in hexadecimal numbers separated by colons Or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 ssid ssid name Display...

Page 526: ...play sessions network User Sess IP or MAC VLAN Port Name ID Address Name Radio EXAMPLE Natasha 4 10 10 40 17 vlan eng 3 1 host laptop11 exmpl com 6 10 10 40 16 vlan eng 3 2 nin exmpl com 539 10 10 40...

Page 527: ...on WX 192 168 12 7 AP radio 1 1 AP 00 0b 0e 00 05 fe as of 00 23 32 ago 1 sessions match criteria of 10 total The following command displays verbose output about the sessions of all current network u...

Page 528: ...bytes in 10144 Number of packets with encryption errors 0 Number of bytes with encryption errors 0 Last packet data rate 2 Last packet signal strength 67 dBm Last packet data S N ratio 55 Table 91 de...

Page 529: ...to transfer the user who is roaming to another WX switch STATUS UPDATED WX switch is receiving a final update from a MAP access point about the user who has roamed away WEB_AUTHING User is being authe...

Page 530: ...sociated with one of the current WX switch s MAP access points has appeared at another WX switch in the Mobility Domain ROAMING AWAY The WX switch has been sent a request to transfer the user who is r...

Page 531: ...64 bit counter Unicast bytes out Total number of unicast bytes sent by the WX to the user 64 bit counter Multicast packets in Total number of multicast packets received from the user by the WX 64 bit...

Page 532: ...532 CHAPTER 18 SESSION MANAGEMENT COMMANDS...

Page 533: ...prevent clients from being able to use them You can configure RF detection parameters only on the seed switch of a Mobility Domain Commands by Usage This chapter presents RF detection commands alphab...

Page 534: ...ge 551 clear rfdetect vendor list on page 537 Permitted SSID List set rfdetect ssid list on page 560 display rfdetect ssid list on page 550 clear rfdetect ssid list on page 536 Client Black List set r...

Page 535: ...C address 11 22 33 44 55 66 from the black list WX1200 clear rfdetect black list 11 22 33 44 55 66 success 11 22 33 44 55 66 is no longer blacklisted See Also set rfdetect black list on page 555 displ...

Page 536: ...age 558 clear rfdetect ssid list Removes an SSID from the permitted SSID list Syntax clear rfdetect ssid list ssid name ssid name SSID name you want to remove from the permitted SSID list Defaults Non...

Page 537: ...ry Introduced in MSS Version 4 0 Examples The following command removes client OUI aa bb cc 00 00 00 from the permitted vendor list WX4400 clear rfdetect vendor list client aa bb cc 00 00 00 success a...

Page 538: ...st on page 554 display rfdetect black list Displays information about the clients in the client black list Syntax display rfdetect black list Defaults None Access Enabled History Introduced in MSS Vers...

Page 539: ...ntel Unknown dap 1 1 2 1 intfr 155 00 05 5d 79 ce 0f D Link Unknown dap 1 1 149 1 intfr 87 00 05 5d 7e 96 a7 D Link Unknown dap 1 1 149 1 intfr 117 00 05 5d 7e 96 ce D Link Unknown dap 1 1 157 1 intfr...

Page 540: ...rogue device rogue Wireless device that is on the network but is not supposed to be on the network intfr Wireless device that is not part of your network and is not a rogue but might be causing RF in...

Page 541: ...1 23 dap 4 1 6 00 0b 0e 03 00 80 rogue 00 0b 0e 11 22 33 10 1 1 23 dap 2 1 11 Typ Classification of the rogue device rogue Wireless device that is on the network but is not supposed to be on the netwo...

Page 542: ...on of the rogue device rogue Wireless device that is on the network but is not supposed to be on the network intfr Wireless device that is not part of your network and is not a rogue but might be caus...

Page 543: ...d 0 0 802 11 mgmt type f flood 0 0 802 11 association flood 0 0 802 11 reassociation flood 0 0 802 11 disassociation flood 0 0 Weak wep initialization vectors 0 0 Spoofed access point mac address atta...

Page 544: ...s managed by another WX switch use the display rfdetect visible command To display rogue information for the entire Mobility Domain use the display rfdetect mobility domain command on the seed switch...

Page 545: ...e network but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Port Radio Channel Port number radio number and channel number of the radio that...

Page 546: ...umber of entries 2 Ignore MAC aa bb cc 11 22 33 aa bb cc 44 55 66 See Also clear rfdetect ignore on page 535 set rfdetect ignore on page 558 display rfdetect mobility domain Displays the rogues detect...

Page 547: ...00 2 00 09 b7 7b 8a 54 Cisco intfr i 00 0a 5e 4b 4a c0 3Com intfr i public 00 0a 5e 4b 4a c2 3Com intfr i w 3Comwlan 00 0a 5e 4b 4a c4 3Com intfr ic 3Com ccmp 00 0a 5e 4b 4a c6 3Com intfr i w 3Com tki...

Page 548: ...adios that detected the SSID Each set of indented lines is for a separate MAP listener In this example two BSSIDs are mapped to the SSID Separate sets of information are shown for each of the BSSIDs an...

Page 549: ...n and encryption information for the rogue The i a or u flag indicates the classification The other flags indicate the encryption used by the rogue For flag definitions see the key in the command outp...

Page 550: ...e rogue Port Radio Channel Port number radio number and channel number of the radio that detected the rogue For a Distributed MAP the connection number is labeled dap This stands for distributed ap Ma...

Page 551: ...age 560 display rfdetect vendor list Displays the entries in the permitted vendor list Syntax display rfdetect vendor list Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples T...

Page 552: ...ed MAP for which to display neighboring BSSIDs radio 1 Shows neighbor information for radio 1 radio 2 Shows neighbor information for radio 2 This option does not apply to single radio models Defaults...

Page 553: ...gue device that sent the 802 11 packet detected by the MAP radio Vendor Company that manufactures or sells the rogue device Type Classification of the rogue device rogue Wireless device that is on the...

Page 554: ...n any WX switch in the Mobility Domain The command takes effect only on that switch Examples The following command disables active scanning on a WX switch WX1200 set rfdetect active scan disable succe...

Page 555: ...34 display rfdetect attack list on page 537 set radio profile countermeasures on page 355 set rfdetect black list Adds an entry to the client black list The client black list specifies clients that ar...

Page 556: ...adio When a MAP radio is sending countermeasures the radio is disabled for use by network traffic until the radio finishes sending the countermeasures Syntax set rfdetect countermeasures enable disabl...

Page 557: ...fdetect countermeasures mac commands After you type the first set rfdetect countermeasures mac command MSS does not issue countermeasures against any devices except the ones you specify using this com...

Page 558: ...ans If you try to initiate countermeasures against a device on the ignore list the ignore list takes precedence and MSS does not issue the countermeasures Countermeasures apply only to rogue devices I...

Page 559: ...gging of rogues disable Disables logging of rogues Defaults RF detection logging is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage This command is valid only on the seed...

Page 560: ...and To enable signatures on all MAPs in a Mobility Domain enter the command on each WX switch in the Mobility Domain You must use the same MAP signature setting enabled or disabled on all WX switches...

Page 561: ...allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list Examples The following command adds SSID mycorp to the list of perm...

Page 562: ...to the permitted vendor list but not to the ignore list MSS can still classify the device as a rogue Adding an entry to the permitted vendor list merely indicates that the device is from an allowed v...

Page 563: ...e Command Software Version reset system on page 582 display version on page 576 Boot Settings set boot partition on page 587 set boot configuration file on page 586 set boot backup configuration on pa...

Page 564: ...pages backup configuration files image files and any other files stored in the user files area of nonvolatile storage The maximum supported file size is 32 MB If the file size of the tarball is too la...

Page 565: ...y to a TFTP server The filename in this example includes a TFTP server IP address so the archive is not stored locally on the switch WX1200 backup system tftp 10 10 20 9 sysa_bak critical success sent...

Page 566: ...WX4400 clear boot backup configuration success Backup boot config filename was cleared See Also set boot backup configuration on page 585 display boot on page 573 clear boot config Resets to the facto...

Page 567: ...niform resource locator URL can be one of the following subdirname filename file subdirname filename tftp ip addr subdirname filename tmp filename For the filename specify between 1 and 128 alphanumer...

Page 568: ...e must be preceded by the boot partition name which can be boot0 or boot1 Enter the filename as boot0 filename or boot1 filename You must specify the boot partition that was not used to load the curre...

Page 569: ...569 dir on page 570 delete Deletes a file CAUTION MSS does not prompt you to verify whether you want to delete a file When you press Enter after typing a delete command MSS immediately deletes the sp...

Page 570: ...storage and temporary files Syntax dir subdirname file core boot0 boot1 subdirname Subdirectory name If you specify a subdirectory name the command lists the files in that subdirectory Otherwise the...

Page 571: ...005 16 37 18 Total 159 Kbytes used 207663 Kbytes free Boot Filename Size Created boot0 mx040100 020 9780 KB Aug 23 2005 15 54 08 boot1 mx040100 020 9796 KB Aug 28 2005 21 09 56 Boot0 Total 9780 Kbytes...

Page 572: ...005 21 08 30 file sysa_bak 12 KB Mar 15 2005 19 18 44 file testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 207663 Kbytes free The following command limits the output to the contents of the t...

Page 573: ...on file configuration Backup boot configuration file backup cfg Booted version 4 1 0 65 Booted image boot1 mx040100 020 Table 104 Output for dir Field Description Filename Filename or subdirectory nam...

Page 574: ...h will run next time the software is rebooted Configured boot image Boot partition and image filename MSS will use to boot next time the software is rebooted Configured boot configuration Configuratio...

Page 575: ...efault values Defaults None Access Enabled History Introduced in MSS Version 3 0 New options added for remote traffic monitoring snoop and rfdevice changed to rfdetect in MSS Version 4 0 Usage If you...

Page 576: ...attached MAP access points Syntax display version details details Includes additional software build information and information about the MAP access points configured on the WX switch Defaults None...

Page 577: ...ix d O1 Model WX Hardware Mainboard version 24 revision 3 FPGA version 24 CPU Model 750 Revision 3 1 PoE board version 1 FPGA version 6 Serial number 0321300013 Flash 4 1 0 14 md0a Kernel 3 0 0 20 Fri...

Page 578: ...n a subdirectory specify the subdirectory name followed by a forward slash in front of the filename For example backup_configs config_c Defaults The default file location is nonvolatile storage The cu...

Page 579: ...sion 3 0 Usage This command completely replaces the running configuration with the configuration in the file Examples The following command reloads the configuration from the most recently loaded conf...

Page 580: ...ame If you specify only the filename the CLI displays a message stating that the file does not exist Examples The following command calculates the checksum for image file WX040003 020 in boot partitio...

Page 581: ...2 bytes May 21 2004 19 15 48 file dangcfg 13 KB May 16 2004 18 30 44 dangdir 512 bytes May 16 2004 17 23 44 old 512 bytes Sep 23 2003 21 58 48 Total 33 Kbytes used 207822 Kbytes free Boot Filename Siz...

Page 582: ...S does not restart the WX switch but instead displays a message advising you to either save the configuration changes or use the force option Examples The following command restarts a WX switch that...

Page 583: ...he switch the restore operation fails 3Com recommends deleting unneeded image files before creating or restoring an archive The backup command stores the MAC address of the switch in the archive By de...

Page 584: ...pting to remove it Examples The following example removes subdirectory corp2 WX4400 rmdir corp2 success change accepted See Also dir on page 570 mkdir on page 580 save config Saves the running configu...

Page 585: ...filename used during the most recent reboot is configuration WX4400 save config Configuration saved to configuration The following command saves the running configuration to a file named testconfig1...

Page 586: ...fter rebooting Syntax set boot configuration file filename filename Filename Specify between 1 and 128 alphanumeric characters with no spaces To load the file from a subdirectory specify the subdirect...

Page 587: ...same boot partition for the next software reload that was used to boot the currently running image Access Enabled History Introduced in MSS Version 3 0 Usage To determine the boot partition that was u...

Page 588: ...588 CHAPTER 20 FILE MANAGEMENT COMMANDS...

Page 589: ...e 3Com recommends that you use the lowest levels possible for initial trace commands and slowly increase the levels to get the data you need Commands by Usage This chapter presents trace commands alph...

Page 590: ...ng trace commands and ends trace processes Syntax clear trace trace area all trace area Ends a particular trace process Specify one of the following keywords to end the traces documented in this chapt...

Page 591: ...ured on the WX switch or all possible trace options Syntax display trace all all Displays all possible trace options and their configuration Defaults None Access Enabled History Introduced in MSS Vers...

Page 592: ...cation information Syntax set trace authentication mac addr mac address port port num user username level level mac addr mac address Traces a MAC address Specify a MAC address using colons to separate...

Page 593: ...22 aa bb cc port port num Traces on a WX a port number user username Traces a user Specify a username of up to 80 alphanumeric characters with no spaces level level Determines the quantity of informat...

Page 594: ...alphanumeric characters with no spaces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most inf...

Page 595: ...aces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most information Levels 1 through 5 provid...

Page 596: ...596 CHAPTER 21 TRACE COMMANDS...

Page 597: ...n the Troubleshooting a WX Switch chapter of the Wireless LAN Switch and Controller Configuration Guide Commands by Usage This chapter presents snoop commands alphabetically Use the following table to...

Page 598: ...splay snoop info on page 604 clear snoop map Removes a snoop filter from a MAP radio Syntax clear snoop map filter name dap dap num radio 1 2 filter name Name of the snoop filter dap dap num Number of...

Page 599: ...ddr snap length num filter name Name for the filter The name can be up to 32 alphanumeric characters with no spaces condition list Match criteria for packets Conditions in the list are ANDed Therefore...

Page 600: ...If you do not specify an observer the MAP radio still counts the packets that match the filter snap length num Specifies the maximum number of bytes to capture If you do not specify a length the entir...

Page 601: ...med snoop1 that matches on all traffic and copies the traffic to the device that has IP address 10 10 30 2 WX1200 set snoop snoop1 observer 10 10 30 2 snap length 100 The following command configures...

Page 602: ...r to more than one radio You can map up to eight filters to the same radio If more than one filter has the same observer the MAP sends only one copy of a packet that matches a filter to the observer A...

Page 603: ...t or until the MAP is restarted disable Disables the snoop filter Defaults Snoop filters are disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage The filter mode is not retai...

Page 604: ...mmand Examples The following command shows the MAP radio mappings for all snoop filters configured on a WX switch WX1200 display snoop Dap 3 Radio 2 snoop1 snoop2 Dap 2 Radio 2 snoop2 See Also clear s...

Page 605: ...page 599 display snoop map Shows the MAP radios that are mapped to a specific snoop filter Syntax display snoop map filter name filter name Name of the snoop filter Defaults None Access Enabled Histor...

Page 606: ...io 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 4 0 Usage The MAP retains statistics for a s...

Page 607: ...ckets received by the radio that match the filter Tx Match Number of packets sent by the radio that match the filter Dropped Number of packets that matched the filter but that were not copied to the o...

Page 608: ...608 CHAPTER 22 SNOOP COMMANDS...

Page 609: ...es the configuration for a syslog server and stops sending log messages to that server Syntax clear log buffer server ip addr buffer Deletes the log messages stored in nonvolatile storage server ip ad...

Page 610: ...the trace buffer Syntax display log buffer number of messages facility facility name matching string severity severity level buffer Displays the log messages in nonvolatile storage number of messages...

Page 611: ...ed in MSS Version 3 0 Usage The debug level produces a lot of messages many of which can appear to be somewhat cryptic Debug messages are used primarily by 3Com for troubleshooting and are not intende...

Page 612: ...command WX4400 display log config Logging console disabled Logging console severity DEBUG Logging sessions disabled Logging sessions severity INFO Logging buffer enabled Logging buffer severity DEBUG...

Page 613: ...ecent facility facility name Area of MSS that is sending the log message Type a space and a question mark after display log trace facility for a list of valid facilities matching string Displays messa...

Page 614: ...WX and MAP events to the WX log buffer or other logging destination and sets the level of the events logged For logging to a syslog server only you can also set the facility logged Syntax set log buf...

Page 615: ...rred These are logged for diagnostic purposes No action is required info Informational messages only No problem exists debug Output from debugging local facility facility level For messages sent to a...

Page 616: ...Entering set log buffer disable with no other keywords turns off all logging to the buffer Examples To log only emergency alert and critical system events to the console type the following command WX...

Page 617: ...47483647 seconds Defaults Mark messages are disabled by default When they are enabled MSS generates a message at the notice level once every 300 seconds by default Access Enabled History Introduced in...

Page 618: ...618 CHAPTER 23 SYSTEM LOG COMMANDS...

Page 619: ...you use these commands only when working with 3Com Technical Support to diagnose a system issue In particular commands that change boot parameters can interfere with a WX switch s ability to boot succ...

Page 620: ...e autoboot option off Same effect as OFF Defaults The autoboot option is enabled by default Access Boot prompt History Introduced in MSS Version 3 0 Examples The following command displays the current...

Page 621: ...ter applies only when the boot type is n network FL num Number representing the bit settings of boot flags to pass to the booted system image Use this parameter only if advised to do so by 3Com OPT op...

Page 622: ...ht c 1996 1997 1998 1999 2000 2001 2002 2003 2004 The NetBSD Foundation Inc All rights reserved Copyright c 1982 1986 1989 1991 1993 The Regents of the University of California All rights reserved Det...

Page 623: ...er you type the change command the system interactively displays the current setting of each parameter and prompts you for the new setting When prompted type the new setting press Enter to accept the...

Page 624: ...E default bootfile HOST IP 0 0 0 0 172 16 0 1 LOCAL IP 0 0 0 0 172 16 0 21 GATEWAY IP 0 0 0 0 172 16 0 20 IP MASK 0 0 0 0 255 255 255 0 FLAGS 0x00000000 OPTIONS run nos boot 0 See Also boot on page 62...

Page 625: ...ly active boot profile use the next command To change boot parameter settings use the change command Examples The following command creates a new boot profile in slot 1 on a WX switch that currently h...

Page 626: ...delete BOOT Index 1 BOOT TYPE c DEVICE boot1 FILENAME default FLAGS 00000000 OPTIONS run nos boot 0 See Also change on page 623 create on page 624 display on page 628 next on page 633 dhcp Displays or...

Page 627: ...Introduced in MSS Version 3 0 Usage Access to the diagnostic mode requires a password which is not user configurable Use this mode only if advised to do so by 3Com dir Displays the boot code and syst...

Page 628: ...8863722 bytes Internal Compact Flash Directory Secondary WXA30001 Rel 8862885 bytes See Also fver on page 630 version on page 636 display Displays the currently active boot profile A boot profile is...

Page 629: ...duced in MSS Version 3 0 Examples To display the currently active boot profile type the following command at the boot prompt boot display BOOT Index 0 BOOT TYPE c DEVICE boot1 FILENAME default FLAGS 0...

Page 630: ...the flash card slot boot0 Boot partition 0 boot1 Boot partition 1 filename System image filename DEVICE Location of the system image file c Nonvolatile storage area containing boot partition 0 d Nonv...

Page 631: ...led in boot partition 1 boot fver boot1 File boot1 default version is 3 0 1 See Also dir on page 627 version on page 636 help Displays a list of all the boot prompt commands or detailed information fo...

Page 632: ...file f file boot0 file boot1 file boot2 file boot3 file Command to display the version of the compressed image file associated with the given device filename See Also ls on page 632 ls Displays a list...

Page 633: ...ofile dir Display the contents of the specified boot partition fver Display the version of the loadable image specified by device filename version Display HW and Bootstrap Bootloader version informati...

Page 634: ...display on page 628 reset Resets a WX switch s hardware Syntax reset Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage After resetting the hardware the reset command attempt...

Page 635: ...0 BOOT TYPE c DEVICE boot0 FILENAME default FLAGS 00000000 OPTIONS run nos root md0a See Also boot on page 621 test Displays or changes the state of the poweron test flag The poweron test flag control...

Page 636: ...does not list the system image file versions installed in the boot partitions To display system image file versions use the dir or fver command Examples To display hardware and boot code version info...

Page 637: ...Request If you have trouble registering your product please contact 3Com Global Services for assistance Purchase Value Added Services To enhance response times or extend warranty benefits contact 3Co...

Page 638: ...uct Support heading at http www 3com com Software Upgrades are the software releases that follow the software version included with your original product In order to access upgrades and related docume...

Page 639: ...f publication Find a current directory of contact information posted on the 3Com web site at http csoweb4 3com com contactus Country Telephone Number Country Telephone Number Asia Pacific Rim Telephon...

Page 641: ...user 211 clear mac user attr 212 clear mac user group 212 clear mac usergroup 213 clear mac usergroup attr 214 clear mobility domain 266 clear mobility domain member 266 clear mobility profile 215 cle...

Page 642: ...display aaa 219 display accounting statistics 222 display arp 137 display auto tune attributes 309 display auto tune neighbors 311 display banner motd 41 display base information 41 display boot 573...

Page 643: ...snoop map 605 display snoop stats 606 display spantree 398 display spantree backbonefast 400 display spantree blockedports 401 display spantree portfast 402 display spantree portvlancost 403 display s...

Page 644: ...set ip https server 167 set ip route 167 set ip snmp server 169 set ip ssh 170 set ip ssh server 171 set ip telnet 171 set ip telnet server 172 set length 53 set license 53 set location policy 244 set...

Page 645: ...et service profile rsn ie 383 set service profile shared key auth 384 set service profile ssid name 384 set service profile ssid type 385 set service profile tkip mc time 386 set service profile web a...

Page 646: ...646 INDEX set usergroup 261 set usergroup attr 261 set vlan name 116 set vlan port 117 set vlan tunnel affinity 118 set web portal 262 T telnet 195 test 635 traceroute 197 V version 636...
