Reference Guide
Table Of Contents
- Dell PowerConnect ArubaOS 6.0 Command Line Interface
- Introduction
- aaa authentication captive-portal
- aaa authentication dot1x
- aaa authentication mac
- aaa authentication mgmt
- aaa authentication stateful-dot1x
- aaa authentication stateful-dot1x clear
- aaa authentication stateful-ntlm
- aaa authentication via auth-profile
- aaa authentication via connection-profile
- aaa authentication via web-auth
- aaa authentication vpn
- aaa authentication wired
- aaa authentication wispr
- aaa authentication-server internal
- aaa authentication-server ldap
- aaa authentication-server radius
- aaa authentication-server tacacs
- aaa authentication-server windows
- aaa bandwidth-contract
- aaa derivation-rules
- aaa dns-query-period
- aaa inservice
- aaa ipv6 user add
- aaa ipv6 user clear-sessions
- aaa ipv6 user delete
- aaa ipv6 user logout
- aaa password-policy mgmt
- aaa profile
- aaa query-server
- aaa radius-attributes
- aaa rfc-3576-server
- aaa server-group
- aaa sygate-on-demand
- aaa tacacs-accounting
- aaa test-server
- aaa timers
- aaa trusted-ap
- aaa user add
- aaa user clear-sessions
- aaa user delete
- aaa user fast-age
- aaa user logout
- aaa xml-api
- acceleration
- adp
- am
- ap authorization-profile
- ap enet-link-profile
- ap mesh-cluster-profile
- ap mesh-ht-ssid-profile
- ap mesh-radio-profile
- ap provisioning-profile
- ap provisioning-profile
- ap regulatory-domain-profile
- ap snmp-profile (deprecated)
- ap snmp-user-profile (deprecated)
- ap spectrum clear-webui-view-settings
- ap spectrum local-override
- ap system-profile
- ap wipe out flash
- ap wired-ap-profile
- ap-group
- ap-name
- ap-regroup
- ap-rename
- apboot
- apflash
- apconnect
- apdisconnect
- arp
- audit-trail
- backup
- banner motd
- boot
- cellular profile
- cfgm
- clear
- clock set
- clock summer-time recurring
- clock timezone
- configure terminal
- controller-ip
- control-plane-security
- copy
- cp-bandwidth-contract
- crypto dynamic-map
- crypto ipsec
- crypto isakmp
- crypto isakmp policy
- crypto map global-map
- crypto pki
- crypto pki-import
- crypto-local ipsec-map
- crypto-local isakmp ca-certificate
- crypto-local isakmp dpd
- crypto-local isakmp key
- crypto-local isakmp permit-invalid-cert
- crypto-local isakmp server-certificate
- crypto-local isakmp xauth
- crypto-local pki
- database synchronize
- delete
- destination
- dir
- dynamic-ip
- enable
- enable secret
- enable bypass
- encrypt
- esi group
- esi parser domain
- esi parser rule
- esi parser rule-test
- esi ping
- esi server
- exit
- export
- firewall
- firewall cp
- firewall cp-bandwidth-contract
- gateway health-check disable
- guest-access-email
- halt
- help
- hostname
- ids ap-classification-rule
- ids ap-rule-matching
- ids dos-profile
- ids general-profile
- ids impersonation-profile
- ids management-profile
- ids profile
- ids rate-thresholds-profile
- ids signature-matching-profile
- ids signature-profile
- ids unauthorized-device-profile
- interface fastethernet | gigabitethernet
- interface loopback
- interface port-channel
- interface range
- interface tunnel
- interface vlan
- interface vlan ip igmp proxy
- ip access-list eth
- ip access-list extended
- ip access-list mac
- ip access-list session
- ip access-list standard
- ip cp-redirect-address
- ip default-gateway
- ip dhcp excluded-address
- ip dhcp pool
- ip domain lookup
- ip domain-name
- ip igmp
- ip local
- ip mobile active-domain
- ip mobile domain
- ip mobile foreign-agent
- ip mobile home-agent
- ip mobile proxy
- ip mobile revocation
- ip mobile trail
- ip name-server
- ip nat
- ip ospf
- ip pppoe-max-segment-size
- ip pppoe-password
- ip pppoe-service-name
- ip pppoe-username
- ip radius
- ip route
- ipv6 enable
- ipv6 firewall
- lacp group
- lacp port-priority
- lacp system-priority
- lacp timeout
- license
- localip
- local-userdb add
- local-userdb del
- local-userdb export
- local-userdb fix-database
- local-userdb import
- local-userdb maximum-expiration
- local-userdb modify
- local-userdb send-to-guest
- local-userdb send-to-sponsor
- local-userdb-guest add
- local-userdb-guest del
- local-userdb-guest modify
- local-userdb-guest send-email
- local-userdb-remote-node
- location
- logging
- logging facility
- logging level
- loginsession
- logout
- mac-address-table
- masterip
- master-redundancy
- mgmt-server
- mgmt-user
- mobility-manager
- netdestination
- netservice
- network-printer
- network-storage
- ntp server
- packet-capture
- packet-capture-defaults
- page
- paging
- panic
- papi-security
- pcap
- phonehome
- ping
- pkt-trace
- pkt-trace-global
- pptp ip local pool
- priority-map
- process monitor
- prompt
- provision-ap
- rap-wml
- rap-wml table
- reload
- remote-node-localip
- remote-node-masterip
- remote-node-profile
- rename
- restore
- rf am-scan-profile
- rf arm-profile
- rf dot11a-radio-profile
- rf dot11g-radio-profile
- rf event-thresholds-profile
- rf ht-radio-profile
- rf optimization-profile
- rf spectrum-profile
- rft
- router mobile
- router ospf
- service
- show aaa authentication all
- show aaa authentication captive-portal
- show aaa authentication captive-portal customization
- show aaa authentication dot1x
- show aaa authentication mac
- show aaa authentication mgmt
- show aaa authentication stateful-dot1x
- show aaa authentication stateful-ntlm
- show aaa authentication via auth-profile
- show aaa authentication via connection-profile
- show aaa authentication via web-auth
- show aaa authentication vpn
- show aaa authentication wired
- show aaa authentication wispr
- show aaa authentication-server all
- show aaa authentication-server internal
- show aaa authentication-server ldap
- show aaa authentication-server radius
- show aaa authentication-server tacacs
- show aaa authentication-server windows
- show aaa tacacs-accounting
- show aaa bandwidth-contracts
- show aaa derivation-rules
- show aaa dns-query-period
- show aaa fqdn-server-names
- show aaa main-profile
- show aaa password-policy mgmt
- show aaa profile
- show aaa radius-attributes
- show aaa rfc-3576-server
- show aaa server-group
- show aaa state ap-group
- show aaa state configuration
- show aaa state debug-statistics
- show aaa state messages
- show aaa state station
- show aaa state user
- show aaa sygate-on-demand (deprecated)
- show aaa tacacs-accounting
- show aaa timers
- show aaa xml-api server
- show aaa web admin-port
- show aaa xml-api statistics
- show acceleration
- show acl ace-table
- show acl acl-table
- show acl hits
- show adp config
- show adp counters
- show ap active
- show ap allowed-channels
- show ap ap-group
- show ap arm history
- show ap arm neighbors
- show ap arm rf-summary
- show ap arm scan-times
- show ap arm state
- show ap association
- show ap association remote
- show ap authorization-profile
- show ap blacklist-clients
- show ap bss-table
- show ap bw-report
- show ap client status
- show ap config
- show ap coverage-holes
- show ap database
- show ap database-summary
- show ap debug association-failure (deprecated)
- show ap debug bss-config
- show ap debug bss-stats
- show ap debug client-mgmt-counters
- show ap debug client-stats
- show ap debug client-table
- show ap debug counters
- show ap debug crash-info
- show ap debug datapath
- show ap debug driver-log
- show ap debug log
- show ap debug mgmt-frames (deprecated)
- show ap debug radio-stats
- show ap debug received-config
- show ap debug remote association
- show ap debug shaping-table
- show ap debug system-status
- show ap debug trace-addr
- show ap details
- show ap enet-link-profile
- show ap essid
- show ap ht-rates
- show ap image version
- show ap license-usage
- show ap load-balancing
- show ap mesh active
- show ap mesh debug counters
- show ap mesh debug current-cluster
- show ap mesh debug forwarding-table
- show ap mesh debug hostapd-log
- show ap mesh debug meshd-log
- show ap mesh debug provisioned-clusters
- show ap mesh neighbors
- show ap mesh tech-support
- show ap mesh topology
- show ap mesh-cluster-profile
- show ap mesh-ht-ssid-profile
- show ap mesh-radio-profile
- show ap monitor
- show ap monitor association
- show ap monitor debug
- show ap monitor stats
- show ap pcap status
- show ap profile-usage
- show ap provisioning
- show ap radio-database
- show ap regulatory-domain-profile
- show ap remote counters
- show ap remote debug flash-config
- show ap remote debug mgmt-frames
- show ap spectrum ap-list
- show ap spectrum channel-metrics
- show ap spectrum channel-summary
- show ap spectrum client-list
- show ap spectrum debug
- show ap spectrum debug fft
- show ap spectrum debug monitors
- show ap spectrum debug status
- show ap spectrum device-duty-cycle
- show ap spectrum device-history
- show ap spectrum device-list
- show ap spectrum device-log
- show ap spectrum device-summary
- show ap spectrum interference-power
- show ap spectrum local-override
- show ap spectrum monitors
- show ap spectrum technical-support
- show ap spectrum-load-balancing
- show ap system-profile
- show ap tech-support
- show ap vlan-usage
- show ap wired stats
- show ap wired-ap-profile
- show ap wired-port-profile
- show ap wmm-flow
- show ap-group
- show ap-name
- show arp
- show audit-trail
- show auth-tracebuf
- show banner
- show boot
- show cellular profile
- show clock
- show command-mapping
- show configuration
- show controller-ip
- show country
- show cp-bwcontracts
- show cpuload
- show crypto dp
- show crypto dynamic-map
- show crypto ipsec
- show crypto isakmp
- show crypto map
- show crypto pki
- show crypto-local ipsec-map
- show crypto-local isakmp
- show crypto-local pki
- show database
- show datapath
- show destination
- show dialer group
- show dir
- show dot1x ap-table
- show dot1x ap-table aes
- show dot1x ap-table dynamic-wep
- show dot1x ap-table static-wep
- show dot1x ap-table tkip
- show dot1x counters
- show dot1x supplicant-info
- show dot1x supplicant-info list-all
- show dot1x supplicant-info pmkid
- show dot1x supplicant-info statistics
- show esi groups
- show esi parser
- show esi ping
- show esi servers
- show faults
- show firewall
- show firewall-cp
- show gateway health-check
- show global-user-table count
- show-global-user-table list
- show guest-access-email
- show hostname
- show ids dos-profile
- show ids general-profile
- show ids impersonation-profile
- show ids profile
- show ids rate-thresholds-profile
- show ids signature-matching-profile
- show ids signature-profile
- show ids unauthorized-device-profile
- show image version
- show interface counters
- show interface gigabitethernet
- show interface fastethernet
- show interface loopback
- show interface port-channel
- show interface tunnel
- show interface vlan
- show inventory
- show ip access-group
- show ip access-list
- show ip cp-redirect-address
- show ip dhcp
- show ip domain-name
- show ip igmp
- show ip mobile
- show ip nat pool
- show ip ospf
- show ip pppoe-info
- show ip radius
- show ip route
- show ipc statistics app-ap
- show ipc statistics app-id
- show ipc statistics app-name
- show ipv6 access-list
- show ipv6 datapath session counters
- show ipv6 datapath session table
- show ipv6 datapath user counters
- show ipv6 datapath user table
- show ipv6 firewall
- show ipv6 mld config
- show ipv6 mld counters
- show ipv6 mld group
- show ipv6 mld interface
- show ipv6 user-table
- show keys
- show lacp
- show lacp sys-id
- show license
- show license-usage
- show localip
- show local-userdb
- show local-userdb username
- show local-userdb-remote-node
- show log all
- show log ap-debug
- show log bssid-debug
- show log errorlog
- show log essid-debug
- show log network
- show log security
- show log system
- show log user
- show log user-debug
- show log wireless
- show logging
- show loginsessions
- show mac-address-table
- show master-configpending
- show master-local stats
- show master-redundancy
- show memory
- show mgmt-role
- show mgmt-users
- show netdestination
- show netservice
- show netstat
- show network-printer
- show network-storage
- show ntp peer
- show ntp servers
- show ntp status
- show packet-capture
- show packet-capture-defaults
- show papi-security
- show phonehome
- show poe
- show port link-event
- show port monitor
- show port stats
- show port status
- show port trusted
- show port xsec
- show priority-map
- show processes
- show profile-errors
- show profile-hierarchy
- show provisioning-params
- show profile-list aaa
- show profile-list ap
- show profile-list ap-group
- show profile-list ap-name
- show profile-list ids
- show profile-list rf
- show profile-list wlan
- show provisioning-ap-list
- show rap-wml
- show references aaa authentication
- show references aaa authentication-server
- show references aaa profile
- show references aaa server-group
- show references ap
- show references guest-access-email
- show references ids
- show references papi-security
- show references rf
- show references user-role
- show references web-server
- show references wlan
- show remote-node
- show remote-node-dhcp-pool
- show remote-node-profile
- show rf arm-profile
- show rf dot11a-radio-profile
- show rf dot11g-radio-profile
- show rf event-thresholds-profile
- show rf ht-radio-profile
- show rf optimization-profile
- show rf spectrum-profile
- show rft profile
- show rft result
- show rft transactions
- show rights
- show roleinfo
- show rrm dot11k admission-capacity
- show rrm dot11k ap-channel-report
- show rrm dot11k beacon-report
- show rrm dot11k neighbor-report
- show rrm dot11k transmit-stream-report station-mac
- show running-config
- show session-acl-list
- show slots
- show snmp community
- show snmp inform
- show snmp trap-host
- show snmp trap-list
- show snmp trap-queue
- show snmp user-table
- show spanning-tree
- show spantree
- show ssh
- show startup-config
- show station-table
- show storage
- show switch ip
- show switch software
- show switches
- show switchinfo
- show syscontact
- show syslocation
- show tech-support
- show telnet
- show time-range
- show tpm cert-info
- show trunk
- show uplink
- show usb
- show user
- show user_session_count (deprecated)
- show util_proc
- show valid-network-oui-profile
- show version
- show vlan
- show vlan mapping
- show vlan status
- show vlan summary
- show vlan-bwcontract-explist
- tar
- show voice call-cdrs
- show voice call-counters
- show voice call-density
- show voice call-perf
- show voice call-quality
- show voice call-stats
- show voice client-status
- show voice configurations
- show voice dialplan-profile
- show voice logging
- show voice msg-stats
- show voice real-time-analysis
- show voice real-time-analysis-config
- show voice rtcp-inactivity
- show voice sip
- show voice sip-midcall-req-timeout
- show voice statistics
- show voice trace
- show vpdn l2tp configuration
- show vpdn pptp configuration
- show vpdn pptp local pool
- show via
- show vpn-dialer
- show vrrp
- show web-server
- show wlan dot11k-profile
- show wlan edca-parameters-profile
- show wlan ht-ssid-profile
- show wlan ssid-profile
- show wlan traffic-management-profile
- show wlan virtual-ap
- show wlan voip-cac-profile
- show wms ap
- show wms channel
- show wms client
- show wms counters
- show wms general
- show wms monitor-summary
- show wms probe
- show wms rogue-ap
- show wms routers
- show wms system
- show wms wired-mac
- shutdown
- snmp-server
- spanning-tree (Global Configuration)
- spanning-tree (Configuration Interface)
- spanning-tree mode
- spanning-tree vlan (PVST+)
- spanning-tree vlan range (PVST+)
- ssh
- stm
- support
- syscontact
- syslocation
- telnet
- time-range
- traceroute
- trusted
- uplink
- usb reclassify
- usb-printer
- user-role
- valid-network-oui-profile
- vlan
- vlan-bwcontract-explist
- vlan-name
- voice dialplan-profile
- voice logging
- voice rtcp-inactivity
- voice real-time-config
- voice sip
- voice sip-midcall-req-timeout
- vpdn group l2tp
- vpdn group pptp
- vpn-dialer
- vrrp
- web-server
- whitelist-db cpsec add
- whitelist-db cpsec delete
- whitelist-db cpsec modify
- whitelist-db cpsec revoke
- whitelist-db cpsec purge
- whitelist-db cpsec-local-switch-list
- whitelist-db cpsec-master-switch-list
- whoami
- wlan dot11k-profile
- wlan client-wlan-profile
- wlan edca-parameters-profile
- wlan ht-ssid-profile
- wlan ssid-profile
- wlan traffic-management-profile
- wlan virtual-ap
- wlan voip-cac-profile
- wms ap
- wms clean-db
- wms client
- wms export-class
- wms export-db
- wms general
- wms import-db
- wms reinit-db
- wms-local system
- write
- Appendix A: Command Modes
Dell PowerConnect ArubaOS 6.0 Command Line Interface | Reference Guide crypto-local ipsec-map | 169
You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same
CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to
display the certificates associated with all configured site-to-site VPN maps; use the tag <map> option to display
certificates associated with a specific site-to-site VPN map.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to
authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically
addressed peers.
To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with
Authentication based on a Pre-Shared-Key. A controller with a dynamic IP address must be configured to be the
initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be
configured as the responder of IKE Aggressive-mode.
Examples
The following commands configures site-to-site VPN between two controllers:
(host) (config) #crypto-local ipsec-map sf-chi-vpn 100
src-net 101.1.1.0 255.255.255.0
dst-net 100.1.1.0 255.255.255.0
peer-ip 172.16.0.254
vlan 1
trusted
(host) (config) #crypto-local ipsec-map chi-sf-vpn 100
src-net 100.1.1.0 255.255.255.0
dst-net 101.1.1.0 255.255.255.0
peer-ip 172.16.100.254
vlan 1
trusted
For a dynamically addressed controller that initiates IKE Aggressive-mode for Site-Site VPN:
(host) (config)crypto-local ipsec-map <name> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip <ipaddr>
local-fqdn <local_id_fqdn>
vlan <id>
pre-connect enable|disable
trusted enable
For the Pre-shared-key:
crypto-local isakmp key <key> address <ipaddr> netmask <mask>
For a static IP controller that responds to IKE Aggressive-mode for Site-Site VPN:
(host) (config)crypto-local ipsec-map <name2> <priority>
src-net <ipaddr> <mask>
dst-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <id>
trusted enable
For the Pre-shared-key:
crypto-local isakmp key <key> fqdn <fqdn-id>
For a static IP controller that responds to IKE Aggressive-mode for Site-Site VPN with One PSK for All FQDNs: