RoamAbout ® Mobility System Software Command Line Interface Reference Version 5.
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Enterasys Networks, Inc. Firmware License Agreement BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
4. EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.
9. OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys. 10. ENFORCEMENT.
Enterasys Networks, Inc. Software License Agreement This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. (“Enterasys”) that sets forth your rights and obligations with respect to the software contained in CD‐ROM or other media. BY UTILIZING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER OF LIABILITY.
5. PROTECTION AND SECURITY. You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees, except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this Agreement, without the prior written consent of Enterasys.
NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED “AS IS”. THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID.
Contents

About This Guide
    Introducing Mobility System Software
    Documentation
        Planning, Configuration, and Deployment
        Installation

    history
    set auto-config
    set banner motd
    set confirm

    set vlan port
    set vlan tunnel-affinity
    show fdb
    show fdb agingtime

    set ntp
    set ntp server
    set ntp update-interval
    set snmp community

    clear mac-user group
    clear mac-usergroup
    clear mac-usergroup attr
    clear mobility-profile

    set network-domain mode seed domain-name
    show network-domain
Chapter 11: Access Point Commands
    clear {ap | dap} radio
    clear dap boot-configuration

    set radio-profile mode
    set radio-profile preamble-length
    set radio-profile qos-mode
    set radio-profile rfid-mode

    show {ap | dap} etherstats
    show {ap | dap} group
    show {ap | dap} status
    show auto-tune attributes

    show igmp mrouter
    show igmp querier
    show igmp receiver-table
    show igmp statistics

    clear dot1x quiet-period
    clear dot1x reauth-max
    clear dot1x reauth-period
    clear dot1x timeout auth-server

    show rfdetect visible
    test rflink
Chapter 20: File Management Commands
    backup

    show log config
    show log trace
Chapter 24: Boot Prompt Commands
    autoboot
    boot
About This Guide

For information about...
    Introducing Mobility System Software
    Documentation
    Getting Help

This command reference explains Mobility System Software (MSS) command line interface (CLI) commands that you enter on a RoamAbout Switch (called RoamAbout Switch, RBT switch, or RAS in this document) to configure and manage the Mobility System wireless LAN (WLAN).
Documentation

Consult the following documents to plan, install, configure, and manage a Mobility System.

Planning, Configuration, and Deployment

RoamAbout Switch Manager User’s Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the RoamAbout Switch Manager (RASM) tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy RoamAbout equipment to provide those services, and how to optimize and manage your WLAN.
Text and Syntax Conventions

RoamAbout Switch manuals use the following text and syntax conventions:

Convention       Use
Monospace text   Sets off command syntax or sample commands and system responses.
Blue text        Indicates a hyperlink.
Bold text        Highlights commands that you enter or items you select.
Italic text      Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
• A description of your network environment (such as layout, cable type, other relevant environmental information)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring problem)
• Any previous Return Material Authorization (RMA) numbers
Chapter 1: Using the Command-Line Interface

For information about...
    CLI Conventions
    Command-Line Editing
    Using CLI Help
    Understanding Command Descriptions

Mobility System Software (MSS) operates a Mobility System wireless LAN (WLAN) consisting of RoamAbout Switch Manager (RASM) software, RoamAbout Switches (called RoamAbout Switch or RAS in this document), and RoamAbout access points.
CLI Conventions

Command Prompts

By default, the MSS CLI provides the following prompt for restricted users. The mm portion shows the RAS model number (for example, 20) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
MAC Address Notation

MSS displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes, for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred. For shortcuts:
• You can exclude leading zeros when typing a MAC address. MSS displays of MAC addresses include all leading zeros.
wildcard character matches any number of characters up to, but not including, a delimiter character in the glob. Valid user glob delimiter characters are the at (@) sign and the period (.). For example, the following globs identify the following users:

User Glob          User(s) Designated
jose@example.com   User jose at example.com
*@example.com      All users at example.com whose usernames do not contain periods, for example, jose@example.com and tamara@example.com, but not nin.wong@example.
For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.

Matching Order for Globs

In general, the order in which you enter AAA commands determines the order in which MSS matches the user, MAC address, or VLAN to a glob. To verify the order, view the output of the show aaa or show config command. MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match.
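The following Python sketch is an added example, not part of the Enterasys documentation or of MSS. It models the user-glob rules and first-match ordering described above so that a rule list can be checked for entries that a broader, earlier glob always pre-empts; the rule list, action names, sample usernames, and case-sensitive matching are assumptions made for illustration.

```python
import re

# Delimiter characters the page names for user globs.
USER_GLOB_DELIMITERS = "@."


def user_glob_to_regex(glob):
    """Compile a user glob into a regex that follows the rules stated above.

    '*'  matches any run of characters that contains no delimiter (@ or .).
    '**' as the whole glob matches every username.
    Assumptions: every other character is literal, matching is
    case-sensitive, and '**' inside a longer glob acts like a single '*'.
    """
    if glob == "**":
        return re.compile(r".*", re.DOTALL)
    no_delim = "[^" + re.escape(USER_GLOB_DELIMITERS) + "]*"
    return re.compile(
        "".join(no_delim if ch == "*" else re.escape(ch) for ch in glob)
    )


def first_match(rules, username):
    """Return (index, glob, action) for the first matching rule, else None."""
    for index, (glob, action) in enumerate(rules):
        if user_glob_to_regex(glob).fullmatch(username):
            return index, glob, action
    return None


def audit_order(rules, usernames):
    """Report the winning rule per username and the rules that never win.

    A rule is listed as shadowed when it matches at least one sample
    username but an earlier rule always matches first.
    """
    compiled = [user_glob_to_regex(glob) for glob, _ in rules]
    winners, matched, won = {}, set(), set()
    for name in usernames:
        hits = [i for i, rx in enumerate(compiled) if rx.fullmatch(name)]
        winners[name] = hits[0] if hits else None
        matched.update(hits)
        won.update(hits[:1])
    return winners, sorted(matched - won)


# Constructed rule list, in the order the commands would have been entered.
# The action names are placeholders, not MSS syntax.
RULES = [
    ("*@example.com", "staff"),
    ("*.*@example.com", "contractors"),
    ("jose@example.com", "admins"),   # entered too late: rule 0 matches first
    ("**", "guests"),
]

# Constructed sample usernames.
SAMPLE_USERS = [
    "jose@example.com",
    "tamara@example.com",
    "nin.wong@example.com",
    "guest@other.org",
]

if __name__ == "__main__":
    winners, shadowed = audit_order(RULES, SAMPLE_USERS)
    for name, idx in winners.items():
        label = "no match" if idx is None else f"rule {idx}: {RULES[idx][0]}"
        print(f"{name:24} -> {label}")
    for idx in shadowed:
        print(f"rule {idx} ({RULES[idx][0]}) never wins on this sample")
```

On this sample the specific jose@example.com rule never takes effect because *@example.com is entered before it, which is the ordering problem to look for in show aaa or show config output.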
Command-Line Editing

MSS editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts

The following table lists the keyboard shortcuts for entering and editing CLI commands:

Keyboard Shortcut(s)       Function
Ctrl+A                     Jumps to the first character of the command line.
Ctrl+B or Left Arrow key   Moves the cursor back one character.
Ctrl+C                     Escapes and terminates prompts and tasks.
Ctrl+D                     Deletes the character at the cursor.
Single-Asterisk (*) Wildcard Character

You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-3.)

Double-Asterisk (**) Wildcard Characters

The double-asterisk (**) wildcard character matches all usernames. For details, see “User Globs” on page 1-3.

Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the help command.
To see all the variations, type one of the commands followed by a question mark (?).
Chapter 2: Access Commands

Use access commands to control access to the Mobility System Software (MSS) command-line interface (CLI). This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter.

For information about... Refer to page...
disable
Changes the CLI session from enabled mode to restricted access.
Syntax: disable
Parameters: None.
Defaults: None.
Mode: Enabled.
enable
Places the CLI session in enabled mode, which provides access to all commands required for configuring and monitoring the system.
Syntax: enable
Parameters: None.
Defaults: None.
Mode: All.
Usage: MSS displays a password prompt to challenge you with the enable password. To enable a session, you or another administrator must have configured the enable password to this RoamAbout switch with the set enablepass command.
quit
Exit from the CLI session.
Syntax: quit
Parameters: None.
Defaults: None.
Mode: All.
set enablepass
Sets the password that provides enabled access (for configuration and monitoring) to the RoamAbout switch.
Note: The enable password is case-sensitive.
Syntax: set enablepass
Parameters: None.
Defaults: None.
Mode: Enabled.
Usage: After typing the set enablepass command, press Enter. If you are entering the first enable password on this RoamAbout switch, press Enter at the Enter old password prompt. Otherwise, type the old password.
Chapter 3: System Services Commands

Use system services commands to configure and monitor system information for a RoamAbout switch. This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter.

For information about... Refer to page...
clear banner motd
Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the RoamAbout switch.
Syntax: clear banner motd
Defaults: None.
Mode: Enabled.
clear history
Deletes the command history buffer for the current CLI session.
Syntax: clear history
Defaults: None.
Mode: All.
Example: To clear the history buffer, type the following command:
    RBT-8100# clear history
    success: command buffer was flushed.
clear prompt
Resets the system prompt to its previously configured value. If the prompt was not configured previously, this command resets the prompt to its default.
Syntax: clear prompt
Defaults: None.
Mode: Enabled.
Example: To reset the prompt, type the following command:
    wildebeest# clear prompt
    success: change accepted.
    RBT-8100#
Related Commands: set prompt on page 3-14. (For information about default prompts, see “Command Prompts” on page 1-2.
clear system
Clears the system configuration of the specified information.
Caution: If you change the IP address, any currently configured Mobility Domain operations cease. You must reset the Mobility Domain.
Syntax: clear system [contact | countrycode | ip-address | location | name]
Parameters:
    contact       Resets the name of the contact person for the RoamAbout switch to null.
    countrycode   Resets the country code for the RoamAbout switch to null.
help
Displays a list of commands that can be used to configure and monitor the RoamAbout switch.
Syntax: help
Defaults: None.
Mode: All.
Example: Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access.
history
Displays the command history buffer for the current CLI session.
Syntax: history
Defaults: None.
Mode: All.
set auto-config
Enables a RoamAbout switch to contact a RoamAbout Switch Manager (RASM) server for its configuration.
Syntax: set auto-config {enable | disable}
Parameters:
    enable    Enables the switch to contact a RASM server to request a configuration.
    disable   Disables the auto-config option.
Defaults: However, auto-config is disabled by default on the RBT-8100.
Mode: Enabled.
Usage: A network administrator at the corporate office can preconfigure the switch in a RASM network plan.
Example: The following commands stage an RBT-8100 switch to use the auto-config option. The network where the switch is installed has a DHCP server, so the switch is configured to use the MSS DHCP client to obtain an IP address, default router address, DNS domain name, and DNS server IP addresses.
1. Configure a VLAN:
    RBT-8100# set vlan 1 port 7
    success: change accepted.
2. Enable the DHCP client on VLAN 1:
    RBT-8100# set interface 1 ip dhcp-client enable
    success: change accepted.
3.
set banner motd
Configures the banner string that is displayed before the beginning of each login prompt for each CLI session on the RoamAbout switch.
Syntax: set banner motd ^text^
Parameters:
    ^      Delimiting character that begins and ends the message.
    text   Up to 2000 alphanumeric characters, including tabs and carriage returns, but not the delimiting character (^). The maximum number of characters is approximately 24 lines by 80 characters.
Defaults: None.
Mode: Enabled.
set confirm
Enables or disables the display of confirmation messages for commands that might have a large impact on the network.
Syntax: set confirm {on | off}
Parameters:
    on    Enables confirmation messages.
    off   Disables confirmation messages.
Defaults: Confirmation messages are enabled.
Mode: Enabled.
Usage: This command remains in effect for the duration of the session, until you enter an exit or quit command, or until you enter another set confirm command.
set length
Defines the number of lines of CLI output to display between paging prompts. MSS displays the set number of lines and waits for you to press any key to display another set, or type q to quit the display.
Syntax: set length number-of-lines
Parameters:
    number-of-lines   Number of lines of text to display between paging prompts. You can specify from 0 to 512. The 0 value disables the paging prompt action entirely.
Defaults: MSS displays 24 lines by default.
Mode: All.
set license
Installs an upgrade license key on an RBT-8400 or RBT-8200 switch. The RBT-8400 or RBT-8200 switch can boot and manage up to 40 access points by default. You can increase the access point support to 80 access points or 120 access points, by installing one or two activation keys. Activation keys are available for 40 additional access points or 80 additional access points. You can install a 40-access point upgrade or an 80-access point upgrade.
set prompt
Changes the CLI prompt for the RoamAbout switch to a string you specify.
Syntax: set prompt string
Parameters:
    string   Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
Defaults: The factory default for the RoamAbout switch name is RBT-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits of the 12-digit system MAC address.
Mode: Enabled.
set system contact
Stores a contact name for the RoamAbout switch.
Syntax: set system contact string
Parameters:
    string   Alphanumeric string up to 256 characters long, with no blank spaces.
Defaults: None.
Mode: Enabled.
To view the system contact string, type the show system command.
Example: The following command sets the system contact information to tamara@example.com:
    RBT-8100# set system contact tamara@example.com
    success: change accepted.
set system countrycode
Defines the country-specific IEEE 802.11 regulations to enforce on the RoamAbout switch.
Syntax: set system countrycode code
Parameters:
    code   Two-letter code for the country of operation for the RoamAbout switch. You can specify one of the codes listed in Table 3-1.
Table 3-1 Country Codes (continued)

Country                Code
Luxembourg             LU
Malaysia               MY
Mexico                 MX
Netherlands            NL
New Zealand            NZ
Norway                 NO
Poland                 PL
Portugal               PT
Saudi Arabia           SA
Singapore              SG
Slovakia               SK
Slovenia               SI
South Africa           ZA
South Korea            KR
Spain                  ES
Sweden                 SE
Switzerland            CH
Taiwan                 TW
Thailand               TH
United Arab Emirates   AE
United Kingdom         GB
United States          US

Defaults: The factory default country code is None.
Mode: Enabled.
Example: To set the country code to Canada, type the following command:
    RBT-8100# set system countrycode CA
    success: change accepted.
set system idle-timeout
Specifies the maximum number of seconds a CLI management session with the switch can remain idle before MSS terminates the session.
Syntax: set system idle-timeout seconds
Parameters:
    seconds   Number of seconds a CLI management session can remain idle before MSS terminates the session. You can specify from 0 to 86400 seconds (one day). If you specify 0, the idle timeout is disabled. The timeout interval is in 30-second increments.
set system ip-address
Sets the system IP address so that it can be used by various services in the RoamAbout switch.
Caution: Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.
Syntax: set system ip-address ip-addr
Parameters:
    ip-addr   IP address, in dotted decimal notation.
Defaults: None.
Mode: Enabled.
Example: The following command sets the IP address of the RoamAbout switch to 192.168.253.
set system location
Stores location information for the RoamAbout switch.
Syntax: set system location string
Parameters:
    string   Alphanumeric string up to 256 characters long, with no blank spaces.
Defaults: None.
Mode: Enabled.
Usage: You cannot include spaces in the system location string. To view the system location string, type the show system command.
set system name
Changes the name of the RoamAbout switch from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.
Syntax: set system name string
Parameters:
    string   Alphanumeric string up to 256 characters long, with no blank spaces. RoamAbout Switch Manager requires unique RoamAbout switch names.
Defaults: By default, the system name and command prompt have the same value.
show banner motd
Shows the banner that was configured with the set banner motd command.
Syntax: show banner motd
Defaults: None.
Mode: Enabled.
show load
Displays CPU usage on the switch.
Syntax: show load
Defaults: None.
Mode: Enabled.
Example: To display the CPU load recorded from the time the switch was booted, as well as from the previous time the show load command was run, enter the following command:
    RBT-8100# show load
    System Load: overall: 2% delta: 5%
The overall field shows the CPU load as a percentage from the time the switch was booted. The delta field shows CPU load as a percentage from the last time the show load command was entered.
show licenses
Displays information about the license key(s) currently installed on an RBT-8400 switch.
Syntax: show licenses
Defaults: None.
Mode: All.
Usage: This command applies only to the RBT-8200 or RBT-8400.
show system
Displays system information.
Syntax: show system
Defaults: None.
Mode: Enabled.
Example: To show system information, type the following command:
    RBT-8100# show system
    ===============================================================================
    Product Name: RBT-8100
    System Name: RBT-bldg3
    System Countrycode: US
    System Location: first-floor-bldg3
    System Contact: tamara@example.com
    System IP: 192.168.12.
Table 3-2 show system Output (continued)

Field            Description
System Contact   Contact information about the system administrator or another person to contact about the system (optionally configured with set system contact).
System IP        Common interface, source, and default IP address for the RAS, in dotted decimal notation (configured with set system ip-address).
show tech-support
Provides an in-depth snapshot of the status of the RoamAbout switch, which includes details about the boot image, the version, ports, and other configuration values. This command also displays the last 100 log messages.
Syntax: show tech-support [file [subdirname/]filename]
Parameters:
    [subdirname/]filename   Optional subdirectory name, and a string up to 32 alphanumeric characters. The command’s output is saved into a file with the specified name in nonvolatile storage.
Defaults: None.
Chapter 4: Port Commands

Use port commands to configure and manage individual ports and load-sharing port groups. This chapter presents port commands alphabetically. Use the following table to locate commands in this chapter.

For information about... Refer to page...
clear dap
Removes a Distributed Access Point (DAP).
Caution: When you clear a Distributed access point, MSS ends user sessions that are using the access point.
Syntax: clear dap dap-num
Parameters:
    dap-num   Number of the Distributed access point(s) you want to remove.
Defaults: None.
Mode: Enabled.
Example: The following command clears Distributed access point 1:
    RBT-8100# clear dap 1
    This will clear specified DAP devices.
clear port counters
Clears port statistics counters and resets them to 0.
Syntax: clear port counters
Parameters: None.
Defaults: None.
Mode: Enabled.
clear port-group
Removes a port group.
Syntax: clear port-group name name
Parameters:
    name name   Name of the port group.
Defaults: None.
Mode: Enabled.
Example: The following command clears port group server1:
    RBT-8100# clear port-group name server1
    success: change accepted.
clear port media-type
Disables the copper interface and re-enables the fiber interface on an RBT-8400 gigabit Ethernet port.
Syntax: clear port media-type port-list
Parameters:
    port-list   List of physical ports. MSS disables the copper interface and re-enables the fiber interface on all the specified ports.
Defaults: The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Mode: Enabled.
Usage: This command applies only to the RBT-8400.
clear port mirror
Removes a port mirroring configuration.
Syntax: clear port mirror
Defaults: None.
Mode: Enabled.
clear port name
Removes the name assigned to a port.
Syntax: clear port port-list name
Parameters:
    port-list name   List of physical ports. MSS removes the names from all the specified ports.
Defaults: None.
Mode: Enabled.
clear port type
Removes all configuration settings from a port and resets the port as a network port.
Note: When you clear a port, MSS ends user sessions that are using the port.
Syntax: clear port type port-list
Parameters:
    port-list   List of physical ports. MSS resets and removes the configuration from all the specified ports.
Defaults: The cleared port becomes a network port but is not placed in any VLANs.
Mode: Enabled.
Usage: Use this command to change a port back to a network port.
Example: The following command clears port 5:
    RBT-8100# clear port type 5
    This may disrupt currently authenticated users.
    Are you sure? (y/n) [n]y
    success: change accepted.
monitor port counters
Displays and continually updates port statistics.
Syntax: monitor port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats]
Parameters:
    octets            Displays octet statistics first.
    packets           Displays packet statistics first.
    receive-errors    Displays errors in received packets first.
    transmit-errors   Displays errors in transmitted packets first.
    collisions        Displays collision statistics first.
Table 4-2 Key Controls for Monitor Port Counters Display (continued)

Key   Effect on Monitor Display
Esc   Exits the monitor. MSS stops displaying the statistics and displays a new command prompt.
c     Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.

For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors. Jumbo packets with valid CRCs are not counted.
Table 4-3 Output for Monitor Port Counters

Statistics Option: Displayed for All Options
    Port        Port the statistics are displayed for.
    Status      Port status. The status can be Up or Down.
Statistics Option: octets
    Rx Octets   Total number of octets received by the port. This number includes octets received in frames that contained errors.
    Tx Octets   Total number of octets received. This number includes octets received in frames that contained errors.
Table 4-3 Output for Monitor Port Counters (continued)

Statistics Option: collisions
    Single Coll      Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network.
    Multiple Coll    Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
    Excessive Coll   Total number of frames that experienced more than 16 collisions during transmit attempts.
reset port
Resets a port by toggling its link state and Power over Ethernet (PoE) state.
Syntax: reset port port-list
Parameters:
    port-list   List of physical ports. MSS resets all the specified ports.
Defaults: None.
Mode: Enabled.
Usage: The reset command disables the port’s link and PoE (if applicable) for at least 1 second, then reenables them. This behavior is useful for forcing an Access Point that is connected to two RoamAbout switches to reboot over the link to the other switch.
set dap
Configures a Distributed access point for an Access Point that is indirectly connected to the RoamAbout switch through an intermediate Layer 2 or Layer 3 network.
Notes: Before configuring a Distributed access point, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the RoamAbout switch. See set system countrycode on page 3-16.
Example: The following command configures Distributed access point 1 for access point model RBT-1602 with serial-ID 0322199999:
    RBT-8100# set dap 1 serial-id 0322199999 model RBT-1602
    success: change accepted.
The following command removes Distributed access point 1:
    RBT-8100# clear dap 1
    This will clear specified DAP devices.
set port
Administratively disables or reenables a port.
Syntax: set port {enable | disable} port-list
Parameters:
    enable      Enables the specified ports.
    disable     Disables the specified ports.
    port-list   List of physical ports. MSS disables or re-enables all the specified ports.
Defaults: All ports are enabled.
Mode: Enabled.
Usage: A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
set port-group
Configures a load-sharing port group. All ports in the group function as a single logical link.
Syntax: set port-group name group-name port-list mode {on | off}
Parameters:
    name group-name   Alphanumeric string of up to 255 characters, with no spaces.
    port-list         List of physical ports. All the ports you specify are configured together as a single logical link.
    mode {on | off}   State of the group. Use on to enable the group or off to disable the group. The group is enabled by default.
set port media-type Disables the fiber interface and enables the copper interface on an RBT‐8400 gigabit Ethernet port. Syntax set port media-type port-list rj45 Parameters port‐list List of physical ports. MSS sets the preference on all the specified ports. rj45 Uses the copper interface. Defaults The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default. Mode Enabled. Usage This command applies only to the RBT-8400.
set port mirror Configures port mirroring. Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by an RoamAbout Switch port (the source port) to another port (the observer) on the same RoamAbout Switch. You can attach a protocol analyzer to the observer port to examine the source port’s traffic. Both traffic directions (send and receive) are mirrored.
set port name Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands. Syntax set port port name name Parameters port Number of a physical port. You can specify only one port. name name Alphanumeric string of up to 16 characters, with no spaces. Defaults None. Mode Enabled. Usage To simplify configuration and avoid confusion between a port’s number and its name, Enterasys Networks recommends that you do not use numbers as port names.
set port negotiation Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports. Syntax set port negotiation port-list {enable | disable} Parameters port‐list List of physical ports. MSS disables or reenables autonegotiation on all the specified ports. enable Enables autonegotiation on the specified ports. disable Disables autonegotiation on the specified ports. Defaults Autonegotiation is enabled on all Ethernet ports by default. Mode Enabled.
Enterasys Networks recommends that you do not configure the mode of a RoamAbout Switch port so that one side of the link is set to autonegotiation while the other side is set to full‐duplex. Although MSS allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half‐duplex. A stream of large packets sent to a RoamAbout Switch port in such a configuration can cause forwarding on the link to stop.
set port speed Changes the speed of a port. Syntax set port speed port-list {10 | 100 | 1000 | auto} Parameters port‐list List of physical ports. MSS sets the port speed on all the specified ports. 10 Sets the port speed of a 10/100 Ethernet port to 10 Mbps and sets the operating mode to full‐duplex. 100 Sets the port speed of a 10/100 Ethernet port to 100 Mbps and sets the operating mode to full‐duplex.
set port trap Enables or disables Simple Network Management Protocol (SNMP) linkup and linkdown traps on an individual port. Syntax set port trap port-list {enable | disable} Parameters port‐list List of physical ports. enable Enables the Telnet server. disable Disables the Telnet server. Defaults SNMP linkup and linkdown traps are disabled by default. Mode Enabled. Usage The set port trap command overrides the global setting of the set snmp trap command.
set port type wired-auth Configures a RoamAbout switch port for a wired authentication user. Note: Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset the port with the clear port type command. Syntax set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none }] Parameters port‐list List of physical ports. tag‐list One or more numbers between 1 and 4094 that subdivide a wired authentication port into virtual ports.
Table 4-5 Wired Authentication Port Defaults (continued) Port Parameter Setting IGMP snooping Enabled as users are authenticated and join VLANs. Maximum user sessions 1 (one). Fallthru authentication type None.
show port counters Displays port statistics. Syntax show port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list] Parameters octets Displays octet statistics. packets Displays packet statistics. receive‐errors Displays errors in received packets. transmit‐errors Displays errors in transmitted packets. collisions Displays collision statistics. receive‐etherstats Displays Ethernet statistics for received packets.
show port-group Displays port group information. Syntax show port-group [all | name group-name] Parameters all Displays information for all port groups. name group‐name Displays information for the specified port group. Defaults None. Mode All. Example The following command displays the configuration of port group server2: RBT-8100# show port-group name server2 Port group: server2 is up Ports: 15, 17 Table 4‐6 describes the fields in the show port‐group output.
show port media-type Displays the enabled interface types on an RBT‐8400 switch’s gigabit Ethernet ports. Syntax show port media-type [port-list] Parameters port‐list List of physical ports. MSS displays the enabled interface types for all the specified ports. Defaults None. Mode All. Usage This command applies only to the RBT‐8400.
show port status Displays configuration and status information for ports. Syntax show port status [port-list] Parameters port‐list List of physical ports. If you do not specify a port list, information is displayed for all ports. Defaults None. Mode All.
Table 4-8 Output for show port status
Output    What It Displays...
Port      Port number.
Name      Port name. If the port does not have a name, the port number is listed.
Admin     Administrative status of the port:
          up—The port is enabled.
          down—The port is disabled.
Oper      Operational status of the port:
          up—The port is operational.
          down—The port is not operational.
Config    Port speed configured on the port:
          10—10 Mbps.
          100—100 Mbps.
          1000—1000 Mbps.
          auto—The port sets its own speed.
5 VLAN Commands Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a Mobility Domain. This chapter presents VLAN commands alphabetically. Use the following table to locate commands in this chapter. For information about... Refer to page...
clear fdb Deletes an entry from the forwarding database (FDB). Syntax clear fdb {perm | static | dynamic | port port‐list} [vlan vlan‐id] [tag tag‐value] Parameters perm Clears permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. You must specify a VLAN name or number with this option. static Clears static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
The following command clears all dynamic forwarding database entries that match all VLANs: RBT-8100# clear fdb dynamic success: change accepted. The following command clears all dynamic forwarding database entries that match ports 3 and 5: RBT-8100# clear fdb port 3,5 success: change accepted.
clear security l2-restrict Removes one or more MAC addresses from the list of destination MAC addresses to which clients in a VLAN are allowed to send traffic at Layer 2. Syntax clear security l2-restrict vlan vlan‐id [permit-mac mac‐addr [mac‐addr] | all] Parameters vlan‐id VLAN name or number. permit‐mac mac‐addr [mac‐addr] List of MAC addresses. MSS no longer allows clients in the VLAN to send traffic to the MAC addresses at Layer 2. all Removes all MAC addresses from the list.
clear security l2-restrict counters Clear statistics counters for Layer 2 forwarding restriction. Syntax clear security l2-restrict counters [vlan vlan‐id | all] Parameters vlan‐id VLAN name or number. all Clears Layer 2 forwarding restriction counters for all VLANs. Defaults If you do not specify a VLAN or all, counters for all VLANs are cleared. Mode Enabled.
clear vlan Removes physical or virtual ports from a VLAN or removes a VLAN entirely. Caution: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configuration information that uses the VLAN. If you want to remove only a specific port from the VLAN, make sure you specify the port number in the command. Syntax clear vlan vlan‐id [port port‐list [tag tag‐value]] Parameters vlan‐id VLAN name or number. port port‐list List of physical ports.
Related Commands • set vlan port on page 5‐12 • show vlan config on page 5‐24
set fdb Adds a permanent or static entry to the forwarding database. Syntax set fdb {perm | static} mac‐addr port port‐list vlan vlan‐id [tag tag‐value] Parameters perm Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. static Adds a static entry. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle. mac‐addr Destination MAC address of the entry.
set fdb agingtime Changes the aging timeout period for dynamic entries in the forwarding database. Syntax set fdb agingtime vlan‐id age seconds Parameters vlan‐id VLAN name or number. The timeout period change applies only to entries that match the specified VLAN. age seconds Value for the timeout period, in seconds. You can specify a value from 0 through 1,000,000. If you change the timeout period to 0, aging is disabled. Defaults The aging timeout period is 300 seconds (5 minutes). Mode Enabled.
set security l2-restrict Restricts Layer 2 forwarding between clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN’s default routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified default routers.
set vlan name Creates a VLAN and assigns a number and name to it. Syntax set vlan vlan‐num name name Parameters vlan‐num VLAN number. You can specify a number from 2 through 4093. name name String up to 16 alphabetic characters long. Defaults VLAN 1 is named default by default. No other VLANs have default names. Mode Enabled. Usage You must assign a name to a VLAN (other than the default VLAN) before you can add ports to the VLAN. Enterasys Networks recommends that you do not use the name default.
set vlan port Assigns one or more network ports to a VLAN. You also can add a virtual port to each network port by adding a tag value to the network port. Syntax set vlan vlan‐id port port‐list [tag tag‐value] Parameters vlan‐id VLAN name or number. port port‐list List of physical ports. tag tag‐value Tag value that identifies a virtual port. You can specify a value from 1 through 4093. Defaults By default, no ports are members of any VLANs.
set vlan tunnel-affinity Changes a RoamAbout switch’s preferability within a Mobility Domain for tunneling user traffic for a VLAN. When a user roams to a RoamAbout switch that is not a member of the user’s VLAN, the switch can forward the user traffic by tunneling to another RoamAbout switch that is a member of the VLAN. Syntax set vlan vlan‐id tunnel-affinity num Parameters vlan‐id VLAN name or number. tunnel‐affinity num Preference of this switch for forwarding user traffic for the VLAN.
show fdb Displays entries in the forwarding database. Syntax show fdb [mac‐addr‐glob [vlan vlan‐id]] show fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id] Parameters mac‐addr‐glob A single MAC address or set of MAC addresses. Specify a MAC address, or use the wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC Address Globs” on page 1‐4.) vlan vlan‐id Name or number of a VLAN for which to display entries. perm Displays permanent entries.
Example The following command displays all entries in the forwarding database: RBT-8100# show fdb all * = Static Entry. + = Permanent Entry. # = System Entry.
show fdb agingtime Displays the aging timeout period for forwarding database entries. Syntax show fdb agingtime [vlan vlan‐id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, the aging timeout period for each VLAN is displayed. Defaults None. Mode All.
show fdb count Lists the number of entries in the forwarding database. Syntax show fdb count {perm | static | dynamic} [vlan vlan‐id] Parameters perm Lists the number of permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. static Lists the number of static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle. dynamic Lists the number of dynamic entries.
show roaming station Displays a list of the stations roaming to the RoamAbout switch through a VLAN tunnel. Syntax show roaming station [vlan vlan‐id] [peer ip‐addr] Parameters vlan vlan‐id Output is restricted to stations using this VLAN. peer ip‐addr Output is restricted to stations tunnelling through this peer RoamAbout switch in the Mobility Domain. Defaults None. Mode Enabled. Usage The output displays roaming stations within the previous 1 second.
Table 5-2 Output for show roaming station (continued) Output What It Displays... State State of the session: Setup—Station is attempting to roam to this RoamAbout switch. This switch has asked the RoamAbout switch from which the station is roaming for the station’s session information and is waiting for a reply. Up—MSS has established a tunnel between the RoamAbout switches and the station has successfully roamed to this RoamAbout switch over the tunnel.
show roaming vlan Shows all VLANs in the Mobility Domain, the RoamAbout switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. Syntax show roaming vlan Parameters None. Defaults None. Mode Enabled. Example The following command shows the current roaming VLANs:
RBT-8100# show roaming vlan
VLAN             RBT             Affinity
---------------- --------------- -------
vlan-cs          192.168.14.2    5
vlan-eng         192.168.14.4    5
vlan-fin         192.168.14.2    5
vlan-it          192.168.14.4    5
vlan-it          192.168.
show security l2-restrict Displays configuration information and statistics for Layer 2 forwarding restriction. Syntax show security l2-restrict [vlan vlan‐id | all] Parameters vlan‐id VLAN name or number. all Displays information for all VLANs. If you do not specify a VLAN name or all, information is displayed for all VLANs. Mode Enabled. Defaults None.
Table 5-4 Output for show security l2-restrict Field Description Hits Number of packets whose source MAC address was a client in this VLAN, and whose destination MAC address was one of those listed under Permit MAC.
show tunnel Displays the tunnels from the RoamAbout switch where you type the command. Syntax show tunnel Parameters None. Defaults None. Mode Enabled. Example To display all tunnels from a RoamAbout switch to other switches in the Mobility Domain, type the following command.
RBT-8100# show tunnel
VLAN            Local Address   Remote Address  State   Port  LVID  RVID
--------------- --------------- --------------- ------- ----- ----- ----
vlan-eng        192.168.14.2    192.168.14.
show vlan config Displays VLAN information. Syntax show vlan config [vlan‐id] Parameters vlan‐id VLAN name or number. If you do not specify a VLAN, information for all VLANs is displayed. Defaults None. Mode All. Example The following command displays information for VLAN burgundy:
RBT-8100# show vlan config burgundy
                      Admin  VLAN  Tunl
VLAN Name             Status State Affin Port             Tag
---- ---------------- ------ ----- ----- ---------------- ----
   2 burgundy         Up     Up    5     2                none
                                         3                none
                                         4                none
                                         6                none
                                         11               none
                                         t:10.10.40.
Table 5-6 Output for show vlan config
Output        What It Displays...
VLAN          VLAN number.
Name          VLAN name.
Admin Status  Administrative status of the VLAN:
              Down—The VLAN is disabled.
              Up—The VLAN is enabled.
VLAN State    Link status of the VLAN:
              Down—The VLAN is not connected.
              Up—The VLAN is connected.
Tunl Affin    Tunnel affinity value assigned to the VLAN.
Port          Member port of the VLAN. The port can be a physical port or a virtual port.
6 QoS Commands Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet prioritization ensures that RoamAbout Switches and RoamAbout Access Points give preferential treatment to high‐priority traffic such as voice and video. (To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See Chapter 14, Security ACL Commands.) This chapter presents QoS commands alphabetically.
clear qos Resets switch mapping of Differentiated Services Code Point (DSCP) to internal QoS values. The switch’s internal QoS map ensures that prioritized traffic remains prioritized while transiting through the RoamAbout Switch.
set qos cos-to-dscp-map Changes the value to which MSS maps an internal QoS value when marking outbound packets. Syntax set qos cos-to-dscp-map level dscp dscp-value Parameters level Internal CoS value. You can specify a number from 0 to 7. dscp dscp‐value DSCP value. You can specify the value as a decimal number. Valid values are 0 to 63. Defaults The defaults are listed by the show qos command. Mode Enabled.
set qos dscp-to-cos-map Changes the internal QoS value to which MSS maps a packet’s DSCP value when classifying inbound packets. Syntax set qos dscp-to-cos-map dscp-range cos level Parameters dscp‐range DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40‐56. Specify the lower number first. cos level Internal QoS value. You can specify a number from 0 to 7. Defaults The defaults are listed by the show qos command.
show qos Displays the switch’s QoS settings. Syntax show qos [default] Parameters default Displays the default mappings. Defaults None. Mode Enabled.
show qos dscp-table Displays a table that maps Differentiated Services Code Point (DSCP) values to their equivalent combinations of IP precedence values and IP ToS values. Syntax show qos dscp-table Parameters None. Mode Enabled. Usage Introduced in MSS v4.0 as the show security acl dscp command and renamed in v4.1.
7 IP Services Commands Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), and aliases, and to ping a host or trace a route. This chapter presents IP services commands alphabetically. Use the following table to locate commands in this chapter. For information about... Refer to page...
clear interface Removes an IP interface. Syntax clear interface vlan-id ip Parameters vlan‐id VLAN name or number. Defaults None. Mode Enabled.
clear ip alias Removes an alias, which is a string that represents an IP address. Syntax clear ip alias name Parameters name Alias name. Defaults None. Mode Enabled. Example The following command removes the alias server1: RBT-8100# clear ip alias server1 success: change accepted.
clear ip dns domain Removes the default DNS domain name. Syntax clear ip dns domain Parameters None. Defaults None. Mode Enabled. Example The following command removes the default DNS domain name from a RoamAbout switch: RBT-8100# clear ip dns domain Default DNS domain name cleared.
clear ip dns server Removes a DNS server from a RoamAbout switch configuration. Syntax clear ip dns server ip-addr Parameters ip‐addr IP address of a DNS server. Defaults None. Mode Enabled. Example The following command removes DNS server 10.10.10.69 from a RoamAbout switch’s configuration: RBT-8100# clear ip dns server 10.10.10.69 success: change accepted.
clear ip route Removes a route from the IP route table. Syntax clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router Parameters default Default route. Note: default is an alias for IP address 0.0.0.0/0. ip‐addr mask IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0). ip‐addr/mask‐length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
clear ip telnet Resets the Telnet server’s TCP port number to its default value. A RoamAbout switch listens for Telnet management traffic on the Telnet server port. Syntax clear ip telnet Parameters None. Defaults The default Telnet port number is 23. Mode Enabled. Example The following command resets the TCP port number for Telnet management traffic to its default: RBT-8100# clear ip telnet success: change accepted.
clear ntp server Removes an NTP server from a RoamAbout switch configuration. Syntax clear ntp server {ip-addr | all} Parameters ip‐addr IP address of the server to remove, in dotted decimal notation. all Removes all NTP servers from the configuration. Defaults None. Mode Enabled. Example The following command removes NTP server 192.168.40.240 from a RoamAbout switch configuration: RBT-8100# clear ntp server 192.168.40.240 success: change accepted.
clear ntp update-interval Resets the NTP update interval to the default value. Syntax clear ntp update-interval Parameters None. Defaults The default NTP update interval is 64 seconds. Mode Enabled. Example To reset the NTP interval to the default value, type the following command: RBT-8100# clear ntp update-interval success: change accepted.
clear snmp community Clears an SNMP community string. Syntax clear snmp community name comm-string Parameters comm‐string Name of the SNMP community you want to clear. Defaults None. Mode Enabled. Example The following command clears community string setswitch2: RBT-8100# clear snmp community name setswitch2 success: change accepted.
clear snmp notify target Clears an SNMP notification target. Syntax clear snmp notify target target-num Parameters target‐num ID of the target. Defaults None. Mode Enabled. Example The following command clears notification target 3: RBT-8100# clear snmp notify target 3 success: change accepted.
clear snmp notify profile Clears an SNMP notification profile. Syntax clear snmp notify profile profile-name Parameters profile‐name Name of the notification profile you are clearing. Defaults None. Mode Enabled. Example The following command clears notification profile snmpprof_rfdetect: RBT-8100# clear snmp notify profile snmpprof_rfdetect success: change accepted.
clear snmp trap receiver This command is deprecated in MSS Version 4.0. To clear an SNMP notification target (also called trap receiver), see clear snmp notify target on page 7‐13. Syntax clear snmp trap receiver ip-addr Parameters ip‐addr IP address of the trap receiver, in dotted decimal notation. Defaults None. Mode Enabled. Example To delete the trap receiver at IP address 192.168.0.1, type the following command: RBT-8100# clear snmp trap receiver 192.168.0.1 success: change accepted.
clear snmp usm Clears an SNMPv3 user. Syntax clear snmp usm usm-username Parameters usm‐username Name of the SNMPv3 user you want to clear. Defaults None. Mode Enabled. Example The following command clears SNMPv3 user snmpmgr1: RBT-8100# clear snmp usm snmpmgr1 success: change accepted.
clear summertime Clears the summertime setting from a RoamAbout switch. Syntax clear summertime Parameters None. Defaults None. Mode Enabled. Example To clear the summertime setting from a RoamAbout switch, type the following command: RBT-8100# clear summertime success: change accepted.
clear system ip-address Clears the system IP address. Caution: Clearing the system IP address disrupts the system tasks that use the address. Syntax clear system ip-address Parameters None. Defaults None. Mode Enabled.
clear timezone Clears the time offset for the RoamAbout switch’s real‐time clock from Coordinated Universal Time (UTC). UTC is also known as Greenwich Mean Time (GMT). Syntax clear timezone Parameters None. Defaults None. Mode Enabled. Example To return the RoamAbout switch’s real‐time clock to UTC, type the following command: RBT-8100# clear timezone success: change accepted.
ping Tests IP connectivity between a RoamAbout switch and another device. MSS sends an Internet Control Message Protocol (ICMP) echo packet to the specified device and listens for a reply packet. Syntax ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-addr | vlan-name] Parameters host IP address, MAC address, hostname, alias, or user to ping. count num‐packets Number of ping packets to send. You can specify from 0 through 2,147,483,647.
Example The following command pings a device that has IP address 10.1.1.1:
RBT-8100# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.628 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.676 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.619 ms
64 bytes from 10.1.1.1: icmp_seq=5 ttl=255 time=0.608 ms
--- 10.1.1.
set arp Adds an ARP entry to the ARP table. Syntax set arp {permanent | static | dynamic} ip-addr mac-addr Parameters permanent Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. static Adds a static entry. A static entry does not age out, but the entry does not remain in the database after a reboot, reset, or power cycle. dynamic Adds a dynamic entry.
set arp agingtime Changes the aging timeout for dynamic ARP entries. Syntax set arp agingtime seconds Parameters seconds Number of seconds an entry can remain unused before MSS removes the entry. You can specify from 0 through 1,000,000. To disable aging, specify 0. Defaults The default aging timeout is 1200 seconds. Mode Enabled. Usage Aging applies only to dynamic entries. To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
set interface Configures an IP interface on a VLAN. Syntax set interface vlan-id ip {ip-addr mask | ip-addr/mask-length} Parameters vlan‐id VLAN name or number. ip‐addr mask IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0). ip‐addr/mask‐length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24). Defaults None. Mode Enabled. Usage You can assign one IP interface to each VLAN.
set interface dhcp-client Configures the DHCP client on a VLAN, to allow the VLAN to obtain its IP interface from a DHCP server. Syntax set interface vlan-id ip dhcp-client {enable | disable} Parameters vlan‐id VLAN name or number. enable Enables the DHCP client on the VLAN. disable Disables the DHCP client on the VLAN. Defaults The DHCP client is disabled by default on all switch models. Mode Enabled. Usage You can enable the DHCP client on one VLAN only.
set interface dhcp-server Configures the MSS DHCP server. Note: Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. Enterasys Networks recommends that you do not use the MSS DHCP server to allocate client addresses in a production network.
• Default router—If this option is not set with the set interface dhcp‐server command’s default‐ router option, the MSS DHCP server can use the value set by the set ip route command. A default route configured by set ip route can be used if the route is in the DHCP client’s subnet. Otherwise, the MSS DHCP server does not specify a router address. Example The following command enables the DHCP server on VLAN red‐vlan to serve addresses from the 192.168.1.5 to 192.168.1.
set interface status Administratively disables or reenables an IP interface. Syntax set interface vlan-id status {up | down} Parameters vlan‐id VLAN name or number. up Enables the interface. down Disables the interface. Defaults IP interfaces are enabled by default. Mode Enabled.
set ip alias Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI commands. Syntax set ip alias name ip-addr Parameters name String of up to 32 alphanumeric characters, with no spaces. ip‐addr IP address in dotted decimal notation. Defaults None. Mode Enabled. Example The following command configures the alias HR1 for IP address 192.168.1.2: RBT-8100# set ip alias HR1 192.168.1.2 success: change accepted.
set ip dns Enables or disables DNS on a RoamAbout switch. Syntax set ip dns {enable | disable} Parameters enable Enables DNS. disable Disables DNS. Defaults DNS is disabled by default. Mode Enabled.
set ip dns domain Configures a default domain name for DNS queries. The RoamAbout switch appends the default domain name to domain names or hostnames you enter in commands. Syntax set ip dns domain name Parameters name Domain name of between 1 and 64 alphanumeric characters with no spaces (for example, example.org). Defaults None. Mode Enabled. Usage To override the default domain name when entering a hostname in a CLI command, enter a period at the end of the hostname.
set ip dns server Specifies a DNS server to use for resolving hostnames you enter in CLI commands. Syntax set ip dns server ip-addr {primary | secondary} Parameters ip‐addr IP address of a DNS server, in dotted decimal or CIDR notation. primary Makes the server the primary server, which MSS always consults first for resolving DNS queries. secondary Makes the server a secondary server. MSS consults a secondary server only if the primary server does not reply. Defaults None. Mode Enabled.
set ip https server Enables the HTTPS server on a RoamAbout switch. The HTTPS server is required for WebView access to the switch. Caution: If you disable the HTTPS server, Web View access to the switch is disabled. Syntax set ip https server {enable | disable} Parameters enable Enables the HTTPS server. disable Disables the HTTPS server. Defaults The HTTPS server is disabled by default. Mode Enabled.
set ip route Adds a static route to the IP route table. Syntax set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric Parameters default Default route. A RoamAbout switch uses the default route if an explicit route is not available for the destination. Note: default is an alias for IP address 0.0.0.0/0. ip‐addr mask IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
Example The following command adds a default route that uses default router 10.5.4.1 and gives the route a cost of 1: RBT-8100# set ip route default 10.5.4.1 1 success: change accepted. The following commands add two default routes, and configure MSS to always use the route through 10.2.4.69 when the RoamAbout switch interface to that default router is up: RBT-8100# set ip route default 10.2.4.69 1 success: change accepted. RBT-8100# set ip route default 10.2.4.17 2 success: change accepted.
set ip snmp server Enables or disables the SNMP service on the RoamAbout switch. Syntax set ip snmp server {enable | disable} Parameters enable Enables the SNMP service. disable Disables the SNMP service. Defaults The SNMP service is disabled by default. Mode Enabled. Example The following command enables the SNMP server on a RoamAbout switch: RBT-8100# set ip snmp server enable success: change accepted.
set ip ssh Changes the TCP port number on which a RoamAbout switch listens for Secure Shell (SSH) management traffic. Caution: If you change the SSH port number from an SSH session, MSS immediately ends the session. To open a new management session, you must configure the SSH client to use the new TCP port number. Syntax set ip ssh port port-num Parameters port‐num TCP port number. Defaults The default SSH port number is 22. Mode Enabled.
set ip ssh server Disables or reenables the SSH server on a RoamAbout switch. Caution: If you disable the SSH server, SSH access to the RoamAbout switch is also disabled. Syntax set ip ssh server {enable | disable} Parameters enable Enables the SSH server. disable Disables the SSH server. Defaults The SSH server is enabled by default. Mode Enabled. Usage SSH requires an SSH authentication key. You can generate one or allow MSS to generate one.
set ip telnet

Changes the TCP port number on which a RoamAbout switch listens for Telnet management traffic.

Caution: If you change the Telnet port number from a Telnet session, MSS immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.

Syntax
set ip telnet port-num

Parameters
port‐num
    TCP port number.

Defaults
The default Telnet port number is 23.

Mode
Enabled.
set ip telnet server

Enables the Telnet server on a RoamAbout switch.

Caution: If you disable the Telnet server, Telnet access to the RoamAbout switch is also disabled.

Syntax
set ip telnet server {enable | disable}

Parameters
enable
    Enables the Telnet server.
disable
    Disables the Telnet server.

Defaults
The Telnet server is disabled by default.

Mode
Enabled.

Usage
The maximum number of Telnet sessions supported on a RoamAbout switch is eight.
set ntp

Enables or disables the NTP client on a RoamAbout switch.

Syntax
set ntp {enable | disable}

Parameters
enable
    Enables the NTP client.
disable
    Disables the NTP client.

Defaults
The NTP client is disabled by default.

Mode
Enabled.

Usage
If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the RoamAbout switch time can take many NTP update intervals.
set ntp server

Configures a RoamAbout switch to use an NTP server.

Syntax
set ntp server ip-addr

Parameters
ip‐addr
    IP address of the NTP server, in dotted decimal notation.

Defaults
None.

Mode
Enabled.

Usage
You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis. To use NTP, you also must enable the NTP client with the set ntp command.
set ntp update-interval

Changes how often MSS sends queries to the NTP servers for updates.

Syntax
set ntp update-interval seconds

Parameters
seconds
    Number of seconds between queries. You can specify from 16 through 1024 seconds.

Defaults
The default NTP update interval is 64 seconds.

Mode
Enabled.

Example
The following command changes the NTP update interval to 128 seconds:

RBT-8100# set ntp update-interval 128
success: change accepted.
set snmp community

Configures a community string for SNMPv1 or SNMPv2c.

Note: For SNMPv3, use the set snmp usm command to configure an SNMPv3 user. SNMPv3 does not use community strings.

Syntax
set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}

Parameters
comm‐string
    Name of the SNMP community. Specify between 1 and 32 alphanumeric characters, with no spaces.
Examples
The following command configures the read‐write community good_community:

RBT-8100# set snmp community read-write good_community
success: change accepted.

The following command configures community string switchmgr1 with access level notify‐read‐write:

RBT-8100# set snmp community name switchmgr1 notify-read-write
success: change accepted.
set snmp notify target

Configures a notification target for notifications from SNMP. A notification target is a remote device to which MSS sends SNMP notifications. You can configure the MSS SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.
retries num
    Specifies the number of times the MSS SNMP engine will resend a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
timeout num
    Specifies the number of seconds MSS waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.
SNMPv2c with Informs

To configure a notification target for informs from SNMPv2c, use the following command:

Syntax
set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string inform [profile profile-name] [retries num][timeout num]

Parameters
target‐num
    ID for the target. This ID is local to the RoamAbout switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip‐addr[:udp‐port‐number]
    IP address of the server.
SNMPv1 with Traps

To configure a notification target for traps from SNMPv1, use the following command:

Syntax
set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]

Parameters
target‐num
    ID for the target. This ID is local to the RoamAbout switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip‐addr[:udp‐port‐number]
    IP address of the server.
Related Commands
• clear snmp notify target on page 7‐13
• set ip snmp server on page 7‐36
• set snmp community on page 7‐44
• set snmp profile on page 7‐51
• set snmp protocol on page 7‐56
• set snmp security on page 7‐57
• set snmp usm on page 7‐60
• show snmp notify target on page 7‐92
set snmp profile

Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. You can configure up to ten notification profiles.

Syntax
set snmp profile {default | profile-name} {drop | send} {notification-type | all}

Parameters
default | profile‐name
    Name of the notification profile you are creating or modifying.
notification‐type
    Name of the notification type:
    • AuthenTraps—Generated when the RoamAbout switch’s SNMP engine receives a bad community string.
    • AutoTuneRadioChannelChangeTraps—Generated when the RF Auto‐Tuning feature changes the channel on a radio.
    • AutoTuneRadioPowerChangeTraps—Generated when the RF Auto‐Tuning feature changes the power setting on a radio.
    • ClientAssociationFailureTraps—Generated when a client’s attempt to associate with a radio fails.
    • MobilityDomainTimeoutTraps—Generated when a timeout occurs after a RoamAbout switch has unsuccessfully tried to communicate with a seed member.
    • APBootTraps—Generated when an access point boots.
    • APTimeoutTraps—Generated when an access point fails to respond to the RoamAbout switch.
    • PoEFailTraps—Generated when a serious PoE problem, such as a short circuit, occurs.
    • RFDetectAdhocUserTraps—Generated when MSS detects an ad‐hoc user.
    • RFDetectUnAuthorizedAPTraps—Generated when MSS detects the MAC address of an AP that is on the attack list.
    • RFDetectUnAuthorizedOuiTraps—Generated when a wireless device that is not on the list of permitted vendors is detected.
    • RFDetectUnAuthorizedSsidTraps—Generated when an SSID that is not on the permitted SSID list is detected.
all
    Sends or drops all notifications.

Defaults
A default notification profile (named default) is already configured in MSS.
RBT-8100# set snmp notify profile RFDetectSpoofedSsidAPTraps
success: change accepted.
RBT-8100# set snmp notify profile RFDetectUnAuthorizedAPTraps
success: change accepted.
RBT-8100# set snmp notify profile RFDetectUnAuthorizedOuiTraps
success: change accepted.
RBT-8100# set snmp notify profile RFDetectUnAuthorizedSsidTraps
success: change accepted.
set snmp protocol

Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.

Syntax
set snmp protocol {v1 | v2c | usm | all} {enable | disable}

Parameters
v1
    SNMPv1
v2c
    SNMPv2c
usm
    SNMPv3 (with the user security model)
all
    Enables all supported versions of SNMP.
enable
    Enables the specified SNMP version(s).
disable
    Disables the specified SNMP version(s).

Defaults
All SNMP versions are disabled by default.

Mode
Enabled.

Usage
SNMP requires the switch’s system IP address to be set.
set snmp security

Sets the minimum level of security MSS requires for SNMP message exchanges.

Syntax
set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}

Parameters
unsecured
    SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
authenticated
    SNMP message exchanges are authenticated but are not encrypted.
encrypted
    SNMP message exchanges are authenticated and encrypted.
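The management-plane settings documented above (Telnet and SSH servers, SNMP service, SNMP versions, security level, community strings) can be reviewed together. The following Python audit is an added example, not part of the manual or of MSS; the sample configurations are constructed, and the function names and finding identifiers are hypothetical.

```python
"""Audit MSS 'set' commands for weak management-plane settings (added example)."""

# Constructed sample config; every line uses a syntax form shown on this page.
SAMPLE_CONFIG = """\
set ip telnet server enable
set ip ssh server enable
set ip snmp server enable
set snmp protocol v1 enable
set snmp protocol usm enable
set snmp security unsecured
set snmp community name public access read-only
set snmp community name switchmgr1 notify-read-write
"""

# Constructed hardened counterpart: SSH only, SNMPv3 (usm) only, encrypted.
HARDENED_CONFIG = """\
set ip telnet server disable
set ip ssh server enable
set ip snmp server enable
set snmp protocol all disable
set snmp protocol usm enable
set snmp security encrypted
"""

WRITE_ACCESS = {"read-write", "notify-read-write"}
WELL_KNOWN = {"public", "private"}  # names in the page's show snmp configuration output


def parse_state(config_text):
    """Replay the commands in order and return the effective settings."""
    state = {
        "telnet": False,    # page: Telnet server is disabled by default
        "ssh": True,        # page: SSH server is enabled by default
        "snmp": False,      # page: SNMP service is disabled by default
        "versions": set(),  # page: all SNMP versions are disabled by default
        "security": None,   # None means no 'set snmp security' line was seen
        "communities": {},  # community string -> access level
    }
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "ip" and tok[3] == "server" and len(tok) == 5:
            if tok[2] in ("telnet", "ssh", "snmp"):
                state[tok[2]] = tok[4] == "enable"
        elif tok[1:3] == ["snmp", "protocol"] and len(tok) == 5:
            versions = {"v1", "v2c", "usm"} if tok[3] == "all" else {tok[3]}
            if tok[4] == "enable":
                state["versions"] |= versions
            else:
                state["versions"] -= versions
        elif tok[1:3] == ["snmp", "security"]:
            state["security"] = tok[3]
        elif tok[1:4] == ["snmp", "community", "name"] and len(tok) >= 6:
            # Accepts 'name X access LEVEL' and the page's 'name X LEVEL' example.
            state["communities"][tok[4]] = tok[-1]
    return state


def audit(config_text):
    """Return a list of (finding-id, explanation) tuples for the effective state."""
    s = parse_state(config_text)
    findings = []
    if s["telnet"]:
        findings.append(("telnet-enabled",
                         "Telnet management is on; sessions are not encrypted."))
    if not s["ssh"]:
        findings.append(("ssh-disabled",
                         "SSH server is off, leaving no encrypted CLI access."))
    if not s["snmp"]:
        return findings  # SNMP service is off, so SNMP settings are not reachable
    legacy = sorted(s["versions"] & {"v1", "v2c"})
    if legacy:
        findings.append(("snmp-legacy",
                         "Enabled %s supports only the unsecured level." % ", ".join(legacy)))
        for name, access in sorted(s["communities"].items()):
            if name in WELL_KNOWN:
                findings.append(("community-well-known:" + name,
                                 "Community string is a widely known name."))
            if access in WRITE_ACCESS:
                findings.append(("community-write:" + name,
                                 "Community grants write access (%s)." % access))
    if s["security"] == "unsecured":
        findings.append(("snmp-unsecured",
                         "Minimum SNMP security level allows unauthenticated exchanges."))
    return findings


if __name__ == "__main__":
    for finding_id, why in audit(SAMPLE_CONFIG):
        print(finding_id, "-", why)
```
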
set snmp trap

This command is deprecated in MSS Version 4.0. To enable or disable SNMP notifications, configure a notification profile. See set snmp profile on page 7‐51.

Enables or disables the SNMP trap capability. Traps are event notifications. When a trap condition occurs, the RoamAbout switch sends an SNMP trap message to any network management system specified as a trap receiver.

Syntax
set snmp trap {enable | disable} [trap-name | all]

Parameters
enable
    Enables trap information to be sent.
set snmp trap receiver

This command is deprecated in MSS Version 4.0. To configure an SNMP notification target (also called trap receiver), see set snmp notify target on page 7‐46.

Adds an IP address to the SNMP trap receiver table.

Syntax
set snmp trap receiver ip-addr

Parameters
ip‐addr
    IP address of the trap receiver, in dotted decimal notation.

Defaults
None.

Mode
Enabled.

Example
To set the IP address of the SNMP trap receiver to 192.168.0.
set snmp usm

Creates a USM user for SNMPv3.

Note: This command does not apply to SNMPv1 or SNMPv2c. For these SNMP versions, use the set snmp community command to configure community strings.
auth‐type {none | md5 | sha} {auth‐pass‐phrase string | auth‐key hex‐string}
    Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
    • none—No authentication is used.
    • md5—Message‐digest algorithm 5 is used.
    • sha—Secure Hashing Algorithm (SHA) is used.
    If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
Related Commands
• clear snmp usm on page 7‐16
• set ip snmp server on page 7‐36
• set snmp community on page 7‐44
• set snmp notify target on page 7‐46
• set snmp profile on page 7‐51
• set snmp protocol on page 7‐56
• set snmp security on page 7‐57
• show snmp usm on page 7‐94
set summertime

Offsets the real‐time clock of a RoamAbout switch by +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.

Syntax
set summertime summer-name [start week weekday month hour min end week weekday month hour min]

Parameters
summer‐name
    Name of up to 32 alphanumeric characters that describes the summertime offset. You can use a standard name or any name you like.
start
    Start of the time change period.
Related Commands
• clear summertime on page 7‐17
• clear timezone on page 7‐19
• set timedate on page 7‐66
• set timezone on page 7‐67
• show summertime on page 7‐95
• show timedate on page 7‐96
• show timezone on page 7‐97
set system ip-address

Configures the system IP address. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following:
• Mobility domain operations
• Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps

Syntax
set system ip-address ip-addr

Parameters
ip‐addr
    IP address, in dotted decimal notation. The address must be configured on one of the RoamAbout switch’s VLANs.

Defaults
None.
set timedate

Sets the time of day and date on the RoamAbout switch.

Syntax
set timedate {date mmm dd yyyy [time hh:mm:ss]}

Parameters
date mmm dd yyyy
    System date:
    • mmm—month.
    • dd—day.
    • yyyy—year.
time hh:mm:ss
    System time, in hours, minutes, and seconds.

Defaults
None.

Mode
Enabled.

Usage
The day of week is automatically calculated from the day you set.
set timezone

Sets the number of hours, and optionally the number of minutes, that the RoamAbout switch’s real‐time clock is offset from Coordinated Universal Time (UTC). These values are also used by Network Time Protocol (NTP), if it is enabled.

Syntax
set timezone zone-name {-hours [minutes]}

Parameters
zone‐name
    Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like.
‐
    Minus time to indicate hours (and minutes) to be subtracted from UTC.
show arp

Displays the ARP table.

Syntax
show arp [ip-addr]

Parameters
ip‐addr
    IP address.

Defaults
If you do not specify an IP address, the whole ARP table is displayed.

Mode
All.

Example
The following command displays ARP entries:

RBT-8100# show arp
ARP aging time: 1200 seconds
Host
-----------------------------
10.5.4.51
10.5.4.
Table 7-1 Output for show arp (continued)

Field / Description

Type
    Entry type:
    • DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
    • LOCAL—Entry for the RoamAbout switch MAC address. Each VLAN has one local entry for the switch MAC address.
    • PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
    • STATIC—Entry does not age out but is removed after a reboot.
State
show dhcp-client

Displays DHCP client information for all VLANs.

Syntax
show dhcp-client

Parameters
None.

Defaults
None.

Mode
All.

Example
The following command displays DHCP client information:

RBT-8100# show dhcp-client
Interface: corpvlan(4)
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.1
DHCP Server: 10.3.1.4
DNS Servers: 10.3.1.29
DNS Domain Name: mycorp.
Table 7-2 Output for show dhcp-client (continued)

Output / What it displays...

Subnet Mask
    Network mask of the IP address received from the DHCP server.
Default Gateway
    Default router IP address received from the DHCP server. If the address is 0.0.0.0, the server did not provide an address.
DHCP Server
    IP address of the DHCP server.
DNS Servers
    DNS server IP address(es) received from the DHCP server.
DNS Domain Name
    Default DNS domain name received from the DHCP server.
show dhcp-server

Displays MSS DHCP server information.

Syntax
show dhcp-server [interface vlan-id] [verbose]

Parameters
interface vlan‐id
    Displays the IP addresses leased by the specified VLAN.
verbose
    Displays configuration and status information for the MSS DHCP server.

Defaults
None.

Mode
All.

Examples
The following command displays the addresses leased by the MSS DHCP server:

RBT-8100# show dhcp-server
VLAN Name           Address
---- -------------- --------------
1    default        10.10.20.2
1    default        10.10.20.
Lease Remaining: 12345 seconds
IP Address: 10.10.20.2
Subnet Mask: 255.255.255.0
Default Router: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.com

Table 7‐3 and Table 7‐4 describe the fields in these displays.

Table 7-3 Output for show dhcp-server

Output / What it displays...

VLAN
    VLAN number.
Name
    VLAN name.
Address
    IP address leased by the server.
MAC Address
    MAC address of the device that holds the lease for the address.
Table 7-4 Output for show dhcp-client verbose (continued)

Output / What it displays...

DNS Servers
    DNS server IP address(es) included in the DHCP Offer to the client.
DNS Domain Name
    Default DNS domain name included in the DHCP Offer to the client.
show interface

Displays the IP interfaces configured on the RoamAbout switch.

Syntax
show interface [vlan-id]

Parameters
vlan‐id
    VLAN name or number.

Defaults
If you do not specify a VLAN ID, interfaces for all VLANs are displayed.

Mode
All.

Usage
The IP interface table flags an address assigned by a DHCP server with an asterisk ( * ).
Table 7-5 Output for show interface (continued) Output What it displays...
show ip alias

Displays the IP aliases configured on the RoamAbout switch.

Syntax
show ip alias [ name ]

Parameters
name
    Alias string.

Defaults
If you do not specify an alias name, all aliases are displayed.

Mode
Enabled.

Example
The following command displays all the aliases configured on a RoamAbout switch:

RBT-8100# show ip alias
Name                 IP Address
-------------------- --------------------
HR1                  192.168.1.2
payroll              192.168.1.3
radius1              192.168.7.2

Table 7‐6 describes the fields in this display.
show ip dns

Displays the DNS servers the RoamAbout switch is configured to use.

Syntax
show ip dns

Parameters
None.

Defaults
None.

Mode
All.

Example
The following command displays the DNS information:

RBT-8100# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address        Type
-----------------------------------
10.1.1.1          PRIMARY
10.1.1.2          SECONDARY
10.1.2.1          SECONDARY

Table 7‐7 describes the fields in this display.

Table 7-7 Output for show ip dns

Output / What it displays...
• set ip dns on page 7‐30
• set ip dns domain on page 7‐31
• set ip dns server on page 7‐32
show ip https

Displays information about the HTTPS management port.

Syntax
show ip https

Parameters
None.

Defaults
None.

Mode
All.

Example
The following command shows the status and port number for the HTTPS management interface to the RoamAbout switch:

RBT-8100> show ip https
HTTPS is enabled
HTTPS is set to use port 443
Last 10 Connections:
IP Address Last Connected Time Ago (s)
---------------------------------- -----------
10.10.10.
Table 7-8 Output for show ip https (continued)

Output / What it displays...

Time Ago (s)
    Number of seconds since the device established the HTTPS connection to the switch.
show ip route

Displays the IP route table.

Syntax
show ip route [destination]

Parameters
destination
    Route destination IP address, in dotted decimal notation.

Defaults
None.

Mode
All.

Usage
When you add an IP interface to a VLAN that is up, MSS adds direct and local routes for the interface to the route table. If the VLAN is down, MSS does not add the routes.
Table 7-9 Output for show ip route

Output / What it displays...

Destination/Mask
    IP address and subnet mask of the route destination. The 244.0.0.0 route is automatically added by MSS and supports the IGMP snooping feature.
Proto
    Protocol that added the route to the IP route table. The protocol can be one of the following:
    • IP—MSS added the route.
    • Static—An administrator added the route.
Metric
    Cost for using the route.
NH-Type
    Next-hop type:
    • Local—Route is for a local interface.
show ip telnet

Displays information about the Telnet management port.

Syntax
show ip telnet

Parameters
None.

Defaults
None.

Mode
All.

Example
The following command shows the status and port number for the Telnet management interface to the RoamAbout switch:

RBT-8100> show ip telnet
Server Status     Port
----------------------------------
Enabled           23

Table 7‐10 describes the fields in this display.

Table 7-10 Output for show ip telnet

Output / What it displays...
show ntp

Displays NTP client information.

Syntax
show ntp

Parameters
None.

Defaults
None.

Mode
All.

Example
To display NTP information for a RoamAbout switch, type the following command:

RBT-8100> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Table 7-11 Output for show ntp (continued)

Output / What it displays...

Summertime
    Summertime period configured on the switch. MSS offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set.
    Note: This field is displayed only if you enable summertime.
Last NTP update
    Time when the switch received the most recent update from an NTP server.
NTP Server
    IP address of the NTP server.
show snmp configuration

This command is deprecated in MSS Version 4.0. Use the show snmp status command instead.

Shows SNMP settings on a RoamAbout switch.

Syntax
show snmp configuration

Parameters
None.

Defaults
None.

Mode
All.
ClientRoamingTraps                 YES
AutoTuneRadioPowerChangeTraps      YES
AutoTuneRadioChannelChangeTraps    YES
CounterMeasureStartTraps           YES
CounterMeasureStopTraps            YES
ClientDot1xFailureTraps            YES

Community Name    Community Access
--------------    ----------------
public            read-only
private           read-write

Table 7‐12 describes the fields in this display.

Table 7-12 Output for show snmp configuration

Output / What it displays...
show snmp community

Displays the configured SNMP community strings.

Syntax
show snmp community

Parameters
None.

Defaults
None.

Mode
Enabled.
show snmp counters

Displays SNMP statistics counters.

Syntax
show snmp counters

Parameters
None.

Defaults
None.

Mode
Enabled.
show snmp notify profile

Displays SNMP notification profiles.

Syntax
show snmp notify profile

Parameters
None.

Defaults
None.

Mode
Enabled.
show snmp notify target

Displays SNMP notification targets.

Syntax
show snmp notify target

Parameters
None.

Defaults
None.

Mode
Enabled.
show snmp status

Displays SNMP version and status information.

Syntax
show snmp status

Parameters
None.

Defaults
None.

Mode
Enabled.
show snmp usm

Displays information about SNMPv3 users.

Defaults
None.

Mode
Enabled.
show summertime

Shows a RoamAbout switch’s offset from its real‐time clock.

Syntax
show summertime

Parameters
None.

Defaults
There is no summertime offset by default.

Mode
All.

Example
To display the summertime setting on a RoamAbout switch, type the following command:

RBT-8100# show summertime
Summertime is enabled, and set to 'PDT'.
show timedate

Shows the date and time of day currently set on a RoamAbout switch’s real‐time clock.

Syntax
show timedate

Parameters
None.

Defaults
None.

Mode
All.
show timezone

Shows the time offset for the real‐time clock from UTC on a RoamAbout switch.

Syntax
show timezone

Parameters
None.

Defaults
None.

Mode
All.
telnet

Opens a Telnet client session with a remote device.

Syntax
telnet {ip-addr | hostname} [port port-num]

Parameters
ip‐addr
    IP address of the remote device.
hostname
    Hostname of the remote device.
port port‐num
    TCP port number on which the TCP server on the remote device listens for Telnet connections.

Defaults
MSS attempts to establish Telnet connections with TCP port 23 by default.

Mode
Enabled.
10 backbone 4094 web-aaa Up Up Up Up 5 21 22 none Up none Up 2 4094 Up 0

When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local RoamAbout switch prompt:

RBT-8100-remote> Session 0 pty tty2.d terminated tt name tty2.
traceroute

Traces the route to an IP host.

Syntax
traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]

Parameters
host
    IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.
dnf
    Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented.
no‐dns
    Prevents MSS from performing a DNS lookup for each hop to the destination host.
Example
The following example traces the route to host server1:

RBT-8100# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms

The first row of the display indicates the target host, the maximum number of hops, and the packet size.
8 AAA Commands

Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local RAS database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see Chapter 14, Security ACL Commands.)

This chapter presents AAA commands alphabetically.
clear accounting

Removes accounting services for specified wireless users with administrative access or network access.

Syntax
clear accounting {admin | dot1x | system} {user-glob}

Parameters
admin
    Users with administrative access to the RAS through a console connection or through a Telnet or Web View connection.
dot1x
    Users with network access through the RAS. Users with network access are authorized to use the network through either an IEEE 802.1X method or their media access control (MAC) address.
clear authentication admin

Removes an authentication rule for administrative access through Telnet or Web View.

Syntax
clear authentication admin user-glob

Parameters
user‐glob
    A single user or set of users. Specify a username, use the double‐asterisk wildcard character (**) to specify all usernames, or use the single‐asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.).
clear authentication console

Removes an authentication rule for administrative access through the Console.

Syntax
clear authentication console user-glob

Parameters
user‐glob
    A single user or set of users. Specify a username, use the double‐asterisk wildcard character (**) to specify all usernames, or use the single‐asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.).
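Before clearing or setting a rule, it helps to see which accounts a user-glob actually covers. The following Python matcher is an added example, not MSS code: it assumes a single asterisk matches any run of characters that contains no delimiter (@ or .), a double asterisk matches any run including delimiters, and matching is case-sensitive. The usernames are constructed and the function names are hypothetical.

```python
import re

# Constructed usernames for illustration only.
USERS = [
    "natasha@example.com",
    "temp1@example.com",
    "temp.user@example.com",
    "natasha",
]


def glob_to_regex(user_glob):
    """Translate a user-glob into a compiled regex under the stated assumptions."""
    parts = []
    i = 0
    while i < len(user_glob):
        if user_glob.startswith("**", i):
            parts.append(".*")        # assumption: '**' spans delimiters
            i += 2
        elif user_glob[i] == "*":
            parts.append("[^@.]*")    # assumption: '*' stops at '@' or '.'
            i += 1
        else:
            parts.append(re.escape(user_glob[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(user_glob, username):
    """True when the whole username is covered by the glob."""
    return glob_to_regex(user_glob).fullmatch(username) is not None


def covered_users(user_glob, usernames):
    """Return the usernames a rule with this glob would apply to."""
    return [u for u in usernames if matches(user_glob, u)]


if __name__ == "__main__":
    for glob in ("**", "*", "*@example.com", "*.*@example.com", "temp*@example.com"):
        print("%-20s -> %s" % (glob, covered_users(glob, USERS)))
```

A rule written with ** covers every account in the list, so reviewing the covered set before applying a clear or set command shows how far the change reaches.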
clear authentication dot1x

Removes an 802.1X authentication rule.

Syntax
clear authentication dot1x {ssid ssid-name | wired} user-glob

Parameters
ssid ssid‐name
    SSID name to which this authentication rule applies.
wired
    Clears a rule used for access over a RoamAbout switch’s wired‐authentication port.
user‐glob
    User‐glob associated with the rule you are removing.

Default
None.

Mode
Enabled.

Example
The following command removes 802.
clear authentication mac

Removes a MAC authentication rule.

Syntax
clear authentication mac {ssid ssid-name | wired} mac-addr-glob

Parameters
ssid ssid‐name
    SSID name to which this authentication rule applies.
wired
    Clears a rule used for access over a RoamAbout switch’s wired‐authentication port.
mac‐addr‐glob
    MAC address glob associated with the rule you are removing.

Default
None.

Mode
Enabled.
clear authentication proxy

Removes a proxy rule for third‐party AP users.

Syntax
clear authentication proxy ssid ssid-name user-glob

Parameters
ssid ssid‐name
    SSID name to which this authentication rule applies.
user‐glob
    User‐glob associated with the rule you are removing.

Default
None.

Mode
Enabled.
clear authentication web

Removes a WebAAA rule.

Syntax
clear authentication web {ssid ssid-name | wired} user-glob

Parameters
ssid ssid‐name
    SSID name to which this authentication rule applies.
wired
    Clears a rule used for access over a RoamAbout switch’s wired‐authentication port.
user‐glob
    User‐glob associated with the rule you are removing.

Default
None.

Mode
Enabled.

Example
The following command removes WebAAA for SSID research and userglob temp*@thiscorp.
clear location policy

Removes a rule from the location policy on a RAS.

Syntax
clear location policy rule-number

Parameters
rule‐number
    Index number of a location policy rule to remove from the location policy.

Default
None.

Mode
Enabled.

Usage
To determine the index numbers of location policy rules, use the show location policy command. Removing all the ACEs from the location policy disables this function on the RAS.
clear mac-user

Removes a user profile from the local database on the RAS, for a user who is authenticated by a MAC address. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear mac-user mac-addr

Parameters
mac‐addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

Default
None.

Mode
Enabled.
clear mac-user attr

Removes an authorization attribute from the user profile in the local database on the RAS, for a user who is authenticated by a MAC address. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear mac-user mac-addr attr attribute-name

Parameters
mac‐addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
clear mac-user group

Removes a user profile from a MAC user group in the local database on the RAS, for a user who is authenticated by a MAC address. (To remove a MAC user group profile in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear mac-user mac-addr group

Parameters
mac‐addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.

Default
None.

Mode
Enabled.
clear mac-usergroup

Removes a user group from the local database on the RAS, for a group of users who are authenticated by a MAC address. (To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear mac-usergroup group-name

Parameters
group‐name
    Name of an existing MAC user group.

Default
None.

Mode
Enabled.

Usage
To remove a user from a MAC user group, use the clear mac‐user group command.
clear mac-usergroup attr

Removes an authorization attribute from a MAC user group in the local database on the RAS, for a group of users who are authenticated by a MAC address. (To unconfigure an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear mac-usergroup group-name attr attribute-name

Parameters
group‐name
    Name of an existing MAC user group.
clear mobility-profile

Removes a Mobility Profile entirely.

Syntax
clear mobility-profile name

Parameters
name
    Name of an existing Mobility Profile.

Default
None.

Mode
Enabled.

Example
The following command removes the Mobility Profile for user Nin:

RBT-8100# clear mobility-profile Nin
success: change accepted.
clear user

Removes a user profile from the local database on the RAS, for a user with a password. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear user username

Parameters
username
    Username of a user with a password.

Default
None.

Mode
Enabled.

Usage
Deleting the user’s profile from the database deletes the assignment of any attributes in the profile to the user.
clear user attr

Removes an authorization attribute from the user profile in the local database on the RAS, for a user with a password. (To remove an authorization attribute from a RADIUS user profile, see the documentation for your RADIUS server.)

Syntax
clear user username attr attribute-name

Parameters
username
    Username of a user with a password.
attribute‐name
    Name of an attribute used to authorize the user for a particular service or session characteristic.
clear user group

Removes a user with a password from membership in a user group in the local database on the RAS. (To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear user username group

Parameters
username
    Username of a user with a password.

Default
None.

Mode
Enabled.

Usage
Removing the user from the group removes the group name from the user’s profile, but does not delete either the user or the user group from the local RAS database.
clear usergroup

Removes a user group and its attributes from the local database on the RAS, for users with passwords. (To delete a user group in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear usergroup group-name

Parameters
group‐name
    Name of an existing user group.

Default
None.

Mode
Enabled.

Usage
Removing a user group from the local RAS database does not remove the user profiles of the group’s members from the database.
clear usergroup attr

Removes an authorization attribute from a user group in the local database on the RAS. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)

Syntax
clear usergroup group-name attr attribute-name

Parameters
group‐name
    Name of an existing user group.
attribute‐name
    Name of an attribute used to authorize all the users in the group for a particular service or session characteristic.
set accounting {admin | console}

Sets up accounting services for specified wireless users with administrative access, and defines the accounting records and where they are sent.

Syntax
set accounting {admin | console} {user-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]

Parameters
admin
    Users with administrative access to the RAS through Telnet or Web View.
console
    Users with administrative access to the RAS through a console connection.
Example The following command issues start‐and‐stop accounting records at the local RAS database for administrator Natasha, when she accesses the switch using Telnet or Web View: RBT-8100# set accounting admin Natasha start-stop local success: change accepted.
set accounting {dot1x | mac | web | last-resort}

Sets up accounting services for specified wireless users with network access, and defines the accounting records and where they are sent.

Syntax: set accounting {dot1x | mac | web} {ssid ssid-name | wired} {user-glob | mac-addr-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]

Parameters:
dot1x: Users with network access through the RoamAbout Switch who are authenticated by 802.1X.
method1 method2 method3 method4: At least one of up to four methods that MSS uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, MSS tries the second method, and so on. A method can be one of the following:
• local—Stores accounting records in the local database on the RAS. When the local accounting storage space is full, MSS overwrites older records with new ones.
set accounting system

Configures MSS to send Accounting-On and Accounting-Off messages to a specified RADIUS server group.

Syntax: set accounting system method1 [method2] [method3] [method4]

Parameters:
method1 method2 method3: At least one of up to four methods that MSS uses to process accounting records. Specify one or more methods in priority order. If the first method does not succeed, MSS tries the second method, and so on.

Note: The local method is not valid for this command.
set authentication admin

Configures authentication and defines where it is performed for specified users with administrative access through Telnet or Web View.

Syntax: set authentication admin user-glob method1 [method2] [method3] [method4]

Parameters:
user-glob: Single user or set of users with administrative access over the network through Telnet or Web View.

Usage: You can configure different authentication methods for different groups of users. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-3.) If you specify multiple authentication methods in the set authentication console command, MSS applies them in the order in which they appear in the command, with these results:
• If the first method responds with pass or fail, the evaluation is final.
• If the first method does not respond, MSS tries the second method, and so on.
set authentication console

Configures authentication and defines where it is performed for specified users with administrative access through a console connection.

Syntax: set authentication console user-glob method1 [method2] [method3] [method4]

Parameters:
user-glob: Single user or set of users with administrative access through the switch’s console.

Note: The syntax descriptions for the set authentication commands have been separated for clarity. However, the options and behavior for the set authentication console command are the same as in previous releases.

Usage: You can configure different authentication methods for different groups of users. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 1-3.
set authentication dot1x

Configures authentication and defines how and where it is performed for specified wireless or wired authentication clients who use an IEEE 802.1X authentication protocol to access the network through the RAS.

Syntax: set authentication dot1x {ssid ssid-name | wired} user-glob [bonded] protocol method1 [method2] [method3] [method4]

Parameters:
ssid ssid-name: SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
protocol: Protocol used for authentication. Specify one of the following:
• eap-md5—Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients:
  – Uses challenge-response to compare hashes
  – Provides no encryption or integrity checking for the connection
  Note: The eap-md5 option does not work with Microsoft wired authentication clients.

Default: By default, authentication is unconfigured for all clients with network access through AP ports or wired authentication ports on the RAS. Connection, authorization, and accounting are also disabled for these users. Bonded authentication is disabled by default.
Mode: Enabled.

Usage: You can configure different authentication methods for different groups of users by “globbing.” (For details, see “User Globs” on page 1-3.
Related Commands:
• clear authentication dot1x on page 8-6
• set authentication admin on page 8-27
• set authentication console on page 8-29
• set authentication mac on page 8-35
• set authentication web on page 8-38
• set service-profile auth-fallthru on page 11-82
• show aaa on page 8-62
set authentication mac

Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address.

Syntax: set authentication mac {ssid ssid-name | wired} mac-addr-glob method1 [method2] [method3] [method4]

Parameters:
ssid ssid-name: SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.

• However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local RAS database and sends an authentication request to the RADIUS server group.

If the switch’s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user’s MAC address, MSS uses the method specified by the command. Otherwise, MSS uses local MAC authentication by default.
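The method-order rules this chapter gives for the set authentication commands (a pass or fail from a method is final, no response moves on to the next method, and a failed local search is passed on when local is listed first) can be modelled as below. This is an added example, not code from Enterasys or MSS; the server group name sg1, the sample accounts, and the deny result when no method gives a final answer are assumptions.

```python
"""Model of how MSS walks the method list of a 'set authentication' rule."""
from enum import Enum


class Outcome(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no response"


def local_db(users):
    """The 'local' method: look the user up in the switch's local database."""
    def check(username, password):
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return check


def radius_group(users, reachable=True):
    """A RADIUS server group; an unreachable group never answers."""
    def check(username, password):
        if not reachable:
            return Outcome.NO_RESPONSE
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return check


def evaluate(methods, backends, username, password):
    """Return (final outcome, trace of (method, outcome) pairs consulted)."""
    trace = []
    for position, name in enumerate(methods):
        outcome = backends[name](username, password)
        trace.append((name, outcome))
        if outcome is Outcome.NO_RESPONSE:
            continue                      # no answer: try the next method
        # Local listed first and followed by another method: a failed local
        # search is ignored and the request goes on to the server group.
        if (outcome is Outcome.FAIL and name == "local" and position == 0
                and len(methods) > 1):
            continue
        return outcome, trace             # pass or fail is final
    # Assumption: nothing produced a final answer, so access is denied.
    return Outcome.FAIL, trace


# Constructed sample data: "sg1" is a hypothetical server group name, and the
# local database still holds an old password that RADIUS no longer accepts.
LOCAL_USERS = {"natasha": "old-local-pw"}
RADIUS_USERS = {"natasha": "current-pw"}


def run(methods, radius_up, password):
    """Evaluate one login for user natasha against the sample backends."""
    backends = {
        "local": local_db(LOCAL_USERS),
        "sg1": radius_group(RADIUS_USERS, reachable=radius_up),
    }
    return evaluate(methods, backends, "natasha", password)


if __name__ == "__main__":
    cases = [
        (["sg1", "local"], True, "old-local-pw"),
        (["sg1", "local"], False, "old-local-pw"),
        (["local", "sg1"], True, "current-pw"),
        (["local", "sg1"], True, "old-local-pw"),
    ]
    for methods, radius_up, password in cases:
        outcome, trace = run(methods, radius_up, password)
        steps = ", ".join(f"{m}={o.value}" for m, o in trace)
        print(f"{' '.join(methods):10} radius_up={radius_up!s:5} "
              f"{password:13} -> {outcome.value} ({steps})")
```

The last case shows why stale local accounts matter when local is listed first: the local pass is final and the RADIUS group is never asked.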
set authentication proxy

Configures a proxy authentication rule for a third-party AP’s wireless users.

Syntax: set authentication proxy ssid ssid-name user-glob radius-server-group

Parameters:
ssid ssid-name: SSID name to which this authentication rule applies.
user-glob: A single user or a set of users.

set authentication web

Configures an authentication rule to allow a user to log in to the network using a web page served by the RoamAbout switch. The rule can be activated if the user is not otherwise granted or denied access by 802.1X, or granted access by MAC authentication.

Syntax: set authentication web {ssid ssid-name | wired} user-glob method1 [method2] [method3] [method4]

Parameters:
user-glob: A single user or a set of users.
You can configure a rule either for wireless access to an SSID, or for wired access through a RoamAbout switch’s wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.
set location policy Creates and enables a location policy on a RAS. A location policy enables you to locally set or change authorization attributes for a user after the user is authorized by AAA, without making changes to the AAA server.
vlan operator vlan-glob: VLAN-Name attribute assigned by AAA and condition by which to determine if the location policy rule applies. Replace operator with one of the following operands:
• eq—Applies the location policy rule to all users assigned VLAN names matching vlan-glob.
• neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-glob.

The order of rules in the location policy is important to ensure users are properly granted or denied access. To position rules within the location policy, use before rule-number and modify rule-number in the set location policy command, and the clear location policy rule-number command.

When applying security ACLs:
• Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.
set mac-user

Configures a user profile in the local database on the RAS for a user who can be authenticated by a MAC address, and optionally adds the user to a MAC user group. (To configure a MAC user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax: set mac-user mac-addr [group group-name]

Parameters:
mac-addr: MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
group-name: Name of an existing MAC user group.

Default: None.
Mode: Enabled.

set mac-user attr

Assigns an authorization attribute in the local database on the RAS to a user who is authenticated by a MAC address. (To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)

Syntax: set mac-user mac-addr attr attribute-name value

Parameters:
mac-addr: MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Table 8-1 Authentication Attributes for Local Users

Attribute: encryption-type
Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
Valid Value(s): One of the following numbers that identifies an encryption algorithm:
Note: Encryption-Type is an Enterasys Networks vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 3.

Attribute: mobility-profile (network access mode only)
Description: Mobility Profile attribute for the user. (For more information, see set mobility-profile on page 8-52.)
Valid Value(s): Name of an existing Mobility Profile, which can be up to 32 alphanumeric characters, with no tabs or spaces.
Note: Mobility-Profile is an Enterasys Networks vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 2.

Attribute: service-type

Attribute: start-date
Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
Valid Value(s): Date and time, in the following format:

Attribute: url (network access mode only)
Description: URL to which the user is redirected after successful WebAAA.
Valid Value(s): Web URL, in standard format. For example: http://www.example.com
Note: You must include the http:// portion.
success: change accepted.
set mac-usergroup attr

Creates a user group in the local database on the RAS for users who are authenticated by a MAC address, and assigns authorization attributes for the group. (To configure a user group and assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)

Syntax: set mac-usergroup group-name attr attribute-name value

Parameters:
group-name: Name of a MAC user group. Specify a name of up to 32 alphanumeric characters, with no spaces.
Related Commands:
• clear mac-usergroup attr on page 8-15
• show aaa on page 8-62
set mobility-profile

Creates a Mobility Profile and specifies the access point and/or wired authentication ports on the RoamAbout switch through which any user assigned to the profile is allowed access.

Syntax: set mobility-profile name name {port {none | all | port-list}} | {dap {none | all | dap-num}}

Parameters:
name: Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with no spaces.

To change the ports in a profile, use set mobility-profile again with the updated port list.

Example: The following commands create the Mobility Profile magnolia, which restricts user access to port 12; enable the Mobility Profile feature on the RoamAbout switch; and assign the magnolia Mobility Profile to user Jose.

    RBT-8100# set mobility-profile name magnolia port 12
    success: change accepted.
    RBT-8100# set mobility-profile mode enable
    success: change accepted.

set mobility-profile mode

Enables or disables the Mobility Profile feature on the RoamAbout switch.

Caution: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local RoamAbout switch database or RADIUS server when no Mobility Profile of that name exists on the RoamAbout switch.

Syntax: set mobility-profile mode {enable | disable}

Parameters:
enable: Enables the use of the Mobility Profile feature on the RoamAbout switch.
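The caution above can be checked before the feature is enabled by scanning the local-database set commands for Mobility-Profile attributes that name a profile the switch does not define. This is an added example, not Enterasys code: the sample configuration is constructed, the names Natasha, Tamara, lobby and atrium are made up, a configuration with no mode command is treated as disabled (an assumption), and attributes assigned by a RADIUS server are outside what it can see.

```python
"""Find Mobility-Profile attributes that name a profile the switch lacks."""

# Constructed sample configuration, written with the 'set' command syntax from
# this chapter. User, group and profile names other than magnolia and Jose
# are made up for the example.
SAMPLE_CONFIG = """\
set mobility-profile name magnolia port 12
set mobility-profile mode enable
set user Jose attr mobility-profile magnolia
set user Natasha attr mobility-profile lobby
set usergroup eastcoasters attr mobility-profile atrium
set user Tamara group eastcoasters
set mac-user 01:02:03:04:05:06 attr mobility-profile magnolia
"""

# Maps a member command to the kind of group it joins.
GROUP_KIND = {"user": "usergroup", "mac-user": "mac-usergroup"}
PRINCIPALS = ("user", "usergroup", "mac-user", "mac-usergroup")


def parse_config(text):
    """Collect profiles, the feature mode, attribute references and members."""
    # Assumption: with no 'mode' command present the feature counts as disabled.
    cfg = {"profiles": set(), "mode_enabled": False, "refs": [], "members": {}}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "mobility-profile" and tok[2] == "name":
            cfg["profiles"].add(tok[3])
        elif tok[1] == "mobility-profile" and tok[2] == "mode":
            cfg["mode_enabled"] = tok[3] == "enable"
        elif (tok[1] in PRINCIPALS and len(tok) >= 6 and tok[3] == "attr"
              and tok[4].lower() == "mobility-profile"):
            cfg["refs"].append((tok[1], tok[2], tok[5]))
        elif tok[1] in GROUP_KIND and len(tok) >= 5 and tok[3] == "group":
            key = (GROUP_KIND[tok[1]], tok[4])
            cfg["members"].setdefault(key, []).append(tok[2])
    return cfg


def find_dangling(text):
    """Return one finding per attribute that names an undefined profile."""
    cfg = parse_config(text)
    findings = []
    for kind, name, profile in cfg["refs"]:
        if profile in cfg["profiles"]:
            continue
        if kind in GROUP_KIND.values():
            # A group attribute applies to every member of the group.
            affected = sorted(cfg["members"].get((kind, name), []))
        else:
            affected = [name]
        findings.append({
            "kind": kind, "name": name, "profile": profile,
            "affected": affected,
            # Access is denied only while the feature is enabled.
            "denied_now": cfg["mode_enabled"],
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_CONFIG):
        state = "DENIED" if f["denied_now"] else "denied once mode is enabled"
        who = ", ".join(f["affected"]) or "no members"
        print(f"{f['kind']} {f['name']}: profile '{f['profile']}' is not "
              f"defined; {state}; affects {who}")
```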
set user

Configures a user profile in the local database on the RAS for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax: set user username password [encrypted] string

Parameters:
username: Username of a user with a password.
password string: Password of up to 32 alphanumeric characters, with no spaces.
encrypted: Indicates that the password string you entered is already in its encrypted form.
Related Commands:
• clear user on page 8-17
• show aaa on page 8-62
set user attr

Configures an authorization attribute in the local database on the RAS for a user with a password. (To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)

Syntax: set user username attr attribute-name value

Parameters:
username: Username of a user with a password.
attribute-name value: Name and value of an attribute you are using to authorize the user for a particular service or session characteristic.

set user group

Adds a user to a user group. The user must have a password and a profile that exists in the local database on the RAS. (To configure a user in RADIUS, see the documentation for your RADIUS server.)

Syntax: set user username group group-name

Parameters:
username: Username of a user with a password.
group-name: Name of an existing user group for password users.

Default: None.
Mode: Enabled.

Usage: MSS does not require users to belong to user groups.

set usergroup

Creates a user group in the local database on the RAS for users and assigns authorization attributes for the group. (To create user groups and assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)

Syntax: set usergroup group-name attr attribute-name value

Parameters:
group-name: Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.
Related Commands:
• clear usergroup on page 8-20
• clear usergroup attr on page 8-21
• show aaa on page 8-62
set web-portal

Globally enables or disables WebAAA on a RoamAbout switch.

Syntax: set web-portal {enable | disable}

Parameters:
enable: Enables WebAAA on the switch.
disable: Disables WebAAA on the switch.

Default: Enabled.
Mode: Enabled.

Usage: This command disables or reenables support for WebAAA. However, WebAAA has additional configuration requirements. For information, see the “Configuring AAA for Network Users” chapter in the RoamAbout Mobility System Software Configuration Guide.
show aaa

Displays all current AAA settings.

Syntax: show aaa

Parameters: None.
Default: None.
Mode: Enabled.

Example: To display all current AAA settings, type the following command:

    RBT-8100# show aaa
    Default Values
    authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
    Radius Servers
    Server Addr Ports T/o Tries Dead State
    -------------------------------------------------------------------
    rs-3 198.162.1.1 1821 1813 5 3 0 UP
    rs-4 198.168.1.

    Filter-Id = acl-999.in
    Filter-Id = acl-999.out
    user last-resort-guestssid
    Vlan-Name = k2
    user last-resort-any
    Vlan-Name = foo
    mac-user 01:02:03:04:05:06
    usergroup eastcoasters
    session-timeout = 99

Table 8-2 describes the fields that can appear in show aaa output.

Table 8-2 show aaa Output

Output: What it displays...
Default Values: RADIUS default values for all parameters.
authport: UDP port on the RAS for transmission of RADIUS authorization and authentication messages. The default port is 1812.
Server groups: Names of RADIUS server groups and member servers configured on the RAS.
Web Portal: State of the WebAAA feature:
• enabled
• disabled
set commands: List of commands used to configure AAA on the RAS.
user and user group profiles: List of user and user group profiles stored in the local database on the RAS.
show accounting statistics

Displays the AAA accounting records for wireless users. The records are stored in the local database on the RAS. (To display RADIUS accounting records, see the documentation for your RADIUS server.)

Syntax: show accounting statistics

Parameters: None.
Default: None.
Mode: Enabled.

    Event-Timestamp=1134520793
    AAA_ACCT_SVC_ATTR=2
    AAA_VLAN_NAME_ATTR=default
    Calling-Station-Id=00-06-25-12-06-38
    Nas-Port-Id=3/1
    Called-Station-Id=00-0B-0E-00-CC-01
    AAA_SSID_ATTR=vineet-dot1x

Table 8-3 describes the fields that can appear in show accounting statistics output.

Table 8-3 show accounting statistics Output

Output: What it displays...
Date and time: Date and time of the accounting record.
Related Commands:
• clear accounting on page 8-3
• set accounting {admin | console} on page 8-22
• show aaa on page 8-62
show location policy

Displays the list of location policy rules that make up the location policy on a RAS.

Syntax: show location policy

Parameters: None.
Default: None.
Mode: Enabled.

Example: The following command displays the list of location policy rules in the location policy on a RAS:

    RBT-8100 show location policy
    Id Clauses
    ----------------------------------------------------------------
    1) deny if user eq *.theirfirm.com
    2) permit vlan guest_1 if vlan neq *.wodefirm.com
    3) permit vlan bld4.

show mobility-profile

Displays the named Mobility Profile. If you do not specify a Mobility Profile name, this command shows all Mobility Profile names and port lists on the RoamAbout switch.

Syntax: show mobility-profile [name]

Parameters:
name: Name of an existing Mobility Profile.

Default: None.
Mode: Enabled.
9 Mobility Domain Commands

Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of RoamAbout switch access points working together to support a roaming user (client). One RoamAbout switch acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members.

Note: Enterasys Networks recommends that you run the same MSS version on all the RoamAbout switches in a Mobility Domain.

clear domain security

Disables RoamAbout Switch to RoamAbout Switch security.

Syntax: clear domain security

Default: None.
Mode: Enabled.

Usage: This command is equivalent to the set domain security none command.

Example: The following command disables RoamAbout Switch to RoamAbout Switch security on a RoamAbout Switch:

    RBT-8100# clear domain security
    success: change accepted.
clear mobility-domain

Clears all Mobility Domain configuration and information from a RoamAbout switch, regardless of whether the RoamAbout switch is a seed or a member of a Mobility Domain.

Syntax: clear mobility-domain

Parameters: None.
Default: None.
Mode: Enabled.

Usage: This command has no effect if the RoamAbout switch is not configured as part of a Mobility Domain.

clear mobility-domain member

On the seed RoamAbout switch, removes the identified member from the Mobility Domain.

Syntax: clear mobility-domain member ip-addr

Parameters:
ip-addr: IP address of the Mobility Domain member, in dotted decimal notation.

Default: None.
Mode: Enabled.

Usage: This command has no effect if the RoamAbout switch member is not configured as part of a Mobility Domain or the current RoamAbout switch is not the seed.
set domain security

Enables RoamAbout Switch to RoamAbout Switch security in the RoamAbout Switch’s Mobility Domain.

Syntax: set domain security {none | required}

Parameters:
none: RoamAbout Switch to RoamAbout Switch security is disabled.
required: RoamAbout Switch to RoamAbout Switch security is enabled.

Default: The default is none. (RoamAbout Switch to RoamAbout Switch security is disabled.)
Mode: Enabled.

set mobility-domain member

On the seed RoamAbout switch, adds a member to the list of Mobility Domain members. If the current RoamAbout switch is not configured as a seed, this command is rejected.

Syntax: set mobility-domain member ip-addr key hex-bytes

Parameters:
ip-addr: IP address of the Mobility Domain member in dotted decimal notation.
key hex-bytes: Fingerprint of the public key to use for RoamAbout switch security. Specify the key as 16 hexadecimal bytes.
set mobility-domain mode member seed-ip

On a nonseed RoamAbout switch, sets the IP address of the seed RoamAbout switch. This command is used on a member RoamAbout switch to configure it as a member. If the RoamAbout switch is currently part of another Mobility Domain or using another seed, this command overwrites that configuration.

Syntax: set mobility-domain mode member seed-ip ip-addr key hex-bytes

Parameters:
ip-addr: IP address of the Mobility Domain member, in dotted decimal notation.

set mobility-domain mode seed domain-name

Creates a Mobility Domain by setting the current RoamAbout switch as the seed device and naming the Mobility Domain.

Syntax: set mobility-domain mode seed domain-name mob-domain-name

Parameters:
mob-domain-name: Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.

Default: None.
Mode: Enabled.

Usage: Before you use this command, the current RoamAbout switch must have its IP address set with the set system ip-address command.
show mobility-domain config

Displays the configuration of the Mobility Domain.

Syntax: show mobility-domain config

Parameters: None.
Default: None.
Mode: Enabled.

Example: The following command displays the Mobility Domain configuration:

    RBT-8100# show mobility-domain config
    This switch is a member, with seed 192.168.14.

show mobility-domain

On the seed RoamAbout switch, displays the Mobility Domain status and members.

Syntax: show mobility-domain

Parameters: None.
Default: None.
Mode: Enabled.

Example: To display Mobility Domain status, type the following command:

    RBT-8100# show mobility-domain
    Mobility Domain name: Pleasanton
    Member State
    ---------------------------
    192.168.253.11 STATE_UP
    192.168.253.12 STATE_DOWN
    192.168.253.
10 Network Domain Commands

Use Network Domain commands to configure and manage Network Domain groups. A Network Domain is a group of geographically dispersed Mobility Domains that share information among themselves over a WAN link. This shared information allows a user configured on a RoamAbout Switch in one Mobility Domain to establish connectivity on a RoamAbout Switch in another Mobility Domain elsewhere in the same Network Domain.

clear network-domain

Clears all Network Domain configuration and information from a RoamAbout Switch, regardless of whether the RoamAbout Switch is a seed or a member of a Network Domain.

Syntax: clear network-domain

Defaults: None.
Mode: Enabled.

Usage: This command has no effect if the RoamAbout Switch is not configured as part of a Network Domain.

clear network-domain mode

Removes the Network Domain seed or member configuration from the RoamAbout Switch.

Syntax: clear network-domain mode {seed | member}

Parameters:
seed: Clears the Network Domain seed configuration from the RoamAbout Switch.
member: Clears the Network Domain member configuration from the RoamAbout Switch.

Defaults: None.
Mode: Enabled.

Usage: This command has no effect if the RoamAbout Switch is not configured as part of a Network Domain.
clear network-domain peer

Removes the configuration of a Network Domain peer from a RoamAbout Switch configured as a Network Domain seed.

Syntax: clear network-domain peer {ip-addr | all}

Parameters:
ip-addr: IP address of the Network Domain peer in dotted decimal notation.
all: Clears the Network Domain peer configuration for all peers from the RoamAbout Switch.

Defaults: None.
Mode: Enabled.

Usage: This command has no effect if the RoamAbout Switch is not configured as a Network Domain seed.

clear network-domain seed-ip

Removes the specified Network Domain seed from the RoamAbout Switch’s configuration. When you enter this command, the Network Domain TCP connections between the RoamAbout Switch and the specified Network Domain seed are closed.

Syntax: clear network-domain seed-ip ip-addr

Parameters:
ip-addr: IP address of the Network Domain seed in dotted decimal notation.

Defaults: None.
Mode: Enabled.
set network-domain mode member seed-ip

Sets the IP address of a Network Domain seed. This command is used for configuring a RoamAbout Switch as a member of a Network Domain. You can specify multiple Network Domain seeds and configure one as the primary seed.

Syntax: set network-domain mode member seed-ip ip-addr [affinity num]

Parameters:
ip-addr: IP address of the Network Domain seed, in dotted decimal notation.
num: Preference for using the specified Network Domain seed.

set network-domain peer

On a Network Domain seed, configures one or more RoamAbout Switches as redundant Network Domain seeds. The seeds in a Network Domain share information about the VLANs configured on the member devices, so that all the Network Domain seeds have the same database of VLAN information.

Syntax: set network-domain peer ip-addr

Parameters:
ip-addr: IP address of the Network Domain seed to specify as a peer, in dotted decimal notation.

Defaults: None.
Mode: Enabled.

set network-domain mode seed domain-name

Creates a Network Domain by setting the current RoamAbout Switch as a seed device and naming the Network Domain.

Syntax: set network-domain mode seed domain-name net-domain-name

Parameters:
net-domain-name: Name of the Network Domain. Specify between 1 and 16 characters with no spaces.

Defaults: None.
Mode: Enabled.

Usage: Before you use this command, the current RoamAbout Switch must have its IP address set with the set system ip-address command.
show network-domain

Displays the status of Network Domain seeds and members.

Syntax: show network-domain

Defaults: None.
Mode: Enabled.

Examples: To display Network Domain status, type the following command. The output of the command differs based on whether the RoamAbout Switch is a member of a Network Domain or a Network Domain seed.

Table 10-1 show network-domain Output

Field: Description
Output if RBT is the Network Domain seed:
Network Domain name: Name of the Network Domain for which the RoamAbout Switch is a seed.
Peer: IP addresses of the other seeds in the Network Domain.
11 Access Point Commands

Use access point commands to configure and manage access points. Be sure to do the following before using the commands:
• Define the country-specific IEEE 802.11 regulations on the RoamAbout switch. (Refer to set system countrycode on page 3-16.)
• Install the access point and connect it to a port on the RoamAbout switch. (Refer to the RoamAbout Wireless Switch Installation Guide specific to your wireless switch.
clear {ap | dap} radio

Disables an access point radio and resets it to its factory default settings.

Syntax: clear {ap port-list | dap dap-num} radio {1 | 2 | all}

Parameters:
ap port-list: List of ports connected to the access point(s) on which to reset a radio.
dap dap-num: Number of a Distributed access point on which to reset a radio.
radio 1: Radio 1 of the access point.
radio 2: Radio 2 of the access point. (This option does not apply to single-radio models.

Usage: When you clear a radio, MSS performs the following actions:
• Clears the transmit power, channel, and external antenna setting from the radio.
• Removes the radio from its radio profile and places the radio in the default radio profile.

This command does not affect the PoE setting.
clear dap boot-configuration

Removes the static IP address configuration for a Distributed AP.

Syntax: clear dap boot-configuration dap-num

Parameters:
dap dap-num: Number of the Distributed AP for which you are clearing static IP information.

Defaults: None.
Mode: Enabled.

Usage: When the static IP configuration is cleared for a Distributed AP, the next time the Distributed AP is rebooted, it uses the standard boot process.

clear radio-profile

Removes a radio profile or resets one of the profile’s parameters to its default value.

Syntax: clear radio-profile name [parameter]

Parameters:
name: Radio profile name.
parameter: Radio profile parameter:
• beacon-interval
• dtim-interval
• countermeasures
• frag-threshold
• max-rx-lifetime
• max-tx-lifetime
• preamble-length
• rts-threshold
• service-profile
(For information about these parameters, see the set radio-profile commands that use them.

The following commands disable the radios that are using radio profile rptest and remove the profile:

    RBT-8100# set radio-profile rptest mode disable
    RBT-8100# clear radio-profile rptest
    success: change accepted.
clear service-profile

Removes a service profile or resets one of the profile’s parameters to its default value.

Syntax: clear service-profile name [soda {agent-directory | failure-page | remediation-acl | success-page | logoutpage}]

Parameters:
name: Service profile name.
soda agent-directory: Resets the directory for Sygate On-Demand (SODA) agent files to the default directory. By default, the directory name for SODA agent files is the same as the service profile name.
Related Commands:
• clear radio-profile on page 11-8
• set radio-profile mode on page 11-63
• show service-profile on page 11-160
reset {ap | dap}

Restarts an access point.

Syntax: reset {ap port-list | dap dap-num}

Parameters:
ap port-list: List of ports connected to the access points to restart.
dap dap-num: Number of a Distributed access point to reset.

Defaults: None.
Mode: Enabled.

Usage: When you enter this command, the access point drops all sessions and reboots.

Caution: Restarting an access point can cause data loss for users who are currently associated with the access point.

set dap auto

Creates a profile for automatic configuration of Distributed access points.

Syntax: set dap auto

Defaults: None.
Mode: Enabled.

Usage: Table 11-2 lists the configurable profile parameters and their defaults. The only parameter that requires configuration is the profile mode. The profile is disabled by default. To use the profile to configure Distributed access points, you must enable the profile using the set dap auto mode enable command. The profile uses the default radio profile by default.

Example: The following command creates a profile for automatic Distributed access points configuration:

    RBT-8100# set dap auto
    success: change accepted.
set dap auto mode

Enables a RoamAbout switch’s profile for automatic Distributed access point configuration.

Syntax: set dap auto mode {enable | disable}

Parameters:
enable: Enables the access point configuration profile.
disable: Disables the access point configuration profile.

Defaults: The access point configuration profile is disabled by default.
Mode: Enabled.

Usage: You must use the set dap auto command to create the profile before you can enable it.

set dap auto persistent

Converts a temporary AP configuration created by the AP configuration profile into a persistent AP configuration on the RoamAbout Switch.

Syntax: set dap auto persistent [dap-num | all]

Parameters:
dap-num: Converts the configuration of the Distributed AP that has the specified connection number into a permanent configuration.
all: Converts the configurations of all Auto-APs being managed by the switch into permanent configurations.

Defaults: None.
Mode: Enabled.

set dap auto radiotype

Sets the radio type for single-access point radios that use the access point configuration profile.

Syntax: set dap auto [radiotype {11a | 11b | 11g}]

Parameters:
radiotype 11a | 11b | 11g: Radio type:
• 11a—802.11a
• 11b—802.11b
• 11g—802.11g

Defaults: The default radio type for model AP3000 is 802.11g.

Usage: If you set the radiotype to 11a and the AP configuration profile is used to configure a two-radio AP model, radio 1 is configured as an 802.
set {ap | dap} bias Changes the bias for an access point. Bias is the priority of one RoamAbout switch over other RoamAbout switches for booting and configuring the access point. Syntax set {ap port-list | dap {dap-num | auto}} bias {high | low} Parameters ap port‐list List of ports on which to change the bias for directly connected access points. dap dap‐num Number of a Distributed access point for which to change the bias. dap auto Configures bias for the access point configuration profile.
set {ap | dap} blink Enables or disables LED blink mode on an access point to make it easy to identify. When blink mode is enabled on AP‐xxx models, the health and radio LEDs alternately blink green and amber. Syntax set {ap port-list | dap {dap-num | auto}} blink {enable | disable} Parameters ap port‐list List of ports connected to the access points on which to turn blink mode on or off. dap dap‐num Number of a Distributed access point on which to turn blink mode on or off.
set dap boot-ip Specifies static IP address information for a Distributed AP. Syntax set dap dap-num boot-ip ip ip-addr netmask mask-addr gateway gateway-addr [mode {enable | disable}] set dap dap-num boot-ip mode {enable | disable} Parameters dap dap‐num Number of the Distributed AP for which you are specifying static IP information. ip ip‐addr The IP address to be assigned to the AP, in dotted decimal notation (for example, 10.10.10.10).
Related Commands • clear dap boot‐configuration on page 11‐7 • set dap boot‐switch on page 11‐22 • set dap boot‐vlan on page 11‐24 • show dap boot‐configuration on page 11‐149
set dap boot-switch Specifies the RoamAbout Switch a Distributed AP contacts and attempts to use as its boot device. Syntax set dap dap-num boot-switch [switch-ip ip-addr] [name name dns ip-addr] [mode {enable | disable}] Parameters dap dap‐num Number of the Distributed AP for which you are specifying static IP information. switch‐ip ip‐addr The IP address of the RoamAbout Switch the Distributed AP should boot from.
The following command configures Distributed AP 1 to use the RoamAbout Switch with the name ras2 as its boot device. The DNS server at 172.16.0.1 is used to resolve the name of the RoamAbout Switch.
RBT-8100# set dap 1 boot-switch name ras2 dns 172.16.0.1 mode enable
success: change accepted.
set dap boot-vlan Specifies 802.1Q VLAN tagging information for a Distributed AP. Syntax set dap dap-num boot-vlan vlan-tag tag-value [mode {enable | disable}] set dap dap-num boot-vlan mode {enable | disable} Parameters dap dap‐num Number of the Distributed AP for which you are specifying VLAN information. vlan‐tag tag‐value The VLAN tag value. You can specify a number from 1 – 4095. mode {enable | disable} Enables or disables use of the specified VLAN tag on the Distributed AP. Defaults None.
set {ap | dap} contact Specifies contact information for an AP. Syntax set {ap port-list | dap dap-num} contact string Parameters ap port‐list List of ports on which to specify contact information for directly connected APs. dap dap‐num Number of a Distributed AP for which to specify contact information. contact string Contact information for the AP. If the contact information includes spaces, enclose the string in quotes. Defaults None. Mode Enabled.
set dap fingerprint Verifies an AP’s fingerprint on a RoamAbout switch. If AP‐RoamAbout Switch security is required by a RoamAbout switch, an AP can establish a management session with the switch only if you have verified the AP’s identity by verifying its fingerprint on the switch. Note: The AP3000 does not require a fingerprint. Syntax set dap num fingerprint hex Parameters dap dap‐num Number of the Distributed AP whose fingerprint you are verifying.
set {ap | dap} force-image-download Configures an AP to download its software image from the RoamAbout Switch instead of loading the image that is locally stored on the AP. Syntax set {ap port-list | dap {dap-num | auto}} force-image-download {enable | disable} Parameters ap port‐list The list of AP access ports. dap dap‐num The number of a Distributed AP. dap auto Configures forced image download for the AP configuration profile. (Refer to “set dap auto” on page 11‐13.
set {ap | dap} group Configures a named group of access points. MSS automatically load balances sessions among the access points in a group. To balance the sessions, MSS rejects an association request for an access point’s radio if that radio has at least four more active sessions than the radio of the same type with the least number of active sessions within the group.
set {ap | dap} image Loads an AirDefense image on an AP.
set {ap | dap} location Specifies location information for an AP. Syntax set {ap port-list | dap dap-num} location string Parameters ap port‐list List of ports on which to specify location information for directly connected APs. dap dap‐num Number of a Distributed AP for which to specify location information. location string Location information for the AP. If the location information includes spaces, enclose the string in quotes.
set {ap | dap} name Changes an access point name. Syntax set {ap port-list | dap dap-num} name name Parameters ap port‐list List of ports connected to the access point to rename. dap dap‐num Number of a Distributed access point to rename. name Alphanumeric string of up to 16 characters, with no spaces. Defaults The default name of a Distributed access point is based on the number you assign to it when you configure the connection.
set {ap | dap} radio antenna-location Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure that the proper set of channels is available on the radio. In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors. Syntax set {ap port-list | dap dap-num} antenna-location {indoors | outdoors} Parameters ap port‐list A list of ports connected to the AP access point to rename.
set {ap | dap} radio antennatype Sets the model number for an external antenna. Syntax set {ap port-list | dap dap-num} radio {1 | 2} antennatype {ANT1060 | ANT1120 | ANT1180 | ANT5060 | ANT5120 | ANT5180} Parameters ap port‐list List of ports connected to the access points on which to set the channel. dap dap‐num Number of a Distributed AP on which to set the channel. radio 1 Radio 1 of the AP. radio 2 Radio 2 of the AP. antennatype Specifies the antenna model number.
set {ap | dap} radio auto-tune max-power Sets the maximum power that RF Auto‐Tuning can set on a radio. Syntax set {ap port-list | dap {dap-num | auto}} radio {1 | 2} auto-tune max-power power-level Parameters ap port‐list List of ports connected to the access points on which to set the maximum power. dap dap‐num Number of a Distributed access point on which to set the maximum power. dap auto Sets the maximum power for radios configured by the access point configuration profile.
set {ap | dap} radio auto-tune max-retransmissions Deprecated in MSS Version 5.0.
set {ap | dap} radio auto-tune min-client-rate Deprecated in MSS Version 5.0. To configure radio transmit rates, refer to “set service‐profile transmit‐rates” on page 11‐117.
set {ap | dap} radio channel Sets an access point radio’s channel. Syntax set {ap port-list | dap dap-num} radio {1 | 2} channel channel-number Parameters ap port‐list List of ports connected to the access points on which to set the channel. dap dap‐num Number of a Distributed access point on which to set the channel. radio 1 Radio 1 of the access point. radio 2 Radio 2 of the access point. (This option does not apply to single‐radio models.) channel channel‐number Channel number.
set {ap | dap} radio auto-tune min-client-rate Sets the minimum rate at which a radio is allowed to transmit traffic to clients. The radio automatically increases its transmit power when necessary to maintain at least the minimum rate with an associated client. Syntax set {ap port-list | dap {dap-num | auto}} radio {1 | 2} auto-tune min-client-rate rate Parameters ap port‐list List of ports connected to the access points on which to set the minimum data rate.
Note: A radio also can increase power, in 1 dBm increments, if more than the allowed percentage of packets received by the radio from a client are retransmissions. After a radio increases power, all clients must be at the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile, before the radio begins reducing power again. Example The following command increases the minimum data rate on radio 1, which is an 802.
set {ap | dap} radio mode Enables or disables a radio on an access point. Syntax set {ap port-list | dap {dap-num | auto}} radio {1 | 2} mode {enable | disable} Parameters ap port‐list List of ports connected to the access point(s) on which to turn a radio on or off. dap dap‐num Number of a Distributed access point on which to turn a radio on or off. dap auto Sets the radio mode for access points managed by the access point configuration profile. (See set dap auto on page 11‐13.
set {ap | dap} radio radio-profile Assigns a radio profile to an access point radio and enables or disables the radio. Syntax set {ap port-list | dap {dap-num | auto}} radio {1 | 2} radio-profile name mode {enable | disable} Parameters ap port‐list List of ports. dap dap‐num Number of a Distributed access point. dap auto Sets the radio profile for the access point configuration profile. (See set dap auto on page 11‐13.) radio 1 Radio 1 of the access point. radio 2 Radio 2 of the access point.
set {ap | dap} radio tx-power Sets an access point radio’s transmit power. Syntax set {ap port-list | dap dap-num} radio {1 | 2} tx-power power-level Parameters ap port‐list List of ports connected to the access points on which to set the transmit power. dap dap‐num Number of a Distributed access point on which to set the transmit power. radio 1 Radio 1 of the access point. radio 2 Radio 2 of the access point. (This option does not apply to single‐radio models.
Related Commands • set {ap | dap} radio channel on page 11‐35 • show {ap | dap} config on page 11‐128
set dap security Sets security requirements for management sessions between a RoamAbout switch and its Distributed access points. Note: The maximum transmission unit (MTU) for encrypted access point management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the RoamAbout switch and Distributed access point can support the higher MTU.
• show {ap | dap} config on page 11‐128 • show {ap | dap} status on page 11‐140
set {ap | dap} upgrade-firmware Disables or reenables automatic upgrade of an access point’s boot firmware. Syntax set {ap port-list | dap {dap-num | auto}} upgrade-firmware {enable | disable} Parameters ap port‐list List of ports connected to the access point(s) on which to allow automatic firmware upgrades. dap dap‐num Number of a Distributed access point on which to allow automatic firmware upgrades. dap auto Configures firmware upgrades for the access point configuration profile.
set radio-profile active-scan Disables or reenables active RF detection scanning on the access point radios managed by a radio profile. When active scanning is enabled, access point radios look for rogue devices by sending probe any requests (probe requests with a null SSID name), to solicit probe responses from other access points. Passive scanning is always enabled and cannot be disabled. During passive scanning, radios look for rogues by listening for beacons and probe responses.
set radio-profile auto-tune channel-config Disables or reenables dynamic channel tuning (RF Auto‐Tuning) for the access point radios in a radio profile. Syntax set radio-profile name auto-tune channel-config {enable | disable} [no-client] Parameters name Radio profile name. enable Configures radios to dynamically select their channels when the radios are started. disable Configures radios to use their statically assigned channels, or the default channels if unassigned, when the radios are started.
• set radio‐profile auto‐tune power‐config on page 11‐52 • show radio‐profile on page 11‐157
set radio-profile auto-tune channel-holddown Sets the minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto‐Tuning can change the channel. The channel holddown provides additional stability to the network by preventing the radio from changing channels too rapidly in response to spurious RF anomalies such as short‐duration channel interference. Syntax set radio-profile name auto-tune channel-holddown holddown Parameters name Radio profile name.
set radio-profile auto-tune channel-interval Sets the interval at which RF Auto‐Tuning decides whether to change the channels on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio channels if needed. Syntax set radio-profile name auto-tune channel-interval seconds Parameters name Radio profile name.
set radio-profile auto-tune channel-lockdown Locks down the current channel settings on all radios in a radio profile. The channel settings that are in effect when the command is entered are changed into statically configured channel assignments on the radios. RF Auto‐Tuning of channels is then disabled in the radio profile. Syntax set radio-profile name auto-tune channel-lockdown Parameters name Radio profile name.
set radio-profile auto-tune power-backoff-timer Deprecated in MSS Version 5.0.
set radio-profile auto-tune power-config Enables or disables dynamic power tuning (RF Auto‐Tuning) for the access point radios in a radio profile. Syntax set radio-profile name auto-tune power-config {enable | disable} Parameters name Radio profile name. enable Configures radios to dynamically set their power levels when the access points are started. disable Configures radios to use their statically assigned power levels, or the default power levels if unassigned, when the radios are started.
set radio-profile auto-tune power-interval Sets the interval at which RF Auto‐Tuning decides whether to change the power level on radios in a radio profile. At the end of each interval, MSS processes the results of the RF scans performed during the previous interval, and changes radio power levels if needed. Syntax set radio-profile name auto-tune power-interval seconds Parameters name Radio profile name.
set radio-profile auto-tune power-lockdown Locks down the current power settings on all radios in a radio profile. The power settings that are in effect when the command is entered are changed into statically configured power settings on the radios. RF Auto‐Tuning of power is then disabled in the radio profile. Syntax set radio-profile name auto-tune power-lockdown Parameters name Radio profile name.
set radio-profile auto-tune power-ramp-interval Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in a radio profile until the optimum power level calculated by RF Auto‐Tuning is reached. Syntax set radio-profile name auto-tune power-ramp-interval seconds Parameters name Radio profile name. seconds Number of seconds MSS waits before increasing or decreasing radio power by another 1 dBm. You can specify from 1 to 65535.
set radio-profile beacon-interval Changes the rate at which each access point radio in a radio profile advertises its service set identifier (SSID). Syntax set radio-profile name beacon-interval interval Parameters name Radio profile name. interval Number of milliseconds (ms) between beacons. You can specify from 25 ms to 8191 ms. Defaults The beacon interval for access point radios is 100 ms by default. Mode Enabled.
set radio-profile countermeasures Caution: Countermeasures affect wireless service on a radio. When an access point radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures. Enables or disables countermeasures on the access point radios managed by a radio profile. Countermeasures are packets sent by a radio to prevent clients from being able to use rogue access points.
set radio-profile dtim-interval Changes the number of times after every beacon that each access point radio in a radio profile sends a delivery traffic indication map (DTIM). An access point sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. Note: The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID. Syntax set radio-profile name dtim-interval interval Parameters name Radio profile name.
set radio-profile frag-threshold Changes the fragmentation threshold for the AP radios in a radio profile. The fragmentation threshold is the threshold at which the long‐retry‐count is applicable instead of the short‐retry‐count. The long‐retry‐count specifies the number of times a radio can send a unicast frame that is equal to or longer than the frag‐threshold without receiving an acknowledgment.
Related Commands • set radio‐profile mode on page 11‐63 • set radio‐profile rts‐threshold on page 11‐69 • set service‐profile long‐retry‐count on page 11‐96 • set service‐profile short‐retry‐count on page 11‐104 • show radio‐profile on page 11‐157
set radio-profile max-rx-lifetime Changes the maximum receive threshold for the access point radios in a radio profile. The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory. Syntax set radio-profile name max-rx-lifetime time Parameters name Radio profile name. time Number of milliseconds. You can enter a value from 500 (0.5 second) through 250,000 (250 seconds).
set radio-profile max-tx-lifetime Changes the maximum transmit threshold for the access point radios in a radio profile. The maximum transmit threshold specifies the number of milliseconds that a frame scheduled to be transmitted by a radio can remain in buffer memory. Syntax set radio-profile name max-tx-lifetime time Parameters name Radio profile name. time Number of milliseconds. You can enter a value from 500 (0.5 second) through 250,000 (250 seconds).
set radio-profile mode Creates a new radio profile, or disables or reenables all access point radios that are using a specific profile. Syntax set radio-profile name [mode {enable | disable}] Parameters radio‐profile name Radio profile name of up to 16 alphanumeric characters, with no spaces. mode enable Enables the radios that use this profile. mode disable Disables the radios that use this profile. Use this command without the mode enable or mode disable option to create a new profile.
Table 11-4 Defaults for Radio Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
qos-mode | wmm | Classifies and marks traffic based on 802.1p and DSCP, and optimizes forwarding prioritization of AP radios for Wi-Fi Multimedia (WMM).
rfid-mode | disable | Radio does not function as a location receiver in an AeroScout Visibility System.
Related Commands • set {ap | dap} radio mode on page 11‐38 • set {ap | dap} radio radio‐profile on page 11‐39 • show {ap | dap} config on page 11‐128 • show radio‐profile on page 11‐157
set radio-profile preamble-length Changes the preamble length for which an 802.11b/g access point radio advertises support. This command does not apply to 802.11a. Syntax set radio-profile name preamble-length {long | short} Parameters name Radio profile name. long Advertises support for long preambles. short Advertises support for short preambles. Defaults The default is short. Mode Enabled. Usage Changing the preamble length value affects only the support advertised by the radio.
set radio-profile qos-mode Sets the prioritization mode for forwarding queues on AP radios managed by the radio profile. Syntax set radio-profile name qos-mode {svp | wmm} Parameters svp Optimizes forwarding prioritization of AP radios for SpectraLink Voice Priority (SVP). wmm Classifies and marks traffic based on 802.1p and DSCP, and optimizes forwarding prioritization of AP radios for Wi‐Fi Multimedia (WMM). Defaults The default QoS mode is wmm. Mode Enabled.
set radio-profile rfid-mode Enables AP radios managed by a radio profile to function as location receivers in an AeroScout Visibility System. An AeroScout Visibility System allows system administrators to track mobile assets using RFID tags. When you enable RFID mode on a radio profile, radios in the profile can receive and process signals transmitted by RFID tags and relay them with related information to the AeroScout Engine.
set radio-profile rts-threshold Changes the RTS threshold for the access point radios in a radio profile. The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame. Syntax set radio-profile name rts-threshold threshold Parameters name Radio profile name. threshold Maximum frame length, in bytes.
set radio-profile service-profile Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter settings, including SSID and encryption settings, in the service profile. Syntax set radio-profile name service-profile name Parameters radio‐profile name Radio profile name of up to 16 alphanumeric characters, with no spaces. service‐profile name Service profile name of up to 16 alphanumeric characters, with no spaces.
Table 11-5 Defaults for Service Profile Parameters (continued)
Parameter | Default Value |
cipher-tkip | enable | When the WPA IE is enabled, uses Temporal Key Integrity Protocol (TKIP) to encrypt traffic sent to WPA clients.
cipher-wep104 | disable | Does not use Wired Equivalent Privacy (WEP) with 104-bit keys to encrypt traffic sent to WPA clients.
cipher-wep40 | disable | Does not use WEP with 40-bit keys to encrypt traffic sent to WPA clients.
psk-raw | No preshared key defined | Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
rsn-ie | disable | Does not use the RSN IE in transmitted frames. (The RSN IE is required for 802.11i. RSN is sometimes called WPA2.)
shared-key-auth | disable | Does not use shared-key authentication.
user-idle-timeout | 180 | Allows a client to remain idle for 180 seconds (3 minutes) before MSS changes the client’s session to the Disassociated state.
web-portal-acl | portalacl | If set to portalacl and the service profile fallthru is set to web-portal, radios use the portalacl ACL to filter traffic for Web Portal users during authentication.
Example The following command maps service‐profile wpa_clients to radio profile rp2:
RBT-8100# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
• set service‐profile web‐portal‐session‐timeout on page 11‐123 • set service‐profile wep active‐multicast‐index on page 11‐124 • set service‐profile wep active‐unicast‐index on page 11‐125 • set service‐profile wep key‐index on page 11‐126
set radio-profile wmm Deprecated in MSS Version 4.2. To enable or disable WMM, refer to “set radio‐profile qos‐mode” on page 11‐67.
set radio-profile wmm-powersave Enables Unscheduled Automatic Powersave Delivery (U‐APSD) on AP radios managed by the radio profile. U‐APSD enables WMM clients that use powersave mode to more efficiently request buffered unicast packets from AP radios. When U‐APSD is enabled, a client can retrieve buffered unicast packets for a traffic priority enabled for U‐APSD by sending a QoS data or QoS‐Null frame for that priority.
set service-profile attr Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile. These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database. Syntax set service-profile name attr attribute-name value Parameters name Service profile name. attribute‐name value Name and value of an attribute you are using to authorize SSID users for a particular service or session characteristic.
Examples The following command assigns users accessing the SSID managed by service profile sp2 to VLAN blue.
RBT-8100# set service-prof sp2 attr vlan-name blue
success: change accepted.
The following command assigns users accessing the SSID managed by service profile sp2 to the Mobility Profile tulip.
RBT-8100# set service-prof sp2 attr mobility-profile tulip
success: change accepted.
set service-profile auth-dot1x Disables or reenables 802.1X authentication of Wi‐Fi Protected Access (WPA) clients by access point radios, when the WPA information element (IE) is enabled in the service profile that is mapped to the radio profile that the radios are using. Syntax set service-profile name auth-dot1x {enable | disable} Parameters name Service profile name. enable Enables 802.1X authentication of WPA clients. disable Disables 802.1X authentication of WPA clients.
Related Commands • set service‐profile auth‐psk on page 11‐84 • set service‐profile psk‐phrase on page 11‐100 • set service‐profile wpa‐ie on page 11‐127 • show service‐profile on page 11‐160
set service-profile auth-fallthru Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile. When a user tries to associate with an SSID, MSS checks the authentication rules for that SSID for a userglob that matches the username. If the SSID does not have an authentication rule that matches the username, authentication for the user falls through to the fallthru type.
Example The following command sets the fallthru authentication for SSIDs managed by the service profile rnd_lab to web‐portal:
RBT-8100# set service-profile rnd_lab auth-fallthru web-portal
success: change accepted.
set service-profile auth-psk Enables preshared key (PSK) authentication of Wi‐Fi Protected Access (WPA) clients by access point radios in a radio profile, when the WPA information element (IE) is enabled in the service profile. Syntax set service-profile name auth-psk {enable | disable} Parameters name Service profile name. enable Enables PSK authentication of WPA clients. disable Disables PSK authentication of WPA clients.
set service-profile beacon Disables or reenables beaconing of the SSID managed by the service profile. An access point radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the nonbeaconed SSID’s SSID string. When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name in the frames is blank.
set service-profile cac-mode Configures the Call Admission Control (CAC) mode. Syntax set service-profile name cac-mode {none | session} Parameters name Service profile name. none CAC is not used. session CAC is based on the number of active sessions. Defaults The default CAC mode is none. Mode Enabled. Example The following command enables session‐based CAC on service profile sp1:
RBT-8100# set service-profile sp1 cac-mode session
success: change accepted.
set service-profile cac-session Specifies the maximum number of active sessions a radio can have when session‐based CAC is enabled. When an AP radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients. Syntax set service-profile name cac-session max-sessions Parameters name Service profile name. max‐sessions Maximum number of active sessions allowed on the radio. Defaults The default number of sessions allowed is 14. Mode Enabled.
set service-profile cipher-ccmp Enables Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption with WPA clients, for a service profile. Syntax set service-profile name cipher-ccmp {enable | disable} Parameters name Service profile name. enable Enables CCMP encryption for WPA clients. disable Disables CCMP encryption for WPA clients. Defaults CCMP encryption is disabled by default. Mode Enabled. Usage To use CCMP, you must also enable the WPA IE.
set service-profile cipher-tkip Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile. Syntax set service-profile name cipher-tkip {enable | disable} Parameters name Service profile name. enable Enables TKIP encryption for WPA clients. disable Disables TKIP encryption for WPA clients. Defaults When the WPA IE is enabled, TKIP encryption is enabled by default. Mode Enabled. Usage To use TKIP, you must also enable the WPA IE.
set service-profile cipher-wep104 Enables dynamic Wired Equivalent Privacy (WEP) with 104‐bit keys, in a service profile. Syntax set service-profile name cipher-wep104 {enable | disable} Parameters name Service profile name. enable Enables 104‐bit WEP encryption for WPA clients. disable Disables 104‐bit WEP encryption for WPA clients. Defaults 104‐bit WEP encryption is disabled by default. Mode Enabled. Usage To use 104‐bit WEP with WPA clients, you must also enable the WPA IE.
set service-profile cipher-wep40 Enables dynamic Wired Equivalent Privacy (WEP) with 40‐bit keys, in a service profile. Syntax set service-profile name cipher-wep40 {enable | disable} Parameters name Service profile name. enable Enables 40‐bit WEP encryption for WPA clients. disable Disables 40‐bit WEP encryption for WPA clients. Defaults 40‐bit WEP encryption is disabled by default. Mode Enabled. Usage To use 40‐bit WEP with WPA clients, you must also enable the WPA IE.
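The cipher entries above and the Table 11‐5 defaults can be checked against a saved command list. The following Python audit is an added example, not part of the Enterasys reference: it reads set service-profile commands, applies the defaults stated on this page, and reports profiles that would offer WEP or TKIP, or that lack CCMP. The function names, finding codes and sample configuration are constructed for illustration.

```python
import shlex

# Defaults stated on this page (Table 11-5 and the cipher-* entries).
PAGE_DEFAULTS = {
    "cipher-ccmp": "disable",
    "cipher-tkip": "enable",
    "cipher-wep104": "disable",
    "cipher-wep40": "disable",
    "shared-key-auth": "disable",
}
# No default for wpa-ie appears in this section, so it only counts when set explicitly.
TRACKED = set(PAGE_DEFAULTS) | {"wpa-ie"}

# Constructed sample input, not taken from a real switch.
SAMPLE_CONFIG = """\
RBT-8100# set service-profile guest wpa-ie enable
RBT-8100# set service-profile guest cipher-wep40 enable
RBT-8100# set service-prof corp wpa-ie enable
RBT-8100# set service-prof corp cipher-ccmp enable
RBT-8100# set service-prof corp cipher-tkip disable
RBT-8100# set service-profile lab cipher-ccmp enable
success: change accepted.
"""


def parse_profiles(config_text):
    """Collect explicit enable/disable settings per service profile."""
    profiles = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop an 'RBT-8100#' style prompt
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(tokens) != 5 or tokens[0] != "set":
            continue
        _, keyword, name, setting, value = tokens
        # The page's own examples abbreviate the keyword to 'service-prof'.
        if not (keyword.startswith("service-prof")
                and "service-profile".startswith(keyword)):
            continue
        if setting in TRACKED and value in ("enable", "disable"):
            profiles.setdefault(name, {})[setting] = value
    return profiles


def audit(config_text):
    """Return (profile, code, detail) findings, ordered by profile name."""
    findings = []
    for name, explicit in sorted(parse_profiles(config_text).items()):
        effective = {**PAGE_DEFAULTS, **explicit}

        def enabled(key):
            return effective.get(key) == "enable"

        if enabled("wpa-ie"):
            for wep in ("cipher-wep104", "cipher-wep40"):
                if enabled(wep):
                    findings.append((name, "weak-cipher", wep))
            if enabled("cipher-tkip"):
                # TKIP is on by default, so a profile that never mentions it still offers it.
                source = "explicit" if "cipher-tkip" in explicit else "default"
                findings.append((name, "tkip-enabled", source))
            if not enabled("cipher-ccmp"):
                findings.append((name, "ccmp-disabled", "enable cipher-ccmp"))
        else:
            # The Usage notes say a cipher is only used once the WPA IE is enabled.
            for key, value in sorted(explicit.items()):
                if key.startswith("cipher-") and value == "enable":
                    findings.append((name, "cipher-needs-wpa-ie", key))
        if enabled("shared-key-auth"):
            findings.append((name, "shared-key-auth", "enabled"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

The guest profile is flagged for TKIP even though no command enables it, because the stated default applies as soon as the WPA IE is turned on.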
set service-profile cos Sets the Class‐of‐Service (CoS) level for static CoS. Syntax set service-profile name cos level Parameters name Service profile name. level CoS value assigned by the AP to all traffic in the service profile. Defaults The default static CoS level is 0. Mode Enabled. Usage This command applies only when static CoS is enabled. If static CoS is disabled, prioritization is based on the QoS mode configured in the radio profile, and on any ACLs that set CoS.
set service-profile dhcp-restrict Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters a newly associated client’s traffic to allow DHCP traffic only, until the client has been authenticated and authorized. All other traffic is captured by the RoamAbout Switch and is not forwarded. After the client is successfully authorized, the traffic restriction is removed. Syntax set service-profile name dhcp-restrict {enable | disable} Parameters name Service profile name.
set service-profile idle-client-probing Disables or reenables periodic keepalives from AP radios to clients on a service profile’s SSID. When idle‐client probing is enabled, the AP radio sends a unicast null‐data frame to each client every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive. If a client does not send any data or respond to any keepalives before the user idle timeout expires, MSS changes the client’s session to the Disassociated state.
set service-profile keep-initial-vlan Configures AP radios managed by the radio profile to leave a roamed user on the VLAN assigned by the switch where the user logged on. When this option is disabled, a user’s VLAN is reassigned by each RoamAbout Switch to which a user roams. Syntax set service-profile name keep-initial-vlan {enable | disable} Parameters name Service profile name. enable Enables radios to leave a roamed user on the same VLAN instead of reassigning the VLAN.
set service-profile long-retry-count Changes the long retry threshold for a service profile. The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment. A long unicast frame is a frame that is equal to or longer than the frag‐threshold. Syntax set service-profile name long-retry-count threshold Parameters name Service profile name. threshold Number of times the radio can send the same long unicast frame.
set service-profile no-broadcast Disables or reenables the no‐broadcast mode. The no‐broadcast mode helps reduce traffic overhead on an SSID by leaving more of an SSID’s bandwidth available for unicast traffic. The no‐broadcast mode also helps VoIP handsets conserve power by reducing the amount of broadcast traffic sent to the phones. When enabled, the no‐broadcast mode prevents AP radios from sending DHCP or ARP broadcasts to clients on the service profile’s SSID.
Related Commands • set service‐profile dhcp‐restrict on page 11‐93 • set service‐profile proxy‐arp on page 11‐99 • show service‐profile on page 11‐160
set service-profile proxy-arp Enables proxy ARP. When proxy ARP is enabled, the RoamAbout Switch replies to ARP requests for client IP addresses on behalf of the clients. This feature reduces broadcast overhead on a service profile’s SSID by eliminating ARP broadcasts from AP radios to the SSID’s clients. If the ARP request is for a client whose IP address the switch does not already know, the RoamAbout Switch allows AP radios to send the ARP request to clients.
set service-profile psk-phrase Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients. Syntax set service-profile name psk-phrase passphrase Parameters name Service profile name. passphrase An ASCII string from 8 to 63 characters long.
set service-profile psk-raw Configures a raw hexadecimal preshared key (PSK) to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients. Syntax set service-profile name psk-raw hex Parameters name Service profile name. hex A 64‐bit ASCII string representing a 32‐digit hexadecimal number. Enter the two‐character ASCII form of each hexadecimal number. Defaults None. Mode Enabled.
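The relationship between psk-phrase and psk-raw, as an added Python example (not code from Enterasys or from this manual): it maps a passphrase and SSID to the 32-byte key with the standard IEEE 802.11i function (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), checks the raw key format, and reviews a passphrase before it is configured. That MSS uses this standard mapping, the helper names, the 20-character review threshold, and the profile name in the usage are assumptions.

```python
import hashlib
import re


def derive_wpa_psk(passphrase, ssid):
    """Return the 32-byte PSK (used as the PMK) as 64 hex characters.

    Standard IEEE 802.11i passphrase mapping; assumed, not stated by the
    manual, to be what MSS does with psk-phrase.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32
    )
    return key.hex()


def is_valid_raw_psk(hex_value):
    """True if the value is 32 bytes written as two hex characters per byte."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", hex_value) is not None


def raw_psk_command(profile, ssid, passphrase):
    """Build the psk-raw command equivalent to a passphrase on a given SSID."""
    return "set service-profile {} psk-raw {}".format(
        profile, derive_wpa_psk(passphrase, ssid)
    )


def review_passphrase(passphrase, ssid, min_length=20):
    """Return review findings for a candidate passphrase.

    The salt is only the SSID and the iteration count is fixed, so the key
    is fully determined by (passphrase, SSID); a short or predictable
    passphrase is the weak point. min_length is an assumed review threshold.
    """
    findings = []
    if len(passphrase) < min_length:
        findings.append("shorter than {} characters".format(min_length))
    if passphrase.isdigit():
        findings.append("digits only")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the published 802.11i test passphrase/SSID.
    print(raw_psk_command("corp-service", "IEEE", "password"))
    print(review_passphrase("password", "IEEE"))
```

The same passphrase yields a different raw key on each SSID, so a psk-raw value cannot be reused after an SSID is renamed.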
set service-profile rsn-ie Enables the Robust Security Network (RSN) Information Element (IE). The RSN IE advertises the RSN (sometimes called WPA2) authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile. Syntax set service-profile name rsn-ie {enable | disable} Parameters name Service profile name. enable Enables the RSN IE. disable Disables the RSN IE. Defaults RSN IE is disabled by default. Mode Enabled.
set service-profile shared-key-auth Enables shared‐key authentication, in a service profile. Note: Use this command only if advised to do so by Enterasys Networks. This command does not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To enable PSK encryption for WPA, use set service-profile auth-psk on page 11-84. Syntax set service-profile name shared-key-auth {enable | disable} Parameters name Service profile name. enable Enables shared‐key authentication.
set service-profile short-retry-count Changes the short retry threshold for a service profile. The short retry threshold specifies the number of times a radio can send a short unicast frame without receiving an acknowledgment. A short unicast frame is a frame that is shorter than the frag‐threshold. Syntax set service-profile name short-retry-count threshold Parameters name Service profile name. threshold Number of times a radio can send the same short unicast frame.
set service-profile soda agent-directory Specifies the directory on the RoamAbout Switch where the SODA agent files for a service profile are located. Syntax set service-profile name soda agent-directory directory Parameters name Service profile name. directory Directory on the RoamAbout Switch for SODA agent files. Defaults By default, the RoamAbout Switch expects SODA agent files to be located in a directory with the same name as the service profile. Mode Enabled.
set service-profile soda enforce-checks Specifies whether a client is allowed access to the network after it has downloaded and run the SODA agent security checks. Syntax set service-profile name soda enforce-checks {enable | disable} Parameters name Service profile name. enable SODA agent checks are performed before the client is allowed access to the network. disable Allows the client access to the network immediately after the SODA agent is downloaded, without waiting for the checks to be run.
Related Commands • set service‐profile soda mode on page 11‐110 • show service‐profile on page 11‐160
set service-profile soda failure-page Specifies a page on the RoamAbout Switch that is loaded when a client fails the security checks performed by the SODA agent. Syntax set service-profile name soda failure-page page Parameters name Service profile name. page Page that is loaded if the client fails the security checks performed by the SODA agent. Defaults By default, the RoamAbout Switch dynamically generates a page indicating that the SODA agent checks have failed. Mode Enabled.
set service-profile soda logout-page Specifies a page on the RoamAbout Switch that is loaded when a client logs out of the network by closing the SODA virtual desktop. Syntax set service-profile name soda logout-page page Parameters name Service profile name. page Page that is loaded when the client closes the SODA virtual desktop. Defaults None. Mode Enabled. Usage When a client closes the SODA virtual desktop, the client is automatically disconnected from the network.
set service-profile soda mode Enables or disables Sygate On‐Demand (SODA) functionality for a service profile. Syntax set service-profile name soda mode {enable | disable} Parameters name Service profile name. enable Enables SODA functionality for the service profile. disable Disables SODA functionality for the service profile. Mode Enabled.
set service-profile soda remediation-acl Specifies an ACL to be applied to a client if it fails the checks performed by the SODA agent. Syntax set service-profile name soda remediation-acl acl-name Parameters name Service profile name. acl‐name Name of an existing security ACL to use as a remediation ACL for this service profile. ACL names must start with a letter and are case‐insensitive. Defaults None. Mode Enabled.
set service-profile soda success-page Specifies a page on the RoamAbout Switch that is loaded when a client passes the security checks performed by the SODA agent. Syntax set service-profile name soda success-page page Parameters name Service profile name. page Page that is loaded if the client passes the security checks performed by the SODA agent. Defaults By default, the RoamAbout Switch generates a page indicating that the client passed the SODA agent checks. Mode Enabled.
set service-profile ssid-name Configures the SSID name in a service profile. Syntax set service-profile name ssid-name ssid-name Parameters name Service profile name. ssid‐name Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.
set service-profile ssid-type Specifies whether the SSID managed by a service profile is encrypted or unencrypted. Syntax set service-profile name ssid-type [clear | crypto] Parameters name Service profile name. clear Wireless traffic for the service profile’s SSID is not encrypted. crypto Wireless traffic for the service profile’s SSID is encrypted. Defaults The default SSID type is crypto. Mode Enabled.
set service-profile static-cos Enables or disables static CoS on a service profile. Static CoS assigns the same CoS level to all traffic on the service profile’s SSID, regardless of 802.1p or DSCP markings in the packets themselves, and regardless of any ACLs that mark CoS. This option provides a simple way to configure an SSID for priority traffic such as VoIP traffic. When static CoS is enabled, the standard MSS prioritization mechanism is not used.
set service-profile tkip-mc-time Changes the length of time that access point radios use countermeasures if two message integrity code (MIC) failures occur within 60 seconds. When countermeasures are in effect, access point radios dissociate all TKIP and WPA WEP clients and refuse all association and reassociation requests until the countermeasures end. Syntax set service-profile name tkip-mc-time wait-time Parameters name Service profile name.
set service-profile transmit-rates Changes the data rates supported by AP radios for a service‐profile’s SSID. Syntax set service-profile name transmit-rates {11a | 11b | 11g} mandatory rate-list [disabled rate-list] [beacon-rate rate] [multicast-rate {rate | auto}] Parameters name Service profile name. 11a | 11b | 11g Radio type. mandatory rate‐list Set of data transmission rates that clients are required to support in order to associate with an SSID on an AP radio.
Defaults This command has the following defaults:
• mandatory:
  – 11a—6.0,12.0,24.0
  – 11b—1.0,2.0
  – 11g—1.0,2.0,5.5,11.0
• disabled—None. All rates applicable to the radio type are supported by default.
• beacon‐rate:
  – 11a—6.0
  – 11b—2.0
  – 11g—2.0
• multicast‐rate—auto for all radio types.
Mode Enabled. Usage If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or multicast rate.
set service-profile user-idle-timeout Changes the number of seconds MSS will leave a session up for a client that is not sending data and is not responding to keepalives (idle‐client probes). If the timer expires, the client’s session is changed to the Dissociated state. The timer is reset to 0 each time a client sends data or responds to an idle‐client probe. If the idle‐client probe is disabled, the timer is reset each time the client sends data.
set service-profile web-portal-acl Changes the ACL name MSS uses to filter a Web‐Portal user’s traffic during authentication. Use this command if you create a custom Web‐Portal ACL to allow more than just DHCP traffic during authentication. For example, if you configure an ACL that allows a Web‐Portal user to access a credit card server, use this command to use the custom ACL for Web‐Portal users that associate with the service profile’s SSID.
set service-profile web-portal-form Specifies a custom login page to serve to WebAAA users who request the SSID managed by the service profile. Syntax set service-profile name web-portal-form url Parameters name Service profile name. url RoamAbout switch subdirectory name and HTML page name of the login page. Specify the full path. For example, corpa‐ssid/corpa.html. Defaults The Enterasys Networks Web login page is served by default. Mode Enabled.
Example The following commands create a subdirectory named corpa, copy a custom login page named corpa‐login.html and a jpg image named corpa‐logo.jpg into that subdirectory, and set the Web login page for service profile corpa‐service to corpa‐login.html:
RBT-8100# mkdir corpa
success: change accepted.
RBT-8100# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
RBT-8100# copy tftp://10.1.1.1/corpa-logo.jpg corpa/corpa-logo.
set service-profile web-portal-session-timeout Changes the number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically. Syntax set service-profile name web-portal-session-timeout seconds Parameters name Service profile name. seconds Number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically. You can specify from 5 to 2800 seconds.
set service-profile wep active-multicast-index Specifies the static Wired‐Equivalent Privacy (WEP) key (one of four) to use for encrypting multicast frames. Syntax set service-profile name wep active-multicast-index num Parameters name Service profile name. num WEP key number. You can enter a value from 1 through 4. Defaults If WEP encryption is enabled and WEP keys are defined, access point radios use WEP key 1 to encrypt multicast frames, by default. Mode Enabled.
set service-profile wep active-unicast-index Specifies the static Wired‐Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames. Syntax set service-profile name wep active-unicast-index num Parameters name Service profile name. num WEP key number. You can enter a value from 1 through 4. Defaults If WEP encryption is enabled and WEP keys are defined, access point radios use WEP key 1 to encrypt unicast frames, by default. Mode Enabled.
set service-profile wep key-index Sets the value of one of four static Wired‐Equivalent Privacy (WEP) keys for static WEP encryption. Syntax set service-profile name wep key-index num key value Parameters name Service profile name. key‐index num WEP key index. You can enter a value from 1 through 4. key value Hexadecimal value of the key. You can enter a 10‐character ASCII string representing a 5‐byte hexadecimal number or a 26‐character ASCII string representing a 13‐byte hexadecimal number.
set service-profile wpa-ie Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile. Syntax set service-profile name wpa-ie {enable | disable} Parameters name Service profile name. enable Enables the WPA IE. disable Disables the WPA IE. Defaults The WPA IE is disabled by default. Mode Enabled.
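A configuration review built on the set service-profile options documented above, as an added Python example that is not part of the manual or of MSS: it parses a list of commands, applies the defaults this page states, and reports profiles whose encryption or SODA settings deserve a second look. The profile names, the sample configuration (including the WEP key value) and the wording of the findings are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Defaults stated on this page; options with no stated default stay unset.
PAGE_DEFAULTS = {
    "ssid-type": "crypto",
    "cipher-wep40": "disable",
    "rsn-ie": "disable",
    "wpa-ie": "disable",
}

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
set service-profile guest ssid-name "Guest WiFi"
set service-profile guest ssid-type clear
set service-profile guest soda mode enable
set service-profile guest soda enforce-checks disable
set service-profile legacy ssid-name legacy-scanners
set service-profile legacy cipher-wep40 enable
set service-profile legacy shared-key-auth enable
set service-profile legacy wep key-index 1 key aabbccddee
set service-profile corp ssid-name corp
set service-profile corp wpa-ie enable
set service-profile corp rsn-ie enable
"""


def parse_profiles(text):
    """Map each service profile name to its effective option values."""
    profiles = defaultdict(lambda: dict(PAGE_DEFAULTS))
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)  # honours quoted SSID names
        except ValueError:
            continue  # unbalanced quotes: not a usable command line
        if tokens[:2] != ["set", "service-profile"] or len(tokens) < 5:
            continue
        name, option, args = tokens[2], tokens[3], tokens[4:]
        if option in ("soda", "wep"):  # two-word options
            if len(args) < 2:
                continue
            option, args = "{} {}".format(option, args[0]), args[1:]
        settings = profiles[name]
        if option == "wep key-index":
            # Record only the index; the key value itself is never kept.
            settings.setdefault("wep key-index", []).append(args[0])
        else:
            settings[option] = " ".join(args)
    return dict(profiles)


def audit(profiles):
    """Return (profile, finding) pairs for settings that need review."""
    findings = []
    for name, s in sorted(profiles.items()):
        if s["ssid-type"] == "clear":
            findings.append((name, "ssid-type clear: traffic is not encrypted"))
        if s["cipher-wep40"] == "enable":
            findings.append((name, "cipher-wep40 enabled: 40-bit WEP keys"))
            if s["wpa-ie"] != "enable":
                findings.append(
                    (name, "cipher-wep40 needs wpa-ie enabled for WPA clients")
                )
        if s.get("shared-key-auth") == "enable":
            findings.append(
                (name, "shared-key-auth enabled: only if advised by the vendor")
            )
        if s.get("wep key-index"):
            indexes = ", ".join(s["wep key-index"])
            findings.append((name, "static WEP key defined at index " + indexes))
        if s["wpa-ie"] == "enable" and s["rsn-ie"] != "enable":
            findings.append((name, "WPA IE advertised without RSN IE"))
        if (s.get("soda mode") == "enable"
                and s.get("soda enforce-checks") == "disable"):
            findings.append(
                (name, "SODA checks not enforced before network access")
            )
    return findings


if __name__ == "__main__":
    for profile, finding in audit(parse_profiles(SAMPLE_CONFIG)):
        print("{}: {}".format(profile, finding))
```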
show {ap | dap} config Displays global and radio‐specific settings for an access point. Syntax show ap config [port-list [radio {1 | 2}]] show dap config [dap-num [radio {1 | 2}]] Parameters port‐list List of ports connected to the access point(s) for which to display configuration settings. dap‐num Number of a Distributed access point for which to display configuration settings. radio 1 Shows configuration information for radio 1. radio 2 Shows configuration information for radio 2.
The following example shows configuration information for a Distributed access point configured on connection 1:
RBT-8100# show dap config 1
Dap 1: serial-id: 12345678, AP model: RBT-1602, bias: high, name: DAP01
fingerprint: b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
boot-download-enable: YES
force-image-download: NO
load balancing group: none
location: The conference room
contact: Bob the IT guy
Radio 1: type: 802.
Table 11-6 Output for show ap config (continued) Output What it displays... fingerprint Hexadecimal fingerprint of the access point’s public encryption key. Note: This field is displayed only for Distributed access points. If the field is blank, the key has not been verified yet by an administrator. (See set dap fingerprint on page 11-26.
• set {ap | dap} name on page 11‐30 • set {ap | dap} upgrade‐firmware on page 11‐44 • set {ap | dap} radio mode on page 11‐38 • set {ap | dap} radio channel on page 11‐35 • set {ap | dap} radio radio‐profile on page 11‐39 • set {ap | dap} radio tx‐power on page 11‐40 • show dap connection on page 11‐151 • show dap global on page 11‐153 • show dap unconfigured on page 11‐155 • show radio‐profile on page 11‐157
show {ap | dap} counters Displays access point and radio statistics counters. Syntax show ap counters [port-list [radio {1 | 2}]] show dap counters [dap-num [radio {1 | 2}]] Parameters port‐list List of ports connected to the access point(s) for which to display statistics counters. dap‐num Number of a Distributed access point for which to display statistics counters. radio 1 Shows statistics counters for radio 1. radio 2 Shows statistics counters for radio 2.
2.0: 603 0 248716 0 191103 4608065 5.5: 370594 52742 27616521 4445625 2427 133217 11.
Table 11-7 Output for show ap counters (continued) Output What it displays... CCMP Pkt Decrypt Err Number of times a decryption error occurred with a packet encrypted with CCMP. CCMP Pkt Transfer Ct Total number of CCMP packets sent and received by the radio. PktTxCount Number of packets transmitted by the radio. MultiPktDrop Number of multicast packets dropped by the radio. MultiBytDrop Number of multicast bytes dropped by the radio.
show {ap | dap} qos-stats Displays statistics for access point forwarding queues. Syntax show dap qos-stats [dap-num] [clear] show ap qos-stats [port-list] [clear] Parameters dap‐num Number of a Distributed access point for which to display QoS statistics counters. port‐list List of ports connected to the access point(s) for which to display QoS statistics counters. clear Clears the counters after displaying their current values. Defaults None. Mode Enabled.
Table 11-8 Output for show {ap | dap} qos-stats Output What it displays... CoS CoS value associated with the forwarding queues. Queue Forwarding queue. DAP or Port Distributed access point number or access point port number. radio Radio number. TxDrop Number of packets dropped from the queue instead of being transmitted. Some packet drops are normal, especially if the RF environment is noisy.
show {ap | dap} etherstats Displays Ethernet statistics for an access point’s Ethernet ports. Syntax show {ap | dap} etherstats [port-list | dap-num] Parameters port‐list List of RoamAbout switch ports directly connected to the access point(s) for which to display counters. dap‐num Number of a Distributed access point for which to display counters. Defaults None. Mode Enabled.
Table 11‐9 describes the fields in this display. Table 11-9 Output for show {ap | dap} etherstats Output What it displays... RxUnicast Number of unicast frames received. RxMulticast Number of multicast frames received. RxBroadcast Number of broadcast frames received. RxGoodFrames Number of frames received properly from the link. RxAlignErrs Number of received frames that were both misaligned and contained a CRC error.
show {ap | dap} group Displays configuration information and load‐balancing status for access point groups. Syntax show {ap | dap} group [name] Parameters name Name of an access point group or Distributed access point group. Defaults None. Mode Enabled.
show {ap | dap} status Displays access point and radio status information. Syntax show ap status [terse] | [port-list | all [radio {1 | 2}]] show dap status [terse] | [dap-num | all [radio {1 | 2}]] Parameters terse Displays a brief line of essential status information for each access point. port‐list List of ports connected to the access point(s) for which to display status. dap‐num Number of a Distributed access point for which to display status.
Radio 2 type: 802.
Table 11-11 Output for show ap status (continued) Output What it displays... Access point port Access point port number connected to this RoamAbout switch port. State State of the access point: • init—The access point has been recognized by the RoamAbout switch but has not yet begun booting. • booting—The access point has asked the RoamAbout switch for a boot image. • image downloading—The access point is receiving a boot image from the RoamAbout switch.
Table 11-11 Output for show ap status (continued) Output What it displays... Radio 1 type, Radio 2 type 802.11 type and configuration state of the radio. • The configure succeed state indicates that the access point has received configuration parameters for the radio and the radio is ready to accept client connections. • 802.11b protect indicates that the 802.11b/g radio is sending messages to 802.11b devices, while sending 802.11g traffic at higher data rates, to inform the 802.
Table 11-11 Output for show ap status (continued) Output What it displays... RFID Reports Status of AeroScout asset tag support. • Active—The AeroScout Engine has enabled the tag report mode on the AP. • Inactive—The AeroScout Engine has not enabled, or has disabled, the tag report mode on the AP. This field is displayed only if the rfid-mode option is enabled on the radio profile that manages the radio. Table 11-12 Output for show ap status terse and show dap status terse Output What it displays..
show auto-tune attributes Displays the current values of the RF attributes RF Auto‐Tuning uses to decide whether to change channel or power settings. Syntax show auto-tune attributes [ap ap-num [radio {1 | 2 | all}]] show auto-tune attributes [dap dap-num [radio {1 | 2 | all}]] Parameters ap‐num AP port connected to the access point for which to display RF attributes. dap‐num Number of a Distributed access point for which to display RF attributes. radio 1 Shows RF attribute information for radio 1.
Table 11-13 Output for show auto-tune attributes (continued) Output What it displays... CRC Errors count Number of frames received by the radio on that active channel that had CRC errors. A high CRC error count can indicate a hidden node or co-channel interference. Packet Retransmission Count Number of retransmitted packets sent from the client to the radio on the active channel. Retransmissions can indicate that the client is not receiving ACKs from the access point radio.
show auto-tune neighbors Displays the other Enterasys Networks radios and third‐party 802.11 radios that an Enterasys radio can hear. Syntax show auto-tune neighbors [ap ap-num [radio {1 | 2 | all}]] show auto-tune neighbors [dap dap-num [radio {1 | 2 | all}]] Parameters ap‐num Access point port connected to the access point for which to display neighbors. dap‐num Number of a Distributed access point for which to display neighbors. radio 1 Shows neighbor information for radio 1.
Table 11‐11 describes the fields in this display. Table 11-14 Output for show auto-tune neighbors Field Description Channel Channel on which the BSSID is detected. Neighbor BSS/MAC BSSID detected by the radio. RSSI Received signal strength indication (RSSI), in decibels referred to 1 milliwatt (dBm). A higher value indicates a stronger signal.
show dap boot-configuration Displays information about the static IP address configuration (if any) on a Distributed AP. Syntax show dap boot-configuration dap-num Parameters dap‐num Number of a Distributed AP for which to display static IP configuration information. Defaults None. Mode Enabled.
Table 11-15 Output for show dap boot-configuration (continued) Field Description Enable Whether the Distributed AP is configured to use a manually specified RoamAbout Switch as its boot device. Vlan Tag The VLAN tag that the Distributed AP is configured to use (if any). IP address The static IP address assigned to this Distributed AP. IP netmask The subnet mask assigned to this Distributed AP. gateway The IP address of the default gateway assigned to this Distributed AP.
show dap connection Displays the system IP address of the RoamAbout switch that booted a Distributed AP. Syntax show dap connection [dap-num | serial-id serial-ID] Parameters dap‐num Number of a Distributed access point for which to display information about its active connection. serial‐id serial‐ID Access point serial ID. Defaults None. Mode Enabled.
The following command displays connection information specifically for a Distributed access point with serial ID 223344:
RBT-8100# show dap connection serial-id 223344
Total number of entries: 1
DAP Serial Id   DAP IP Address  RBT IP Address
--- ----------- --------------- --------------
9   223344      10.10.4.88      10.9.9.11
Table 11‐16 describes the fields in this display. Table 11-16 Output for show dap connection Field Description DAP Connection ID you assigned to the Distributed access point.
show dap global Displays connection information for Distributed APs configured on a RoamAbout switch. Syntax show dap global [dap-num | serial-id serial-ID] Parameters dap‐num Number of a Distributed access point for which to display configuration settings. serial‐id serial‐ID Access point serial ID. Defaults None. Mode Enabled. Usage To show information only for Distributed access points that have active connections, use the show dap connection command.
Table 11-17 Output for show dap global Field Description DAP Connection ID you assigned to the Distributed access point. Note: DAP numbers are listed only for Distributed access points configured on this RoamAbout switch. If the field contains a hyphen ( - ), the Distributed access point configuration displayed in the row of output is on another RoamAbout switch. Serial Id Serial ID of the Distributed access point.
show dap unconfigured Displays Distributed access points that are physically connected to the network but that are not configured on any RoamAbout switches. Syntax show dap unconfigured Defaults None. Mode Enabled. Usage This command also displays an access point that is directly connected to a RoamAbout switch, if the RoamAbout port to which the access point is connected is configured as a network port instead of an access point access port, and if the network port is a member of a VLAN.
Table 11-18 Output for show dap unconfigured Field Description Port Port number on which this RoamAbout switch received the access point’s Find RoamAbout message. VLAN VLAN on which this RoamAbout switch received the access point’s Find RoamAbout message.
show radio-profile Displays radio profile information. Syntax show radio-profile {name | ?} Parameters name Displays information about the named radio profile. ? Displays a list of radio profiles. Defaults None. Mode Enabled. Usage MSS contains a default radio profile. Enterasys Networks recommends that you do not change this profile but instead keep the profile for reference.
Table 11-19 Output for show radio-profile (continued) Output What it displays... Max Rx Lifetime Number of milliseconds that a frame scheduled to be transmitted by a radio in the radio profile can remain in buffer memory. RTS Threshold Minimum length (in bytes) a frame can be for a radio in the radio profile to use the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.
Table 11-19 Output for show radio-profile (continued) Output What it displays... Service profiles Service profiles mapped to this radio profile. Each service profile contains an SSID and encryption information for that SSID. Note: When you upgrade from 2.x, MSS creates a default-dot1x service profile for encrypted SSIDs and a default-clear service profile for unencrypted SSIDs. These default service profiles contain the default encryption settings for crypto SSIDs and clear SSIDs, respectively.
show service-profile Displays service profile information. Syntax show service-profile {name | ?} Parameters name Displays information about the named service profile. ? Displays a list of service profiles. Defaults None. Mode Enabled.
Table 11-20 Output for show service-profile (continued) Field Description auth-fallthru Secondary (fallthru) encryption type when a user tries to authenticate but the RoamAbout switch managing the radio does not have an authentication rule with a userglob that matches the username. • last-resort—Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password. • none—Denies authentication and prohibits the user from accessing the SSID.
Related Commands • set service‐profile attr on page 11‐78 • set service‐profile auth‐dot1x on page 11‐80 • set service‐profile auth‐fallthru on page 11‐82 • set service‐profile auth‐psk on page 11‐84 • set service‐profile beacon on page 11‐85 • set service‐profile cac‐mode on page 11‐86 • set service‐profile cac‐session on page 11‐87 • set service‐profile cipher‐ccmp on page 11‐88 • set service‐profile cipher‐tkip on page 11‐89 • set service‐profile cipher‐wep104 on page 11‐90 •
• set service‐profile wep key‐index on page 11‐126 • set service‐profile wpa‐ie on page 11‐127
12 STP Commands
Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a RoamAbout switch, to maintain a loop‐free network. This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter. For information about... Refer to page...
clear spantree portcost Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a RoamAbout switch. Syntax clear spantree portcost port-list Parameters port‐list List of ports. The port cost is reset on the specified ports. Defaults None. Mode Enabled. Usage This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.
clear spantree portpri Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on a RoamAbout switch. Syntax clear spantree portpri port-list Parameters port‐list List of ports. The port priority is reset to 32 (the default) on the specified ports. Defaults None. Mode Enabled. Usage This command resets the priority in all VLANs. To reset the priority for only specific VLANs, use the clear spantree portvlanpri command.
clear spantree portvlancost Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a RoamAbout switch, or for all VLANs. Syntax clear spantree portvlancost port-list {all | vlan vlan-id} Parameters port‐list List of ports. The port cost is reset on the specified ports. all Resets the cost for all VLANs. vlan vlan‐id VLAN name or number. MSS resets the cost for only the specified VLAN. Defaults None. Mode Enabled.
clear spantree portvlanpri Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs. Syntax clear spantree portvlanpri port-list {all | vlan vlan-id} Parameters port‐list List of ports. The port priority is reset to 32 (the default) on the specified ports. all Resets the priority for all VLANs. vlan vlan‐id VLAN name or number. MSS resets the priority for only the specified VLAN. Defaults None.
clear spantree statistics Clears STP statistics counters for a network port or ports and resets them to 0. Syntax clear spantree statistics port-list [vlan vlan-id] Parameters port‐list List of ports. Statistics counters are reset on the specified ports. vlan vlan‐id VLAN name or number. MSS resets statistics counters for only the specified VLAN. Defaults None. Mode Enabled.
set spantree Enables or disables STP on one VLAN or all VLANs configured on a RoamAbout switch. Syntax set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}] Parameters enable Enables STP. disable Disables STP. all Enables or disables STP on all VLANs. vlan vlan‐id VLAN name or number. MSS enables or disables STP on only the specified VLAN, on all ports within the VLAN. port port‐list vlan‐id Port number or list and the VLAN the ports are in.
set spantree backbonefast Enables or disables STP backbone fast convergence on a RoamAbout switch. This feature accelerates a port’s recovery following the failure of an indirect link. Syntax set spantree backbonefast {enable | disable} Parameters enable Enables backbone fast convergence. disable Disables backbone fast convergence. Defaults STP backbone fast path convergence is disabled by default. Mode Enabled.
set spantree fwddelay Changes the period of time after a topology change that a RoamAbout switch which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of its configured VLANs. (The root bridge always forwards traffic.) Syntax set spantree fwddelay delay {all | vlan vlan-id} Parameters delay Delay value. You can specify from 4 through 30 seconds. all Changes the forwarding delay on all VLANs. vlan vlan‐id VLAN name or number.
set spantree hello Changes the interval between STP hello messages sent by a RoamAbout switch when operating as the root bridge, on one or all of its configured VLANs. Syntax set spantree hello interval {all | vlan vlan-id} Parameters interval Interval value. You can specify from 1 through 10 seconds. all Changes the interval on all VLANs. vlan vlan‐id VLAN name or number. MSS changes the interval on only the specified VLAN. Defaults The default hello timer interval is 2 seconds. Mode Enabled.
set spantree maxage Changes the maximum age for an STP root bridge hello packet that is acceptable to a RoamAbout switch acting as a designated bridge on one or all of its VLANs. After waiting this period of time for a new hello packet, the switch determines that the root bridge is unavailable and issues a topology change message. Syntax set spantree maxage aging-time {all | vlan vlan-id} Parameters aging‐time Maximum age value. You can specify from 6 through 40 seconds.
set spantree portcost Changes the cost that transmission through a network port or ports in the default VLAN on a RoamAbout switch adds to the total cost of a path to the STP root bridge. Syntax set spantree portcost port-list cost cost Parameters port‐list List of ports. MSS applies the cost change to all the specified ports. cost cost Numeric value. You can specify a value from 1 through 65,535. STP selects lower‐cost paths over higher‐cost paths.
Related Commands • clear spantree portcost on page 12‐2 • clear spantree portvlancost on page 12‐4 • set spantree portvlancost on page 12‐16 • show spantree on page 12‐20 • show spantree portvlancost on page 12‐27
set spantree portfast Enables or disables STP port fast convergence on one or more ports on a RoamAbout switch. Syntax set spantree portfast port port-list {enable | disable} Parameters port port‐list List of ports. MSS enables the feature on the specified ports. enable Enables port fast convergence. disable Disables port fast convergence. Defaults STP port fast convergence is disabled by default. Mode Enabled.
set spantree portpri Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on a RoamAbout switch. Syntax set spantree portpri port-list priority value Parameters port‐list List of ports. MSS changes the priority on the specified ports. priority value Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority). Defaults The default STP priority for all network ports is 128. Mode Enabled.
set spantree portvlancost Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a RoamAbout switch. Syntax set spantree portvlancost port-list cost cost {all | vlan vlan-id} Parameters port‐list List of ports. MSS applies the cost change to all the specified ports. cost cost Numeric value. You can specify a value from 1 through 65,535. STP selects lower‐cost paths over higher‐cost paths. all Changes the cost on all VLANs.
set spantree portvlanpri Changes the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs. Syntax set spantree portvlanpri port-list priority value {all | vlan vlan-id} Parameters port‐list List of ports. MSS changes the priority on the specified ports. priority value Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority). all Changes the priority on all VLANs.
set spantree priority Changes the STP root bridge priority of a RoamAbout switch on one or all of its VLANs. Syntax set spantree priority value {all | vlan vlan-id} Parameters priority value Priority value. You can specify a value from 0 through 65,535. The bridge with the lowest priority value is elected to be the root bridge for the spanning tree. all Changes the bridge priority on all VLANs. vlan vlan‐id VLAN name or number. MSS changes the bridge priority on only the specified VLAN.
set spantree uplinkfast Enables or disables STP uplink fast convergence on a RoamAbout switch. This feature enables a RoamAbout switch with redundant links to the network backbone to immediately switch to the backup link to the root bridge if the primary link fails. Syntax set spantree uplinkfast {enable | disable} Parameters enable Enables uplink fast convergence. disable Disables uplink fast convergence. Defaults Disabled. Mode Enabled.
show spantree Displays STP configuration and port‐state information. Syntax show spantree [port port-list | vlan vlan-id] [active] Parameters port port‐list List of ports. If you do not specify any ports, MSS displays STP information for all ports. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays STP information for all VLANs. active Displays information for only the active (forwarding) ports. Defaults None. Mode All.
8     1  Disabled    19  128  Disabled
10    1  Forwarding  19  128  Disabled
15    1  Disabled    19  128  Disabled
16    1  Disabled    19  128  Disabled
17    1  STP Off     19  128  Disabled
18    1  STP Off     19  128  Disabled
19    1  Disabled    19  128  Disabled
20    1  Disabled    19  128  Disabled
21    1  Disabled     4  128  Disabled
22    1  Disabled     4  128  Disabled
Table 12‐2 describes the fields in this display.
Table 12-2 Output for show spantree
Output What It Displays...
VLAN VLAN number.
Table 12-2 Output for show spantree (continued)
Output What It Displays...
STP-State or Port-State STP state of the port:
• Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
• Disabled—This state can indicate any of the following conditions:
- The port is inactive.
- The port is disabled.
- STP is enabled on the port but the port is not forwarding traffic. (The port is active and enabled but STP has just started to come up.
show spantree backbonefast Indicates whether the STP backbone fast convergence feature is enabled or disabled. Syntax show spantree backbonefast Parameters None. Defaults None. Mode All.
show spantree blockedports Lists information about RoamAbout switch ports that STP has blocked on one or all of its VLANs. Syntax show spantree blockedports [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays information for blocked ports on all VLANs. Defaults None. Mode All. Usage The command lists information separately for each VLAN.
show spantree portfast Displays STP uplink fast convergence information for all network ports or for one or more network ports. Syntax show spantree portfast [port-list] Parameters port‐list List of ports. If you do not specify any ports, MSS displays uplink fast convergence information for all ports. Defaults None. Mode All.
Table 12-3 Output for show spantree portfast Output What It Displays... Port Port number. VLAN VLAN number.
show spantree portvlancost Displays the cost of a port on a path to the STP root bridge, for each of the port’s VLANs. Syntax show spantree portvlancost port-list Parameters port‐list List of ports. Defaults None. Mode All.
show spantree statistics Displays STP statistics for one or more RoamAbout switch network ports. Syntax show spantree statistics [port-list [vlan vlan-id]] Parameters port‐list List of ports. If you do not specify any ports, MSS displays STP statistics for all ports. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs. Defaults None. Mode All. Usage The command displays statistics separately for each port.
Port based information statistics
config BPDU's xmitted(port/VLAN)        0 (1)
config BPDU's received(port/VLAN)       21825 (43649)
tcn BPDU's xmitted(port/VLAN)           0 (0)
tcn BPDU's received(port/VLAN)          2 (2)
forward transition count (port/VLAN)    1 (1)
scp failure count                       0
root inc trans count (port/VLAN)        1 (1)
inhibit loopguard                       FALSE
loop inc trans count                    0 (0)
Status of Port Timers
forward delay timer forward delay timer value message age timer message age timer value topology change timer topology change timer value hol
BPDU in processing                      FALSE
num of similar BPDU's to process        0
received_inferior_bpdu                  FALSE
next state                              0
src MAC count                           21807
total src MAC count                     21825
curr_src_mac                            00-0b-0e-00-04-30
next_src_mac                            00-0b-0e-02-76-f6
Table 12‐4 describes the fields in this display.
Table 12-4 Output for show spantree statistics
Output What It Displays...
Port Port number.
VLAN VLAN ID.
Spanning Tree enabled for vlan State of the STP feature on the VLAN.
port spanning tree State of the STP feature on the port.
Table 12-4 Output for show spantree statistics (continued) Output What It Displays... config_pending Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port. port_inconsistency Indicates whether the port is in an inconsistent state. config BPDU’s xmitted Number of BPDUs transmitted from the port. A number in parentheses indicates the number of configured BPDUs transmitted by the RoamAbout switch for this VLAN’s spanning tree.
Table 12-4 Output for show spantree statistics (continued) Output What It Displays... bridge priority STP priority of this RoamAbout switch. bridge MAC address MAC address of this RoamAbout switch. bridge hello time Value of the hello timer interval, in seconds, when this RoamAbout switch is the root or is attempting to become the root. bridge forward delay Value of the forwarding delay interval, in seconds, when this RoamAbout switch is the root or is attempting to become the root.
show spantree uplinkfast Displays uplink fast convergence information for one VLAN or all VLANs. Syntax show spantree uplinkfast [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs. Defaults None. Mode All.
13 IGMP Snooping Commands Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a RoamAbout switch. This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter. For information about... Refer to page...
clear igmp statistics Clears IGMP statistics counters on one VLAN or all VLANs on a RoamAbout switch and resets them to 0. Syntax clear igmp statistics [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs. Defaults None. Mode Enabled.
set igmp Disables or reenables IGMP snooping on one VLAN or all VLANs on a RoamAbout switch. Syntax set igmp {enable | disable} [vlan vlan-id] Parameters enable Enables IGMP snooping. disable Disables IGMP snooping. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, IGMP snooping is disabled or reenabled on all VLANs. Defaults IGMP snooping is enabled on all VLANs by default. Mode Enabled.
set igmp lmqi Changes the IGMP last member query interval timer on one VLAN or all VLANs on a RoamAbout switch. Syntax set igmp lmqi tenth-seconds [vlan vlan-id] Parameters lmqi tenth‐seconds Amount of time (in tenths of a second) that the RoamAbout switch waits for a response to a group‐specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group.
set igmp mrouter Adds or removes a port in a RoamAbout switch’s list of ports on which it forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out. Syntax set igmp mrouter port port-list {enable | disable} Parameters port port‐list Port list. MSS adds or removes the specified ports in the list of static multicast router ports. enable Adds the port to the list of static multicast router ports.
set igmp mrsol Enables or disables multicast router solicitation by a RoamAbout switch on one VLAN or all VLANs. Syntax set igmp mrsol {enable | disable} [vlan vlan-id] Parameters enable Enables multicast router solicitation. disable Disables multicast router solicitation. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs. Defaults Multicast router solicitation is disabled on all VLANs by default. Mode Enabled.
set igmp mrsol mrsi Changes the interval between multicast router solicitations by a RoamAbout switch on one VLAN or all VLANs. Syntax set igmp mrsol mrsi seconds [vlan vlan-id] Parameters seconds Number of seconds between multicast router solicitations. You can specify a value from 1 through 65,535. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS changes the multicast router solicitation interval for all VLANs.
set igmp oqi Changes the IGMP other‐querier‐present interval timer on one VLAN or all VLANs on a RoamAbout switch. Syntax set igmp oqi seconds [vlan vlan-id] Parameters oqi seconds Number of seconds that the RoamAbout switch waits for a general query to arrive before electing itself the querier. You can specify a value from 1 through 65,535. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
set igmp proxy-report Disables or reenables proxy reporting by a RoamAbout switch on one VLAN or all VLANs. Syntax set igmp proxy-report {enable | disable} [vlan vlan-id] Parameters enable Enables proxy reporting. disable Disables proxy reporting. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs. Defaults Proxy reporting is enabled on all VLANs by default. Mode Enabled.
set igmp qi Changes the IGMP query interval timer on one VLAN or all VLANs on a RoamAbout switch. Syntax set igmp qi seconds [vlan vlan-id] Parameters qi seconds Number of seconds that elapse between general queries sent by the RoamAbout switch when the switch is the querier for the subnet. You can specify a value from 1 through 65,535. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs. Defaults The default query interval is 125 seconds.
set igmp qri Changes the IGMP query response interval timer on one VLAN or all VLANs on a RoamAbout switch. Syntax set igmp qri tenth-seconds [vlan vlan-id] Parameters qri tenth‐seconds Amount of time (in tenths of a second) that the RoamAbout switch waits for a receiver to respond to a group‐specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535. vlan vlan‐id VLAN name or number.
set igmp querier Enables or disables the IGMP pseudo‐querier on a RoamAbout switch, on one VLAN or all VLANs. Syntax set igmp querier {enable | disable} [vlan vlan-id] Parameters enable Enables the pseudo‐querier. disable Disables the pseudo‐querier. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, the pseudo‐querier is enabled or disabled on all VLANs. Defaults The pseudo‐querier is disabled on all VLANs by default. Mode Enabled.
set igmp receiver Adds or removes a network port in the list of ports on which a RoamAbout switch forwards traffic to multicast receivers. Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out. Syntax set igmp receiver port port-list {enable | disable} Parameters port port‐list Network port list. MSS adds the specified ports to the list of static multicast receiver ports.
set igmp rv Changes the robustness value for one VLAN or all VLANs on a RoamAbout switch. Robustness adjusts the IGMP timers to the amount of traffic loss that occurs on the network. Syntax set igmp rv num [vlan vlan-id] Parameters num Robustness value. You can specify a value from 2 through 255. Set the robustness value higher to adjust for more traffic loss. vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS changes the robustness value for all VLANs.
show igmp Displays IGMP configuration information and statistics for one VLAN or all VLANs. Syntax show igmp [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays IGMP information for all VLANs. Defaults None. Mode All.
IGMP message type  Received  Transmitted  Dropped
-----------------  --------  -----------  -------
General-Queries           0            0        0
GS-Queries                0            0        0
Report V1                 0            0        0
Report V2                 5            1        4
Leave                     0            0        0
Mrouter-Adv               0            0        0
Mrouter-Term              0            0        0
Mrouter-Sol              50          101        0
DVMRP                     4            4        0
PIM V1                    0            0        0
PIM V2                    0            0        0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
Table 13‐1 describes the fields in this display.
Table 13-1 Output for show igmp (continued) Output What It Displays... Type How the RoamAbout switch learned that the port is a multicast router port: • conf — Static multicast port configured by an administrator • madv—Multicast advertisement • quer—IGMP query • dvmrp—Distance Vector Multicast Routing Protocol (DVMRP) • pimv1—Protocol Independent Multicast (PIM) version 1 • pimv2—PIM version 2 TTL Number of seconds before this entry ages out if not refreshed.
Related Commands • show igmp mrouter on page 13‐19 • show igmp querier on page 13‐21 • show igmp receiver‐table on page 13‐23 • show igmp statistics on page 13‐25
show igmp mrouter Displays the multicast routers in a RoamAbout switch’s subnet, on one VLAN or all VLANs. Routers are listed separately for each VLAN, according to the port number through which the switch can reach the router. Syntax show igmp mrouter [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays the multicast routers in all VLANs. Defaults None. Mode All.
Table 13-2 Output for show igmp mrouter (continued) Output What It Displays... TTL Number of seconds before this entry ages out if unused. For static multicast router entries, the TTL value is undef. Static multicast router entries do not age out.
show igmp querier Displays information about the active multicast querier, on one VLAN or all VLANs. Queriers are listed separately for each VLAN. Each VLAN can have only one querier. Syntax show igmp querier [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays querier information for all VLANs. Defaults None. Mode Enabled.
Table 13-3 Output for show igmp querier Output What It Displays... Querier for vlan VLAN containing the querier. Information is listed separately for each VLAN. Querier-IP IP address of the querier interface. Querier-MAC MAC address of the querier interface. TTL Number of seconds before this entry ages out if the RoamAbout switch does not receive a query message from the querier.
show igmp receiver-table Displays the receivers to which a RoamAbout switch forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask. Syntax show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays the multicast receivers on all VLANs.
237.255.255.17   11  10.10.40.41  00:02:06:08:02:0c   12
237.255.255.255   6  10.10.60.61  00:05:09:0c:0a:01  111
Table 13‐4 describes the fields in this display.
Table 13-4 Output for show igmp receiver-table
Output What It Displays...
VLAN VLAN that contains the multicast receiver ports. Ports are listed separately for each VLAN.
Session IP address of the multicast group being received.
Port Physical port through which the RoamAbout switch can reach the receiver.
show igmp statistics Displays IGMP statistics. Syntax show igmp statistics [vlan vlan-id] Parameters vlan vlan‐id VLAN name or number. If you do not specify a VLAN, MSS displays IGMP statistics for all VLANs. Defaults None. Mode All.
Table 13-5 Output for show igmp statistics Output What It Displays... IGMP statistics for vlan VLAN name. Statistics are listed separately for each VLAN. IGMP message type Type of IGMP message: • General-Queries—General group membership queries sent by the multicast querier (multicast router or pseudo-querier). • GS-Queries—Group-specific queries sent by the multicast querier to determine whether there are receivers for a specific group.
Table 13-5 Output for show igmp statistics (continued) Output What It Displays... Packets with bad IGMP checksum Number of packets with an invalid IGMP checksum value. Packets dropped Number of multicast packets dropped by the RoamAbout switch.
14 Security ACL Commands Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering. (Security ACLs are different from the location policy on a RoamAbout Switch which helps you locally control user access. For location policy commands, see Chapter 8, AAA Commands.
clear security acl Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration. Syntax clear security acl {acl-name | all} [editbuffer-index] Parameters acl‐name Name of an existing security ACL to clear. ACL names start with a letter and are case‐insensitive. all Clears all security ACLs.
1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
RBT-8100# clear security acl acl_133
RBT-8100# commit security acl acl_133
configuration accepted
RBT-8100# show security acl info all
ACL information for all
set security acl ip acl_134 (hits #3 0)
--------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any enable-hits
set security acl ip acl_135 (hits #2 0)
--------------------------------------------------------
1.
clear security acl map Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on a RoamAbout Switch. Note: Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To delete a security ACL from a user or group in the local RoamAbout Switch database, use the command clear user attr, clear mac-user attr, clear usergroup attr, or clear mac-usergroup attr.
Examples To clear the mapping of security ACL acljoe from port 4 for incoming packets, type the following command: RBT-8100# clear security acl map acljoe port 4 in clear mapping accepted To clear all physical ports, virtual ports, and VLANs on a RoamAbout Switch of the ACLs mapped for incoming and outgoing traffic, type the following command: RBT-8100# clear security acl map all success: change accepted.
commit security acl Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the RoamAbout Switch. Or, when used with the clear security acl command, commit security acl deletes a security ACL, or all security ACLs, from the running configuration and nonvolatile storage. Syntax commit security acl {acl-name | all} Parameters acl‐name Name of an existing security ACL to commit. ACL names must start with a letter and are case‐insensitive.
Related Commands • clear security acl on page 14‐2 • rollback security acl on page 14‐8 • set security acl on page 14‐9 • show security acl on page 14‐17 • show security acl info on page 14‐20
rollback security acl Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled back to its state after the last commit security acl command was entered. All uncommitted ACLs in the edit buffer are cleared. Syntax rollback security acl {acl-name | all} Parameters acl‐name Name of an existing security ACL to roll back. ACL names must start with a letter and are case‐insensitive. all Rolls back all security ACLs in the edit buffer, clearing all uncommitted ACEs.
set security acl In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE) to a security ACL, and/or reorders ACEs in the ACL. The ACEs in an ACL filter IP packets by source IP address, a Layer 4 protocol, or IP, ICMP, TCP, or UDP packet information.
Parameters acl‐name Security ACL name. ACL names must be unique within the RoamAbout Switch, must start with a letter, and are case‐insensitive. Specify an ACL name of up to 32 of the following characters: • Letters a through z and A through Z • Numbers 0 through 9 • Hyphen (‐), underscore (_), and period (.) Enterasys Networks recommends that you do not use the same name with different capitalizations for ACLs. For example, do not configure two separate ACLs with the names acl_123 and ACL_123.
operator port [port2] Operand and port number(s) for matching TCP or UDP packets to the number of the source or destination port on source‐ip‐addr or destination‐ip‐ addr. Specify one of the following operands and the associated port: • eq—Packets are filtered for only port number. • gt—Packets are filtered for all ports that are greater than port number. • lt—Packets are filtered for all ports that are less than port number. • neq—Packets are filtered for all ports except port number.
established For TCP packets only, applies the ACE only to established TCP sessions and not to new TCP sessions. before editbuffer‐ index Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use show security acl editbuffer.) modify editbuffer‐ index Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer.
Examples The following command adds an ACE to security acl_123 that permits packets from IP address 192.168.1.11/24 and counts the hits: RBT-8100# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11: RBT-8100# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0 The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.
set security acl map Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed AP on the RoamAbout Switch. Note: To assign a security ACL to a user or group in the local RoamAbout Switch database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS server.
Example The following command maps security ACL acl_133 to port 4 for incoming packets: RBT-8100# set security acl map acl_133 port 4 in success: change accepted.
set security acl hit-sample-rate Specifies the time interval, in seconds, at which the packet counter for each security ACL is sampled for display. The counter counts the number of packets filtered by the security ACL—or “hits.” Syntax set security acl hit-sample-rate seconds Parameters seconds Number of seconds between samples. A sample rate of 0 (zero) disables the sample process. Defaults By default, the hits are not sampled. Mode Enabled.
show security acl Displays a summary of the security ACLs that are mapped. Syntax show security acl Defaults None. Mode Enabled. Usage This command lists only the ACLs that have been mapped to something (a user, or VLAN, or port, and so on). To list all committed ACLs, use the show security acl info command. To list ACLs that have not yet been committed, use the show security acl editbuffer command.
show security acl editbuffer Displays a summary of the security ACLs that have not yet been committed to the configuration. Syntax show security acl [info all] editbuffer Parameters info all Displays the ACEs in each uncommitted ACL. Without this option, only the ACE names are listed. Defaults None. Mode Enabled.
show security acl hits Displays the number of packets filtered by security ACLs (“hits”) on the RoamAbout Switch. Each time a packet is filtered by a security ACL, the hit counter increments. Syntax show security acl hits Parameters None. Defaults None. Mode Enabled. Usage For MSS to count hits for a security ACL, you must specify hits in the set security acl commands that define ACE rules for the ACL.
show security acl info Displays the contents of a specified security ACL or all security ACLs that are committed—saved in the running configuration and nonvolatile storage—or the contents of security ACLs in the edit buffer before they are committed. Syntax show security acl info [acl‐name | all] [editbuffer] Parameters acl‐name Name of an existing security ACL to display. ACL names must start with a letter and are case‐insensitive. all Displays the contents of all security ACLs.
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits 2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any 3. deny SRC source IP 192.168.1.234 255.255.255.
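The following is an added example, not part of the Enterasys manual and not MSS code. It parses source-IP ACEs in the display form shown above, applies the wildcard (inverse) mask, and reports ACEs that an earlier ACE makes unreachable, which is the ordering problem the before editbuffer-index option exists to fix. Assumptions: ACEs are evaluated in index order with the first match deciding; lines 3 and 4 of the sample are constructed; all function names are hypothetical.

```python
"""Audit security ACEs in the form printed by `show security acl info`."""
import ipaddress
import re
from dataclasses import dataclass, replace

# Display form taken from the page, e.g.
# "1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits"
ACE_RE = re.compile(
    r"^\s*(\d+)\.\s+(permit|deny)\s+IP\s+source\s+IP\s+(\S+)\s+(\S+)"
    r"\s+destination\s+IP\s+any(\s+enable-hits)?\s*$"
)
MASK32 = 0xFFFFFFFF


def _ip(text):
    """Dotted-quad string to 32-bit integer (raises ValueError if malformed)."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    index: int
    action: str    # "permit" or "deny"
    addr: int
    wildcard: int  # inverse mask: bits set to 1 are ignored when matching
    hits: bool

    def matches(self, src):
        care = ~self.wildcard & MASK32
        return ((_ip(src) ^ self.addr) & care) == 0

    def covers(self, other):
        """True if every source matched by `other` is also matched by self."""
        care = ~self.wildcard & MASK32
        if other.wildcard & care:  # `other` leaves free a bit that self pins
            return False
        return ((self.addr ^ other.addr) & care) == 0


def parse_acl(text):
    """Parse display lines into Ace objects; reject lines that do not parse,
    such as an ACE cut short in a capture."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed ACE line: {line!r}")
        idx, action, addr, wildcard, hits = m.groups()
        aces.append(Ace(int(idx), action, _ip(addr), _ip(wildcard), bool(hits)))
    return aces


def evaluate(aces, src):
    """First matching ACE decides (assumption of this example)."""
    for ace in aces:
        if ace.matches(src):
            return ace.action, ace.index
    return "no-match", None


def shadowed(aces):
    """List (later_index, earlier_index, kind) for ACEs that can never match.
    kind is "conflict" when the actions differ, else "redundant"."""
    findings = []
    for pos, later in enumerate(aces):
        for earlier in aces[:pos]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((later.index, earlier.index, kind))
                break
    return findings


def move_before(aces, index, before):
    """Model the effect of re-entering ACE `index` in front of ACE `before`;
    the result is renumbered from 1."""
    moving = next(a for a in aces if a.index == index)
    rest = [a for a in aces if a.index != index]
    pos = next(i for i, a in enumerate(rest) if a.index == before)
    rest.insert(pos, moving)
    return [replace(a, index=n) for n, a in enumerate(rest, start=1)]


# Lines 1-2 are the ACEs shown on the page; lines 3-4 are constructed.
SAMPLE = """\
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
3. deny IP source IP 192.168.1.50 0.0.0.0 destination IP any
4. permit IP source IP 192.168.1.128 0.0.0.127 destination IP any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("192.168.1.50 ->", evaluate(acl, "192.168.1.50"))
    for later, earlier, kind in shadowed(acl):
        print(f"ACE {later} is unreachable behind ACE {earlier} ({kind})")
    fixed = move_before(acl, 3, 1)
    print("after reorder, 192.168.1.50 ->", evaluate(fixed, "192.168.1.50"))
```

The "conflict" finding is the one to act on: the deny for 192.168.1.50 never takes effect while the broader permit sits ahead of it.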
show security acl map Displays the VLANs, ports, and virtual ports on the RoamAbout Switch to which a security ACL is assigned. Syntax show security acl map acl-name Parameters acl‐name Name of an existing security ACL for which to show static mapping. ACL names must start with a letter and are case‐insensitive. Defaults None. Mode Enabled.
show security acl resource-usage Displays statistics about the resources used by security ACL filtering on the RoamAbout Switch. Syntax show security acl resource-usage Parameters None. Defaults None. Mode Enabled. Usage Use this command with the help of the Enterasys Global Technical Assistance Center (GTAC) to diagnose an ACL resource problem. (To contact GTAC, see “Getting Help” on page xxiii.
Default action pointer     : c8007dc
L4 global                  : True
No rules                   : False
Non-IP rules               : False
Root in first              : True
Static default action      : False
No per-user (MAC) mapping  : True
Out mapping                : False
In mapping                 : True
No VLAN or PORT mapping    : False
No VPORT mapping           : True
Table 14‐1 explains the fields in the show security acl resource‐usage output.
Table 14-1 show security acl resource-usage Output
Field Description
Number of rules Number of security ACEs currently mapped to ports or VLANs.
Table 14-1 show security acl resource-usage Output (continued) Field Description Port number Control value for handling fragmented IP packets. Note: The current MSS version filters only the first packet of a fragmented IP packet and passes the remaining fragments. Number of action types Number of actions that can be performed by ACLs. This value is always 2, because ACLs can either permit or deny. LUdef in use Number of the lookup definition (LUdef) table currently in use for packet handling.
Table 14-1 show security acl resource-usage Output (continued) Field Description No VLAN or PORT mapping Application of security ACLs to RoamAbout Switch VLANs or ports on the RoamAbout Switch: • True—No security ACLs are mapped to VLANs or ports. • False—Security ACLs are mapped to VLANs or ports. No VPORT mapping Application of security ACLs to RoamAbout Switch virtual ports on the RoamAbout Switch: • True—No security ACLs are mapped to virtual ports.
15 Cryptography Commands A digital certificate is a form of electronic identification for computers. The RoamAbout Switch requires digital certificates to authenticate its communications to RoamAbout Switch Manager and WebView, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the RoamAbout switch performs all EAP processing. Certificates can be generated on the RoamAbout or obtained from a certificate authority (CA).
crypto ca-certificate Installs a certificate authority’s own PKCS #7 certificate into the RoamAbout Switch certificate and key storage area. Syntax crypto ca-certificate {admin | eap | web} PEM-formatted-certificate Parameters admin Stores the certificate authority’s certificate that signed the administrative certificate for the RoamAbout Switch. The administrative certificate authenticates the RoamAbout Switch to RASM or WebView.
Example The following command adds the certificate authority’s certificate to RoamAbout Switch certificate and key storage:
RBT-8100# crypto ca-certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE-----
MIIDwDCCA2qgAwIBAgIQL2jvuu4PO5FAQCyewU3ojANBgkqhkiG9wOBAQUFADCB
mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz
.....
crypto certificate Installs one of the RoamAbout switch’s PKCS #7 certificates into the certificate and key storage area on the RoamAbout. The certificate, which is issued and signed by a certificate authority, authenticates the RoamAbout Switch either to RASM or WebView, or to 802.1X supplicants (clients).
Example The following command installs a certificate:
RBT-8100# crypto certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE-----
MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU
EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
.....
crypto generate key Generates an RSA public‐private encryption key pair that is required for a Certificate Signing Request (CSR) or a self‐signed certificate. For SSH, generates an authentication key. Syntax crypto generate key {admin | domain | eap | ssh | web}{128 | 512 | 1024 | 2048} Parameters admin Generates an administrative key pair for authenticating the RoamAbout Switch to RASM or WebView.
crypto generate request Generates a Certificate Signing Request (CSR). This command outputs a PEM‐formatted PKCS #10 text string that you can cut and paste to another location for delivery to a certificate authority. This command generates either an administrative CSR for use with RASM and WebView, or an EAP CSR for use with 802.1X clients.
Usage To use this command, you must already have generated a public‐private encryption key pair with the crypto generate key command. Enter crypto generate request admin, crypto generate request eap, or crypto generate request web authentication and press Enter. When you are prompted, type the identifying values in the fields, or press Enter if the field is optional. You must enter a common name for the RoamAbout Switch.
crypto generate self-signed Generates a self‐signed certificate for either an administrative certificate for use with RASM or an EAP certificate for use with 802.1X wireless users. Syntax crypto generate self-signed {admin | eap | web} Parameters admin Generates an administrative certificate to authenticate the RoamAbout Switch to RASM or WebView. eap Generates an EAP certificate to authenticate the RoamAbout Switch to 802.1X supplicants (clients).
Usage To use this command, you must already have generated a public‐private encryption key pair with the crypto generate key command.
Example To generate a self‐signed administrative certificate, type the following command:
RBT-8100# crypto generate self-signed admin
Country Name:
State Name:
Locality Name:
Organizational Name:
Organizational Unit:
Common Name: RBT1@example.
crypto otp Sets a one‐time password (OTP) for use with the crypto pkcs12 command. Syntax crypto otp {admin | eap | web} one-time-password Parameters admin Creates a one‐time password for installing a PKCS #12 object file for an administrative certificate and key pair—and optionally the certificate authority’s own certificate—to authenticate the RoamAbout Switch to RASM or WebView.
Example The following command creates the one‐time password hap9iN#ss for installing an EAP certificate and key pair:
RBT-8100# crypto otp eap hap9iN#ss
OTP set
Related Commands crypto pkcs12 on page 15‐13
crypto pkcs12 Unpacks a PKCS #12 object file into the certificate and key storage area on the RoamAbout Switch. This object file contains a public‐private key pair, a RoamAbout certificate signed by a certificate authority, and the certificate authority’s certificate.
Example The following commands copy a PKCS #12 object file for an EAP certificate and key pair—and optionally the certificate authority’s own certificate—from a TFTP server to nonvolatile storage on the RoamAbout Switch, create the one‐time password hap9iN#ss, and unpack the PKCS #12 file:
RBT-8100# copy tftp://192.168.253.1/2048full.p12 2048full.p12
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
RBT-8100# crypto otp eap hap9iN#ss
OTP set
RBT-8100# crypto pkcs12 eap 2048full.
show crypto ca-certificate Displays information about the certificate authority’s PEM‐encoded PKCS #7 certificate. Syntax show crypto ca-certificate {admin | eap | web} Parameters admin Displays information about the certificate authority’s certificate that signed the administrative certificate for the RoamAbout Switch. The administrative certificate authenticates the RoamAbout Switch to RASM or WebView.
Related Commands • crypto ca‐certificate on page 15‐2 • show crypto certificate on page 15‐17
show crypto certificate Displays information about one of the cryptographic certificates installed on the RoamAbout Switch. Syntax show crypto certificate {admin | eap | web} Parameters admin Displays information about the administrative certificate that authenticates the RoamAbout Switch to RASM or WebView. eap Displays information about the EAP certificate that authenticates the RoamAbout Switch to 802.1X supplicants (clients).
show crypto key domain Displays the checksum (also called a fingerprint) of the public key used to authenticate management traffic between RoamAbout Switches. Syntax show crypto key domain Defaults None. Mode Enabled.
show crypto key ssh Displays SSH authentication key information. This command displays the checksum (also called a fingerprint) of the public key. When you connect to the RoamAbout Switch with an SSH client, you can compare the SSH key checksum displayed by the RoamAbout Switch with the one displayed by the client to verify that you really are connected to the RoamAbout Switch and not another device.
16 RADIUS and Server Groups Commands Use RADIUS commands to set up communication between a RoamAbout switch and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users. This chapter presents RADIUS commands alphabetically.
clear radius Resets parameters that were globally configured for RADIUS servers to their default values. Syntax clear radius {deadtime | key | retransmit | timeout} Parameters deadtime Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server. key Password (shared secret key) used to authenticate to the RADIUS server. retransmit Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable.
Related Commands • set radius on page 16‐9 • set radius server on page 16‐14 • show aaa on page 8‐62
clear radius client system-ip Removes the RoamAbout switch’s system IP address from use as the permanent source address in RADIUS client requests from the switch to its RADIUS server(s). Syntax clear radius client system-ip Parameters None. Defaults None. Mode Enabled. Usage The clear radius client system‐ip command causes the RoamAbout switch to use the IP address of the interface through which it sends a RADIUS client request as the source IP address.
clear radius proxy client Removes RADIUS proxy client entries for third‐party APs. Syntax clear radius proxy client all Parameters None. Defaults None. Mode Enabled. Example The following command clears all RADIUS proxy client entries from the switch: RBT-8100# clear radius proxy client all success: change accepted.
clear radius proxy port Removes RADIUS proxy ports configured for third‐party APs. Syntax clear radius proxy port all Parameters None. Defaults None. Mode Enabled. Example The following command clears all RADIUS proxy port entries from the switch: RBT-8100# clear radius proxy port all success: change accepted.
clear radius server Removes the named RADIUS server from the RoamAbout switch configuration. Syntax clear radius server server-name Parameters server‐name Name of a RADIUS server configured to perform remote AAA services for the RoamAbout switch. Defaults None. Mode Enabled. Example The following command removes the RADIUS server rs42 from a list of remote AAA servers: RBT-8100# clear radius server rs42 success: change accepted.
clear server group Removes a RADIUS server group from the configuration, or disables load balancing for the group. Syntax clear server group group-name [load-balance] Parameters group‐name Name of a RADIUS server group configured to perform remote AAA services for RoamAbout switches. load‐balance Ability of group members to share demand for services among servers. Defaults None. Mode Enabled. Usage Deleting a server group removes the server group from the configuration.
set radius Configures global defaults for RADIUS servers that do not explicitly set these values themselves. By default, the RoamAbout switch automatically sets all these values except the password (key). Syntax set radius {deadtime minutes | encrypted-key string | key string | retransmit number | timeout seconds} Parameters deadtime minutes Number of minutes the RoamAbout switch waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server.
Mode Enabled. Usage You can specify only one parameter per command line.
Example The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the RoamAbout switch:
RBT-8100# set radius deadtime 5
success: change accepted.
RBT-8100# set radius key goody
success: change accepted.
RBT-8100# set radius retransmit 1
success: change accepted.
set radius client system-ip Causes all RADIUS requests to be sourced from the IP address specified by the set system ip‐address command, providing a permanent source IP address for RADIUS packets sent from the RoamAbout switch. Syntax set radius client system-ip Defaults None. If you do not use this command, RADIUS packets leaving the RoamAbout switch have the source IP address of the outbound interface, which can change as routing conditions change. Mode Enabled.
set radius proxy client Adds a RADIUS proxy entry for a third‐party AP. The proxy entry specifies the IP address of the AP and the UDP port on which the RoamAbout switch listens for RADIUS traffic from the AP. Syntax set radius proxy client address ip-address [port udp-port-number] key string Parameters address ip‐address IP address of the third‐party AP. Enter the address in dotted decimal notation. port udp‐port‐number UDP port on which the RoamAbout switch listens for RADIUS traffic from the AP.
set radius proxy port Configures the RoamAbout switch port connected to a third‐party AP as a RADIUS proxy for the SSID supported by the AP. Syntax set radius proxy port port-list [tag tag-value] ssid ssid-name Parameters port port‐list RoamAbout switch port(s) connected to the third‐party AP. tag tag‐value 802.1Q tag value in packets sent by the third‐party AP for the SSID. ssid ssid‐name SSID supported by the third‐party AP. Defaults None. Mode Enabled.
set radius server Configures RADIUS servers and their parameters. By default, the RoamAbout switch automatically sets all these values except the password (key). Syntax set radius server server-name [address ip-address] [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit number] [deadtime minutes] [[key string] | [encrypted-key string]] [author-password password] Parameters server‐name Unique name for this RADIUS server.
Defaults Default values are listed below: • auth‐port—UDP port 1812 • acct‐port—UDP port 1813 • timeout—5 seconds • retransmit—3 (the total number of attempts, including the first attempt) • deadtime—0 (zero) minutes (The RoamAbout switch does not designate unresponsive RADIUS servers as unavailable.) • key—No key • encrypted‐key—No key • author‐password—nopassword Mode Enabled.
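The layering described for set radius and set radius server (a per-server value, then the global set radius value, then the built-in default) can be checked offline against a saved configuration. The following Python script is an added example, not part of the Enterasys documentation; the sample configuration, the encrypted-key placeholder, the 16-character minimum and the worst-case wait (timeout multiplied by the number of attempts) are assumptions made here.

```python
# Added example, not Enterasys code: resolve the effective RADIUS settings of
# each server from MSS-style "set radius" lines and flag weak ones.

# Built-in defaults, from the Defaults list of "set radius server".
BUILTIN = {"auth-port": 1812, "acct-port": 1813, "timeout": 5,
           "retransmit": 3, "deadtime": 0}
GLOBAL_OPTS = {"deadtime", "key", "encrypted-key", "retransmit", "timeout"}
SERVER_OPTS = GLOBAL_OPTS | {"address", "auth-port", "acct-port",
                             "author-password"}
MIN_KEY_LEN = 16  # assumption: local policy (RFC 2865 prefers 16+ octets)

# Constructed sample configuration; the encrypted-key value is a placeholder.
SAMPLE = """\
set radius deadtime 5
set radius key goody
set radius retransmit 1
set radius timeout 21
set radius client system-ip
set radius server rs42 address 10.10.1.5
set radius server rs43 address 10.10.1.6 timeout 5 retransmit 3 deadtime 0 key Zq7-constructed-Secret-91
set radius server rs44 address 10.10.1.7 encrypted-key 0a1b2c3d
"""


def parse(config_text):
    """Return (global_opts, {server_name: opts}) from configuration text."""
    global_opts, servers = {}, {}
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:2] != ["set", "radius"] or len(tok) < 4:
            continue
        if tok[2] == "server":
            opts = servers.setdefault(tok[3], {})
            pairs = tok[4:]
            if len(pairs) % 2:
                raise ValueError(f"option without a value: {raw.strip()}")
            for opt, val in zip(pairs[0::2], pairs[1::2]):
                if opt not in SERVER_OPTS:
                    raise ValueError(f"unknown option {opt!r}: {raw.strip()}")
                opts[opt] = val
        elif tok[2] in GLOBAL_OPTS:  # one parameter per "set radius" line
            global_opts[tok[2]] = tok[3]
    return global_opts, servers


def _layer(base, extra):
    """Overlay extra on base; key and encrypted-key replace each other."""
    merged = dict(base)
    if "key" in extra or "encrypted-key" in extra:
        merged.pop("key", None)
        merged.pop("encrypted-key", None)
    merged.update(extra)
    return merged


def effective(config_text):
    """Per-server settings: server value, else global value, else default."""
    global_opts, servers = parse(config_text)
    result = {}
    for name, own in servers.items():
        eff = _layer(_layer(BUILTIN, global_opts), own)
        for opt in BUILTIN:
            eff[opt] = int(eff[opt])
        # retransmit is the total number of attempts, including the first,
        # so this is an upper bound if every attempt waits the full timeout.
        eff["worst-case-wait"] = eff["timeout"] * eff["retransmit"]
        result[name] = eff
    return result


def audit(config_text):
    """Return (server, finding) pairs for settings worth reviewing."""
    findings = []
    for name, eff in effective(config_text).items():
        if "key" not in eff and "encrypted-key" not in eff:
            findings.append((name, "no shared secret (key) configured"))
        elif "key" in eff and len(eff["key"]) < MIN_KEY_LEN:
            findings.append(
                (name, f"shared secret shorter than {MIN_KEY_LEN} characters"))
        if eff["deadtime"] == 0:
            findings.append(
                (name, "deadtime 0: an unresponsive server is never marked unavailable"))
    return findings


if __name__ == "__main__":
    for server, finding in audit(SAMPLE):
        print(f"{server}: {finding}")
```

An encrypted-key value cannot be length-checked from the configuration text, so the script only reports that a key is present for such servers.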
set server group Configures a group of one to four RADIUS servers. Syntax set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] Parameters group‐name Server group name of up to 32 characters, with no spaces or tabs. members server‐name1 server‐name2 server‐name3 server‐name4 The names of one or more configured RADIUS servers. You can enter up to four server names. Defaults None. Mode Enabled.
set server group load-balance Enables or disables load balancing among the RADIUS servers in a server group. Syntax set server group group-name load-balance {enable | disable} Parameters group‐name Server group name of up to 32 characters. load‐balance enable | disable Enables or disables load balancing of authentication requests among the servers in the group. Defaults Load balancing is disabled by default. Mode Enabled.
17 802.1X Management Commands Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a RAS. For best results, change the settings only if you are aware of a problem with the RoamAbout switch’s 802.1X performance. This chapter presents 802.1X commands alphabetically. Use the following table to locate commands in this chapter. For information about configuring 802.1X commands for user authentication, see Chapter 8, AAA Commands. Caution: 802.
For information about... Refer to page... set dot1x timeout supplicant 17-22 set dot1x tx-period 17-23 set dot1x wep-rekey 17-24 set dot1x wep-rekey-period 17-25 show dot1x 17-26
clear dot1x bonded-period Resets the Bonded Auth period to its default value. Syntax clear dot1x bonded-period Parameters None. Defaults The default bonded authentication period is 0 seconds. Mode Enabled. Example To reset the Bonded period to its default, type the following command: RBT-8100# clear dot1x bonded-period success: change accepted.
clear dot1x max-req Resets to the default setting the number of Extensible Authentication Protocol (EAP) requests that the RoamAbout switch retransmits to a supplicant (client). Syntax clear dot1x max-req Parameters None. Defaults The default number is 20. Mode Enabled. Example To reset the number of 802.1X requests the RoamAbout switch can send to the default setting, type the following command: RBT-8100# clear dot1x max-req success: change accepted.
clear dot1x port-control Resets all wired authentication ports on the RoamAbout switch to default 802.1X authentication. Syntax clear dot1x port‐control Defaults By default, all wired authentication ports are set to auto and they process authentication requests as determined by the set authentication dot1X command. Mode Enabled. Usage This command is overridden by the set dot1x authcontrol command. The clear dot1x port‐control command returns port control to the method configured.
clear dot1x quiet-period Resets the quiet period after a failed authentication to the default setting. Syntax clear dot1x quiet-period Parameters None. Defaults The default is 60 seconds. Mode Enabled. Example Type the following command to reset the 802.1X quiet period to the default: RBT-8100# clear dot1x quiet-period success: change accepted. Related Commands • set dot1x quiet‐period on page 17‐17 • show dot1x on page 17‐26
clear dot1x reauth-max Resets the maximum number of reauthorization attempts to the default setting. Syntax clear dot1x reauth-max Parameters None. Defaults The default is 2 attempts. Mode Enabled. Example Type the following command to reset the maximum number of reauthorization attempts to the default: RBT-8100# clear dot1x reauth-max success: change accepted.
clear dot1x reauth-period Resets the time period that must elapse before a reauthentication attempt, to the default time period. Syntax clear dot1x reauth-period Parameters None. Defaults The default is 3600 seconds (1 hour). Mode Enabled. Example Type the following command to reset the default reauthentication time period: RBT-8100# clear dot1x reauth-period success: change accepted. Related Commands • set dot1x reauth‐period on page 17‐20 • show dot1x on page 17‐26
clear dot1x timeout auth-server Resets to the default setting the number of seconds that must elapse before the RoamAbout switch times out a request to a RADIUS server. Syntax clear dot1x timeout auth-server Parameters None. Defaults The default is 30 seconds. Mode Enabled. Example To reset the default timeout for requests to an authentication server, type the following command: RBT-8100# clear dot1x timeout auth-server success: change accepted.
clear dot1x timeout supplicant Resets to the default setting the number of seconds that must elapse before the RoamAbout switch times out an authentication session with a supplicant (client). Syntax clear dot1x timeout supplicant Parameters None. Defaults The default for the authentication timeout sessions is 30 seconds. Mode Enabled. Example Type the following command to reset the timeout period for an authentication session: RBT-8100# clear dot1x timeout supplicant success: change accepted.
clear dot1x tx-period Resets to the default setting the number of seconds that must elapse before the RoamAbout switch retransmits an EAP over LAN (EAPoL) packet. Syntax clear dot1x tx-period Parameters None. Defaults The default is 5 seconds. Mode Enabled. Example Type the following command to reset the EAPoL retransmission time: RBT-8100# clear dot1x tx-period success: change accepted.
set dot1x authcontrol Provides a global override mechanism for 802.1X authentication configuration on wired authentication ports. Syntax set dot1x authcontrol {enable | disable} Parameters enable Allows all wired authentication ports running 802.1X to use the authentication specified per port by the set dot1X port‐control command. disable Forces all wired authentication ports running 802.1X to unconditionally accept all 802.1X authentication attempts with an EAP Success message (ForceAuth).
set dot1x bonded-period Changes the Bonded Auth™ (bonded authentication) period. The Bonded Auth period is the number of seconds MSS allows a Bonded Auth user to reauthenticate. Syntax set dot1x bonded-period seconds Parameters seconds Number of seconds MSS retains session information for an authenticated machine while waiting for a client to (re)authenticate on the same machine. You can change the bonded authentication period to a value from 1 to 300 seconds.
set dot1x key-tx Enables or disables the transmission of encryption key information to the supplicant (client) in EAP over LAN (EAPoL) key messages, after authentication is successful. Syntax set dot1x key-tx {enable | disable} Parameters enable Enables transmission of encryption key information to clients. disable Disables transmission of encryption key information to clients. Defaults Key transmission is enabled by default. Mode Enabled.
set dot1x max-req Sets the maximum number of times the RoamAbout switch retransmits an EAP request to a supplicant (client) before ending the authentication session. Syntax set dot1x max-req number-of-retransmissions Parameters number‐of‐retransmissions Specify a value between 0 and 10. Defaults The default number of EAP retransmissions is 2. Mode Enabled. Usage To support SSIDs that have both 802.
set dot1x port-control Determines the 802.1X authentication behavior on individual wired authentication ports or groups of ports. Syntax set dot1x port-control {forceauth | forceunauth | auto} port-list Parameters forceauth Forces the specified wired authentication port(s) to unconditionally authorize all 802.1X authentication attempts, with an EAP success message. forceunauth Forces the specified wired authentication port(s) to unconditionally reject all 802.
set dot1x quiet-period Sets the number of seconds a RoamAbout switch remains quiet and does not respond to a supplicant after a failed authentication. Syntax set dot1x quiet-period seconds Parameters seconds Specify a value between 0 and 65,535. Defaults The default is 60 seconds. Mode Enabled. Example Type the following command to set the quiet period to 90 seconds: RBT-8100# set dot1x quiet-period 90 success: dot1x quiet period set to 90.
set dot1x reauth Determines whether the RoamAbout switch allows the reauthentication of supplicants (clients). Syntax set dot1x reauth {enable | disable} Parameters enable Permits reauthentication. disable Denies reauthentication. Defaults Reauthentication is enabled by default. Mode Enabled. Example Type the following command to enable reauthentication of supplicants (clients): RBT-8100# set dot1x reauth enable success: dot1x reauthentication enabled.
set dot1x reauth-max Sets the number of reauthentication attempts that the RoamAbout switch makes before the supplicant (client) becomes unauthorized. Syntax set dot1x reauth-max number-of-attempts Parameters number‐of‐attempts Specify a value between 1 and 10. Defaults The default number of reauthentication attempts is 2. Mode Enabled.
set dot1x reauth-period Sets the number of seconds that must elapse before the RoamAbout switch attempts reauthentication. Syntax set dot1x reauth-period seconds Parameters seconds Specify a value between 60 (1 minute) and 1,641,600 (19 days). Defaults The default is 3600 seconds (1 hour). Mode Enabled. Example Type the following command to set the number of seconds to 100 before reauthentication is attempted: RBT-8100# set dot1x reauth-period 100 success: dot1x auth-server timeout set to 100.
set dot1x timeout auth-server Sets the number of seconds that must elapse before the RoamAbout switch times out a request to a RADIUS authentication server. Syntax set dot1x timeout auth-server seconds Parameters seconds Specify a value between 1 and 65,535. Defaults The default is 30 seconds. Mode Enabled. Example Type the following command to set the authentication server timeout to 60 seconds: RBT-8100# set dot1x timeout auth-server 60 success: dot1x auth-server timeout set to 60.
set dot1x timeout supplicant Sets the number of seconds that must elapse before the RoamAbout switch times out an authentication session with a supplicant (client). Syntax set dot1x timeout supplicant seconds Parameters seconds Specify a value between 1 and 65,535. Defaults The default is 30 seconds. Mode Enabled.
set dot1x tx-period Sets the number of seconds that must elapse before the RoamAbout switch retransmits an EAPoL packet. Syntax set dot1x tx-period seconds Parameters seconds Specify a value between 1 and 65,535. Defaults The default is 5 seconds. Mode Enabled. Example Type the following command to set the number of seconds before the RoamAbout switch retransmits an EAPoL packet to 300: RBT-8100# set dot1x tx-period 300 success: dot1x tx-period set to 300.
set dot1x wep-rekey Enables or disables Wired Equivalent Privacy (WEP) rekeying for broadcast and multicast encryption keys. Syntax set dot1x wep-rekey {enable | disable} Parameters enable Causes the broadcast and multicast keys for WEP to be rotated at an interval set by the set dot1x wep‐rekey‐period command for each radio, associated VLAN, and encryption type. The RoamAbout switch generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL key messages.
set dot1x wep-rekey-period Sets the interval for rotating the WEP broadcast and multicast keys. Syntax set dot1x wep-rekey-period seconds Parameters seconds Specify a value between 30 and 1,641,600 (19 days). Defaults The default is 1800 seconds (30 minutes). Mode Enabled.
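The set dot1x commands above each document a value range, and two of them (set dot1x authcontrol disable and set dot1x port-control forceauth) make wired authentication ports accept every 802.1X attempt. The following Python script is an added example, not part of the Enterasys documentation, that checks a saved list of set dot1x lines against those ranges and reports the effective port modes; the sample lines and the comma-and-range port-list syntax are assumptions made here.

```python
# Added example, not Enterasys code: validate "set dot1x" lines against the
# documented ranges and work out which ports bypass 802.1X authentication.

RANGES = {  # inclusive ranges from the Parameters text of each command
    "bonded-period": (1, 300),
    "max-req": (0, 10),
    "quiet-period": (0, 65535),
    "reauth-max": (1, 10),
    "reauth-period": (60, 1641600),
    "timeout auth-server": (1, 65535),
    "timeout supplicant": (1, 65535),
    "tx-period": (1, 65535),
    "wep-rekey-period": (30, 1641600),
}
TOGGLES = {"authcontrol", "key-tx", "reauth", "wep-rekey"}
PORT_MODES = {"forceauth", "forceunauth", "auto"}

# Constructed sample input, one command per line.
SAMPLE_DOT1X = """\
set dot1x quiet-period 90
set dot1x reauth-period 30
set dot1x timeout auth-server 60
set dot1x max-req 12
set dot1x port-control forceauth 3,5-6
set dot1x port-control forceunauth 7
set dot1X wep-rekey disable
"""


def expand_ports(port_list):
    """Expand '3,5-6' to [3, 5, 6]. The list syntax is an assumption."""
    ports = []
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_dot1x(config_text):
    """Return range errors, security findings and effective port modes."""
    errors, toggles, modes = [], {}, {}
    for num, raw in enumerate(config_text.splitlines(), 1):
        tok = raw.lower().split()  # the page writes both dot1x and dot1X
        if tok[:2] != ["set", "dot1x"] or len(tok) < 4:
            continue
        args = tok[2:]
        if args[0] == "timeout" and len(args) >= 3:
            name, value = " ".join(args[:2]), args[2]
        else:
            name, value = args[0], args[1]
        if name in RANGES:
            lo, hi = RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                errors.append((num, f"{name} {value}: outside {lo}-{hi}"))
        elif name in TOGGLES and value in ("enable", "disable"):
            toggles[name] = value  # the last line for a setting wins
        elif name == "port-control" and value in PORT_MODES and len(args) == 3:
            try:
                for port in expand_ports(args[2]):
                    modes[port] = value
            except ValueError:
                errors.append((num, f"bad port list: {args[2]}"))
        else:
            errors.append((num, f"not understood: {' '.join(args)}"))

    findings = []
    if toggles.get("authcontrol") == "disable":
        # Global override: per-port settings no longer apply.
        findings.append("authcontrol disable: all wired authentication ports "
                        "accept every 802.1X attempt (ForceAuth)")
        modes = {port: "forceauth" for port in modes}
    forced = sorted(p for p, m in modes.items() if m == "forceauth")
    if forced:
        findings.append(f"ports that unconditionally authorize: {forced}")
    if toggles.get("reauth") == "disable":
        findings.append("reauth disable: supplicants are not reauthenticated")
    if toggles.get("wep-rekey") == "disable":
        findings.append("wep-rekey disable: WEP broadcast and multicast keys "
                        "are not rotated")
    return {"errors": errors, "findings": findings, "port_modes": modes}


if __name__ == "__main__":
    report = audit_dot1x(SAMPLE_DOT1X)
    for line_no, message in report["errors"]:
        print(f"line {line_no}: {message}")
    for finding in report["findings"]:
        print(finding)
```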
show dot1x Displays 802.1X client information for statistics and configuration settings. Syntax show dot1x {clients | stats | config} Parameters clients Displays information about active 802.1X clients, including client name, MAC address, and state. stats Displays global 802.1X statistics associated with connecting and authenticating. config Displays a summary of the current configuration. Defaults None. Mode Enabled. Example Type the following command to display the 802.
'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU 'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded) 802.
Table 17‐1 explains the counters in the show dot1x stats output. Table 17-1 Output for show dot1x stats Output What It Displays... Enters Connecting Number of times that the RoamAbout switch state transitions to the CONNECTING state from any other state. Logoffs While Connecting Number of times that the RoamAbout switch state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL-Logoff message. Enters Authenticating Number of times that the state wildcard transitions.
18 Session Management Commands Use session management commands to display and clear administrative and network user sessions. This chapter presents session management commands alphabetically.
clear sessions Clears all administrative sessions, or clears administrative console or Telnet sessions. Syntax clear sessions {admin | console | telnet [client [session-id]]} Parameters admin Clears sessions for all users with administrative access to the RoamAbout switch through a Telnet or SSH connection or a console plugged into the switch. console Clears sessions for all users with administrative access to the RoamAbout switch through a console plugged into the switch.
clear sessions network Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID. Syntax clear sessions network {user user-glob | mac-addr mac-addr-glob | vlan vlan-glob | session-id local-session-id} Parameters user user‐glob Clears all network sessions for a single user or set of users.
flags 0000012fh, to change state to KILLING Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING (client=00:06:25:09:39:5d) To clear the session of user Natasha, type the following command: RBT-8100# clear sessions network user Natasha To clear the sessions of users whose name begins with the characters Jo, type the following command: RBT-8100# clear sessions network user Jo* To clear the sessions of all users on VLAN red, type the following command: RBT-8100# clear sessions network vlan
show sessions Displays session information and statistics for all users with administrative access to the RoamAbout switch, or for administrative users with either console or Telnet access. Syntax show sessions {admin | console | telnet [client]} Parameters admin Displays sessions for all users with administrative access to the RoamAbout switch through a Telnet or SSH connection or a console plugged into the switch.
To view information about Telnet user sessions, type the following command:
RBT-8100> show sessions telnet
Tty      Username              Time (s)
-------  --------------------  --------
tty2     sea                   7395
To view information about Telnet client sessions, type the following command:
RBT-8100# show sessions telnet client
Session  Server Address   Server Port
-------  --------------   -----------
0        192.168.1.81     23
1        10.10.1.
show sessions network Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID. Syntax show sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id | wired] [verbose] Parameters user user‐glob Displays all network sessions for a single user or set of users.
Usage MSS displays information about network sessions in three types of displays. See the following tables for field descriptions. Summary display See Table 18-3 on page 18-10. Verbose display See Table 18-4 on page 18-10. show sessions network session-id display See Table 18-5 on page 18-13. Examples To display summary information for all network sessions, type show sessions network.
The following command displays detailed (verbose) session information about user nin@example.com:
RBT-8100> show sessions network user nin@example.com verbose
User                          Sess IP or MAC         VLAN            Port/
Name                          ID   Address           Name            Radio
----------------------------- ---- ----------------- --------------- -----
nin@example.com               5*   10.20.30.40       vlan-eng        1/1
Client MAC: 00:02:2d:6e:ab:a5 GID: SESS-5-000430-686792-d8b3c564
State: ACTIVE (prev AUTHORIZED)
now on: RBT 192.168.12.
Multicast packets in: 317 Multicast bytes in: 10144 Number of packets with encryption errors: 0 Number of bytes with encryption errors: 0 Last packet data rate: 2 Last packet signal strength: -67 dBm Last packet data S/N ratio: 55 For descriptions of the fields of show sessions network session‐id output, see Table 18‐5 on page 18‐13. Table 18-3 Output What It Displays... User Name Up to 30 characters of the name of the authenticated user of this session.
Table 18-4 Output for Additional show sessions network verbose (continued) Output What It Displays... State Status of the session: • AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol. • AUTH AND ASSOC—Client is being associated by the 802.1X protocol, and the user is being authenticated. • AUTHORIZING—User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization. • AUTHORIZED—User has been authorized by an AAA method.
Table 18-4 Output for Additional show sessions network verbose (continued) Output What It Displays... Vlan-Name Authorization attributes for the user and how they were assigned (the sources of the attribute values). (and other attributes if set) For Vlan-Name, the source of the attribute value can be one of the following: • AAA—VLAN is from RADIUS or the local database.
Table 18-5 Output for show sessions network session-id Output What It Displays... Global Id A unique session identifier within the Mobility Domain. State Status of the session: • AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol. • AUTH AND ASSOC—Client is being associated by the 802.1X protocol, and the user is being authenticated. • AUTHORIZING—User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
Table 18-5 Output for show sessions network session-id (continued) Output What It Displays... Unicast bytes out Total number of unicast bytes sent by the RoamAbout switch to the user (64-bit counter). Multicast packets in Total number of multicast packets received from the user by the RoamAbout switch (64-bit counter). Multicast bytes in Total number of multicast bytes received from the user by the RoamAbout switch (64-bit counter).
19 RF Detection Commands MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to an Enterasys Networks device and is not a member of the ignore list configured on the seed switch of the Mobility Domain. MSS can issue countermeasures against rogue devices to prevent clients from being able to use them.
clear rfdetect attack-list Removes a MAC address from the attack list. Syntax clear rfdetect attack-list mac-addr Parameters mac‐addr MAC address you want to remove from the attack list. Defaults None. Mode Enabled. Example The following command clears MAC address 11:22:33:44:55:66 from the attack list: RBT-8100# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist.
clear rfdetect black-list Removes a MAC address from the client black list. Syntax clear rfdetect black-list mac-addr Parameters mac‐addr MAC address you want to remove from the black list. Defaults None. Mode Enabled. Example The following command removes MAC address 11:22:33:44:55:66 from the black list: RBT-8100# clear rfdetect black-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer blacklisted.
clear rfdetect countermeasures mac Removes a rogue BSSID from the list configured by the set rfdetect countermeasures mac command. Syntax set rfdetect countermeasures mac Parameters None. Defaults None. Mode Enabled. Usage This command applies only to rogue devices that you explicitly started countermeasures against using the set rfdetect countermeasures mac command.
clear rfdetect ignore Removes a device from the ignore list for RF scans. MSS does not generate log messages or traps for the devices in the ignore list. Syntax clear rfdetect ignore mac-addr Parameters mac‐addr Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the ignore list. Defaults None. Mode Enabled.
clear rfdetect ssid-list Removes an SSID from the permitted SSID list. Syntax clear rfdetect ssid-list ssid-name Parameters ssid‐name SSID name you want to remove from the permitted SSID list. Defaults None. Mode Enabled. Example The following command clears SSID mycorp from the permitted SSID list: RBT-8100# clear rfdetect ssid-list mycorp success: mycorp is no longer in ssid-list.
clear rfdetect vendor-list Removes an entry from the permitted vendor list. Syntax clear rfdetect vendor-list {client | ap | all} mac-addr | all-macs Parameters client | ap | all Specifies whether the entry is for an AP brand or a client brand, or both types. mac‐addr | all‐macs Organizationally Unique Identifier (OUI) to remove, or all of them. Defaults None. Mode Enabled.
set rfdetect attack-list Adds an entry to the attack list. The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. Syntax set rfdetect attack-list mac-addr Parameters mac-addr MAC address you want to attack. Defaults The attack list is empty by default. Mode Enabled.
set rfdetect black-list Adds an entry to the client black list. The client black list specifies clients that are not allowed on the network. MSS drops all packets from the clients on the black list. Syntax set rfdetect black-list mac-addr Parameters mac‐addr MAC address you want to place on the black list. Defaults The client black list is empty by default. Mode Enabled. Usage In addition to manually configured entries, the list can contain entries added by MSS.
set rfdetect ignore Configures a list of known devices to ignore during an RF scan. MSS does not generate log messages or traps for the devices in the ignore list. Syntax set rfdetect ignore mac-addr Parameters mac‐addr BSSID (MAC address) of the device to ignore. Defaults MSS reports all non‐Enterasys Networks BSSIDs detected during an RF scan. Mode Enabled. Usage Use this command to identify third‐party APs and other devices you are already aware of and do not want MSS to report following RF scans.
set rfdetect log Disables or reenables generation of log messages when rogues are detected or when they disappear. Syntax set rfdetect log {enable | disable} Parameters enable Enables logging of rogues. disable Disables logging of rogues. Defaults RF detection logging is enabled by default. Mode Enabled. Usage This command is valid only on the seed switch of the Mobility Domain. The log messages for rogues are generated only on the seed and appear only in the seed’s log message buffer.
set rfdetect signature Enables access point signatures. An access point signature is a set of bits in a management frame sent by an access point that identifies that access point to MSS. If someone attempts to spoof management packets from an Enterasys Networks access point, MSS can detect the spoof attempt. Syntax set rfdetect signature {enable | disable} Parameters enable Enables access point signatures. disable Disables access point signatures.
set rfdetect ssid-list Adds an SSID to the permitted SSID list. The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. MSS issues countermeasures against the rogue if they are enabled. Syntax set rfdetect ssid-list ssid-name Parameters ssid‐name SSID name you want to add to the permitted SSID list.
set rfdetect vendor-list Adds an entry to the permitted vendor list. The permitted vendor list specifies the third‐party AP or client vendors that are allowed on the network. MSS does not list a device as a rogue or interfering device if the device’s OUI is in the permitted vendor list. Syntax set rfdetect vendor-list {client | ap} mac-addr Parameters client | ap Specifies whether the entry is for an AP brand or a client brand. mac‐addr | all Organizationally Unique Identifier (OUI) to remove.
show rfdetect attack-list Displays information about the MAC addresses in the attack list. Syntax show rfdetect attack-list Parameters None. Defaults None. Mode Enabled.
show rfdetect black-list Displays information about the clients in the client black list. Syntax show rfdetect black-list Parameters None. Defaults None. Mode Enabled.
show rfdetect clients Displays the wireless clients detected by a RoamAbout switch. Syntax show rfdetect clients [mac mac-addr] Parameters mac mac‐addr Displays detailed information for a specific client. Defaults None. Mode Enabled.
Table 19-1 show rfdetect clients Output Output What it displays... Client MAC MAC address of the client. Client Vendor Company that manufactures or sells the client. AP MAC MAC address of the radio with which the rogue client is associated. AP Vendor Company that manufactures or sells the AP with which the rogue client is associated. Port/Radio/Channel Port number, radio number, and channel number of the radio that detected the rogue.
Table 19-2 show rfdetect clients mac Output (continued) Output What it displays... Last Rogue Status Check Number of seconds since the RoamAbout switch looked on the air for the AP with which the rogue client is associated. The switch looks for the client’s AP by sending a packet from the wired side of the network addressed to the client, and watching the air for a wireless packet containing the client’s MAC address.
show rfdetect countermeasures Displays the current status of countermeasures against rogues in the Mobility Domain. Syntax show rfdetect countermeasures Parameters None. Defaults None. Mode Enabled. Usage This command is valid only on the seed switch of the Mobility Domain.
Table 19-3 show rfdetect countermeasures Output (continued) Output What it displays... Rogue MAC BSSID of the rogue. Type Classification of the rogue device: • rogue—Wireless device that is on the network but is not supposed to be on the network. • intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with access point radios. • known—Device that is a legitimate member of the network.
show rfdetect data Displays information about the APs detected by a RoamAbout switch. Displays all the BSSIDs detected by an individual RoamAbout switch during an RF detection scan. The data includes BSSIDs transmitted by other Enterasys Networks radios as well as by third‐ party access points. Syntax show rfdetect data Defaults None. Mode Enabled. Usage You can enter this command on any RoamAbout switch in the Mobility Domain. The output applies only to the switch on which you enter the command.
Table 19‐4 describes the fields in this display. Table 19-4 show rfdetect data Output Output What it displays... BSSID MAC address of the SSID used by the detected device. Vendor Company that manufactures or sells the rogue device. Type Classification of the rogue device: • rogue—Wireless device that is not supposed to be on the network. The device has an entry in a RoamAbout switch’s FDB and is therefore on the network. • intfr—Wireless device that is not part of your network but is not a rogue.
show rfdetect ignore Displays the BSSIDs of third‐party devices that MSS ignores during RF scans. MSS does not generate log messages or traps for the devices in the ignore list. Syntax show rfdetect ignore Parameters None. Defaults None. Mode Enabled.
show rfdetect mobility-domain Displays the rogues detected by all RoamAbout switches in the Mobility Domain during RF detection scans. Syntax show rfdetect mobility-domain [ssid ssid-name | bssid mac-addr] Parameters ssid ssid‐name Displays rogues that are using the specified SSID. bssid mac‐addr Displays rogues that are using the specified BSSID. Defaults None. Mode Enabled. Usage This command is valid only on the seed switch of the Mobility Domain.
The following command displays detailed information for rogues using SSID ets‐webaaa. RBT-8100# show rfdetect mobility-domain ssid ets-webaaa BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: ets-webaaa Type: intfr Adhoc: no Crypto-types: clear RBT-IPaddress: 10.8.121.
Table 19‐5 and Table 19‐6 describe the fields in these displays. Table 19-5 show rfdetect mobility-domain Output Output What it displays... BSSID MAC address of the SSID used by the detected device. Vendor Company that manufactures or sells the rogue device. Type Classification of the rogue device: • rogue—Wireless device that is not supposed to be on the network. The device has an entry in a RoamAbout switch’s FDB and is therefore on the network.
Table 19-6 show rfdetect mobility-domain ssid or bssid Output (continued) Field Description Port/Radio/Channel Port number, radio number, and channel number of the radio that detected the rogue. For a Distributed access point, the connection number is labeled dap. (This stands for distributed ap.) Mac MAC address of the radio that detected the rogue. Device-type Device type detected by the access point radio. Adhoc Ad-hoc status (yes or no) detected by the access point radio.
show rfdetect ssid-list Displays the entries in the permitted SSID list. Syntax show rfdetect ssid-list Parameters None. Defaults None. Mode Enabled.
show rfdetect vendor-list Displays the entries in the permitted vendor list. Syntax show rfdetect vendor-list Parameters None. Defaults None. Mode Enabled.
show rfdetect visible Displays the BSSIDs discovered by a specific Enterasys Networks radio. The data includes BSSIDs transmitted by other Enterasys Networks radios as well as by third‐party access points. Syntax show rfdetect visible mac-addr show rfdetect visible dap dap-num [radio {1 | 2}] Parameters mac‐addr Base MAC address of the Enterasys Networks radio. Note: To display the base MAC address of an Enterasys Networks radio, use the show {ap | dap} status command.
00:0a:5e:4b:4a:c4 00:0a:5e:4b:4a:c6 00:0a:5e:4b:4a:c8 00:0a:5e:4b:4a:ca ... 3Com 3Com 3Com 3Com intfr intfr intfr intfr 11 11 11 11 -85 -85 -83 -85 ic---i-t--i----w i----- ets-ccmp ets-tkip ets-voip ets-webaaa
Table 19‐7 describes the fields in this display. Table 19-7 show rfdetect visible Output Output What it displays... Transmit MAC MAC address of the rogue device that sent the 802.11 packet detected by the access point radio. Vendor Company that manufactures or sells the rogue device.
The following command displays the devices detected by Enterasys Networks radio 1 on the access point connected to RoamAbout port 3:
RBT-8100# show rfdetect visible ap 3 radio 1
Total number of entries: 3
Transmit MAC      Chan     RSS
----------------- -------- ------
00:06:25:51:e9:ff 10       -77
00:0b:0e:00:03:80 1        -79
00:0b:0e:00:a6:00 1        -71
Related Commands • show rfdetect data on page 19‐23 • show rfdetect mobility‐domain on page 19‐26
test rflink Provides information about the RF link between the RoamAbout Switch and the client based on sending test packets to the client. Syntax test rflink {mac mac‐addr | session‐id session‐id} Parameters mac‐addr Tests the RF link between the RoamAbout Switch and the client with the specified MAC address. session‐id Tests the RF link between the RoamAbout Switch and the client with the specified local session ID. Defaults None. Mode Enabled.
Table 19-8 test rflink Output (continued) Field Description SNR Signal-to-noise ratio (SNR), in decibels (dB), of the data received from the client. RTT (micro-secs) The round-trip time, in microseconds, for the client response to the test packets.
20 File Management Commands Use file management commands to manage system files and to display software and boot information. This chapter presents file management commands alphabetically. Use the following table to locate commands in this chapter.
backup Creates an archive of RoamAbout system files and, optionally, user files, in Unix tape archive (tar) format. Syntax backup system [tftp:/ip-addr/]filename [all | critical] Parameters [tftp:/ip‐addr/ ]filename Name of the archive file to create. You can store the file locally in the switch’s nonvolatile storage or on a TFTP server. all Backs up system files and all the files in the user files area. The user files area contains the set of files listed in the file section of dir command output.
Example The following command creates an archive of the system‐critical files and copies the archive directly to a TFTP server. The filename in this example includes a TFTP server IP address, so the archive is not stored locally on the switch. RBT-8100# backup system tftp:/10.10.20.9/sysa_bak critical success: sent 28263 bytes in 0.
clear boot config Resets to the factory default the configuration that MSS loads during a reboot. Syntax clear boot config Defaults None. Mode Enabled. Example The following commands back up the configuration file on a RoamAbout switch, reset the switch to its factory default configuration, and reboot the switch: RBT-8100# copy configuration tftp://10.1.1.1/backupcfg success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec] RBT-8100# clear boot config success: Reset boot config to factory defaults.
copy Performs the following copy operations: • Copies a file from a TFTP server to nonvolatile storage. • Copies a file from nonvolatile storage or temporary storage to a TFTP server. • Copies a file from one area in nonvolatile storage to another. • Copies a file to a new filename in nonvolatile storage. Syntax copy source-url destination-url Parameters source‐url Name and location of the file to copy.
Usage The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a RoamAbout switch’s nonvolatile memory. The tftp://ip‐addr/filename URL refers to a file on a TFTP server. If DNS is configured on the RoamAbout switch, you can specify a TFTP server’s hostname as an alternative to specifying the IP address. The tmp:filename URL specifies a file in temporary storage. You can copy a file out of temporary storage but you cannot copy a file into temporary storage.
delete Deletes a file. Caution: MSS does not prompt you to verify whether you want to delete a file. When you press Enter after typing a delete command, MSS immediately deletes the specified file. Note: MSS does not allow you to delete the currently running software image file or the running configuration. Syntax delete url Parameters url Filename. Specify between 1 and 128 alphanumeric characters, with no spaces.
dir Displays a list of the files in nonvolatile storage and temporary files. Syntax dir [subdirname] Parameters subdirname Subdirectory name. If you specify a subdirectory name, the command lists the files in that subdirectory. Otherwise, the command lists the files in the root directory and also lists the subdirectories. Defaults None. Mode Enabled.
file:
Filename                  Size          Created
file:configuration.txt    3541 bytes    Sep 22 2003, 22:55:44
file:configuration.xml    24 KB         Sep 22 2003, 22:55:44
Total: 27 Kbytes used, 207824 Kbytes free
Table 20‐1 describes the fields in the dir output. Table 20-1 Output for dir Output What It Displays... Filename Filename or subdirectory name. For files, the directory name is shown in front of the filename (for example, file:configuration). The file: directory is the root directory.
install soda agent Installs Sygate On‐Demand (SODA) agent files in a directory on the RoamAbout Switch. Syntax install soda agent agent-file agent-directory directory Parameters agent‐file Name of a .zip file on the RoamAbout Switch containing SODA agent files. directory Directory on the RoamAbout Switch where SODA agent files are to be installed. The command automatically creates this directory. Defaults None. Mode Enabled. Usage Use this command to install a .
load config Caution: This command completely removes the running configuration and replaces it with the configuration contained in the file. Enterasys Networks recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration. Loads configuration commands from a file and replaces the RoamAbout switch’s running configuration with the commands in the loaded file. Syntax load config [url] Parameters url Filename.
The following command loads configuration file testconfig1:
RBT-8100# load config testconfig1
Reloading configuration may result in lost of connectivity, do you wish to continue? (y/n) [n]y
success: Configuration reloaded
Related Commands • save config on page 20‐20 • show boot on page 20‐24 • show config on page 20‐26
md5 Calculates the MD5 checksum for a file in the switch’s nonvolatile storage. Syntax md5 [boot0: | boot1:]filename Parameters boot0: | boot1: Boot partition into which you copied the file. filename Name of the file. Defaults None. Mode Enabled. Example You must include the boot partition name in front of the filename. If you specify only the filename, the CLI displays a message stating that the file does not exist. The following command calculates the checksum for image file RBT040003.
mkdir Creates a new subdirectory in nonvolatile storage. Syntax mkdir [subdirname] Parameters subdirname Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces. Defaults None. Mode Enabled. Example The following commands create a subdirectory called corp2 and display the root directory to verify the result: RBT-8100# mkdir corp2 success: change accepted.
Related Commands • dir on page 20‐8 • rmdir on page 20‐19
reset system Restarts a RoamAbout switch and reboots the software. Syntax reset system [force] Parameters force Immediately restarts the system and reboots, without comparing the running configuration to the configuration file. Defaults None. Mode Enabled. Usage If you do not use the force option, the command first compares the running configuration to the configuration file.
restore Unzips a system archive created by the backup command and copies the files from the archive onto the switch. Syntax restore system [tftp:/ip-addr/]filename [all | critical] [force] Parameters [tftp:/ip‐addr/ ]filename Name of the archive file to load. The archive can be located in the switch’s nonvolatile storage or on a TFTP server. all Restores system files and the user files from the archive.
If the configuration running on the switch is different from the one in the archive or you renamed the configuration file, and you want to retain changes that were made after the archive was created, see the “Managing System Files” chapter of the RoamAbout Mobility System Software Configuration Guide. Example The following command restores system‐critical files on a switch, from archive sysa_bak: RBT-8100# restore system tftp:/10.10.20.9/sysa_bak success: received 11908 bytes in 0.
rmdir Removes a subdirectory from nonvolatile storage. Syntax rmdir [subdirname] Parameters subdirname Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces. Defaults None. Mode Enabled. Usage MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it. Example The following example removes subdirectory corp2: RBT-8100# rmdir corp2 success: change accepted.
save config Saves the running configuration to a configuration file. Syntax save config [filename] Parameters filename Name of the configuration file. Specify between 1 and 128 alphanumeric characters, with no spaces. To save the file in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/ config_c. Defaults By default, MSS saves the running configuration as the configuration filename used during the last reboot.
set boot configuration-file Changes the configuration file to load after rebooting. Syntax set boot configuration-file filename Parameters filename Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. To load the file from a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c. Defaults The default configuration filename is configuration. Mode Enabled.
set boot image Changes the software image to load after rebooting a RoamAbout switch running MSS Version 1.0. Note: This command applies only when upgrading from MSS Version 1.0 to 1.1. The command is deprecated in 1.1. Syntax set boot image filename Parameters filename Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. Defaults None. Mode Enabled. Example The following command sets the boot image to 1_0_upgrade_RBT010101.020: RBT-8100# set boot image 1_0_upgrade_RBT010101.
set boot partition Specifies the boot partition in which to look for the system image file following the next system reset, software reload, or power cycle. Syntax set boot partition {boot0 | boot1} Parameters boot0 Boot partition 0. boot1 Boot partition 1. Defaults By default, a RoamAbout switch uses the same boot partition for the next software reload that was used to boot the currently running image. Mode Enabled.
show boot Displays the system image and configuration filenames used after the last reboot and configured for use after the next reboot. Syntax show boot Parameters None. Defaults None. Mode Access. Example The following command shows the boot information for a RoamAbout switch:
RBT-8100# show boot
Configured boot image:         boot0:RBT020003.020
Configured boot configuration: file:newconfig
Booted version:                2.0.3
Booted image:                  boot1:RBT020101.
Booted configuration:
Product model:
Related Commands • clear boot config on page 20‐4 • reset system on page 20‐16 • set boot configuration‐file on page 20‐21 • show version on page 20‐28
show config Displays the configuration running on the RoamAbout switch. Syntax show config [area area] [all] Parameters area area Configuration area.
Usage If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas. If you specify an area, commands are displayed for that area only. If you use the all option, the display also includes commands for configuration items that are set to their default values. Example The following command shows configuration information for VLANs: RBT-8100# show config area vlan # Configuration nvgen'd at 2004-5-21 19:36:48 # Image 3.0.
show version Displays software and hardware version information for a RoamAbout switch and, optionally, for any attached access points. Syntax show version [details] Parameters details Includes additional software build information and information about the access points configured on the RoamAbout switch. Defaults None Mode All. Example The following command displays version information for a RoamAbout switch: RBT-8100# show version Mobility System Software, Version: 3.0.
Flash:      3.0.0.375 - md0a
Kernel:     3.0.0#43: Wed Jun 30 05:17:44 PDT 2004
BootLoader: 1.19 / 1.7.4
Port/DAP AP Model   Serial #    Versions
-------- ---------- ----------- -----------------------
/23      AP3000     0123456789  H/W  : A3
                                F/W1 : 5.6
                                F/W2 : 5.6
                                S/W  : 3.0.0
/24      AP3000     9876543210  H/W  : A3
                                F/W1 : 5.6
                                F/W2 : N/A
                                S/W  : 3.0.0
Table 20‐3 describes the fields in the show version output. Table 20-3 Output for show version Output What It Displays... Build Information Factory timestamp of the image file.
uninstall soda agent Removes the contents of a directory containing SODA agent files. uninstall soda agent agent-directory directory Parameters directory Directory on the RoamAbout Switch where SODA agent files are to be removed. Defaults None. Mode Enabled. Usage Use this command to remove a SODA agent directory and all of its contents. All files in the specified directory are removed. The command removes the directory and its contents, regardless of whether it contains SODA agent files.
21 Trace Commands Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command. Caution: Using the set trace command can have adverse effects on system performance. Enterasys Networks, Inc.
clear log trace Deletes the log messages stored in the trace buffer. Syntax clear log trace Parameters None. Defaults None. Mode Enabled.
clear trace Deletes running trace commands and ends trace processes. Syntax clear trace {trace-area | all} Parameters trace‐area Ends a particular trace process. Specify one of the following keywords to end the traces documented in this chapter: • authorization—Ends an authorization trace • dot1x—Ends an 802.1X trace • authentication—Ends an authentication trace • sm—Ends a session manager trace all Ends all trace processes. Defaults None. Mode Enabled.
save trace Saves the accumulated trace data for enabled traces to a file in the RoamAbout switch’s nonvolatile storage. Syntax save trace filename Parameters filename Name for the trace file. To save the file in a subdirectory, specify the subdirectory name, then a slash. For example: traces/trace1 Defaults None. Mode Enabled.
set trace authentication Traces authentication information. Syntax set trace authentication [mac-addr mac-address] [port port-num] [user username] [level level] Parameters mac‐addr mac‐address Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port‐num Traces a port number. Specify a RoamAbout switch port number between 1 and 22. user username Traces a user. Specify a username of up to 32 alphanumeric characters with no spaces.
set trace authorization Traces authorization information. Syntax set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level] Parameters mac‐addr mac‐address Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port‐num Traces a port number. Specify a RoamAbout switch port number between 1 and 22. user username Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
set trace dot1x Traces 802.1X sessions. Syntax set trace dot1x [mac-addr mac-address] [port port-num] [user username] [level level] Parameters mac‐addr mac‐address Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port‐num Traces a port number. Specify a RoamAbout switch port number between 1 and 22. user username Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
set trace sm Traces session manager activity. Syntax set trace sm [mac-addr mac-address] [port port-num] [user username] [level level] Parameters mac‐addr mac‐address Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). port port‐num Traces a port number. Specify a RoamAbout switch port number between 1 and 22. user username Traces a user. Specify a username of up to 80 alphanumeric characters, with no spaces.
show trace Displays information about traces that are currently configured on the RoamAbout switch, or all possible trace options. Syntax show trace [all] Parameters all Displays all possible trace options and their configuration. Defaults None. Mode Enabled. Example To view the traces currently running, type the following command: RBT-8100# show trace milliseconds spent printing traces: 1885.
22 Snoop Commands Use snoop commands to monitor wireless traffic, by using a Distributed AP (DAP) as a sniffing device. The DAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. For more information, including setup instructions for the monitoring station, refer to the “Remote Monitoring Traffic” section in the “Troubleshooting a RoamAbout Switch” chapter of the RoamAbout Mobility System Software Configuration Guide.
clear snoop Deletes a snoop filter. Syntax clear snoop filter‐name Parameters filter‐name Name of the snoop filter. Defaults None. Mode Enabled.
clear snoop map Removes a snoop filter from a DAP radio. Syntax clear snoop map filter-name dap dap-num radio {1 | 2} filter‐name Name of the snoop filter. dap dap‐num Number of a DAP to which the snoop filter is mapped. radio 1 Radio 1 of the DAP. radio 2 Radio 2 of the DAP. (This option does not apply to single‐radio models.) Defaults None. Mode Enabled.
set snoop Configures a snoop filter. Syntax set snoop filter-name [condition-list] [observer ip-addr] [snap-length num] Parameters filter‐name Name for the filter. The name can be up to 15 alphanumeric characters, with no spaces. condition‐list Match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition‐list.
Mode Enabled. Usage Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer. For best results: • Do not specify an observer that is associated with the DAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.
set snoop map Maps a snoop filter to a radio on a DAP. A snoop filter does not take effect until you map it to a radio and enable the filter. Syntax set snoop map filter-name dap dap-num radio {1 | 2} filter‐name Name of the snoop filter. dap dap‐num Number of a DAP to which to map the snoop filter. radio 1 Radio 1 of the DAP. radio 2 Radio 2 of the DAP. (This option does not apply to single‐radio models.) Defaults Snoop filters are unmapped by default. Mode Enabled.
set snoop mode Enables a snoop filter. A snoop filter does not take effect until you map it to a DAP radio and enable the filter. Syntax set snoop {filter-name | all} mode {enable [stop-after num-pkts] | disable} {filter‐name | all} Name of the snoop filter. Specify all to enable all snoop filters. enable [stop‐after num‐pkts] Enables the snoop filter. disable Disables the snoop filter. The stop‐after option disables the filter after the specified number of packets match the filter.
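Added example, not part of the Enterasys reference: a Python audit of saved show config text for the RF detection settings in chapter 19 (log, ignore list, attack list) and the snoop filters above, which copy decrypted traffic to an observer. It assumes configuration lines appear as the set commands documented here; the sample configuration, the approved BSSID set, the approved observer network, and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (not from a real switch). Lines follow the command syntax
# documented in this reference; that show config prints them this way is assumed.
SAMPLE_CONFIG = """\
# Configuration nvgen'd at 2004-5-21 19:36:48
set rfdetect log disable
set rfdetect ignore 00:0b:0e:00:03:80
set rfdetect ignore 00:0B:0E:00:A6:00
set rfdetect attack-list 11:22:33:44:55:66
set rfdetect attack-list 00:0b:0e:00:03:80
set snoop snoop1 observer 10.10.30.2 snap-length 100
set snoop snoop2 observer 192.0.2.77
set snoop snoop3 observer 192.0.2.99
set snoop map snoop1 dap 3 radio 1
set snoop map snoop2 dap 3 radio 2
set snoop snoop1 mode enable
set snoop snoop2 mode enable stop-after 500
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
MAC_LISTS = ("ignore", "attack-list", "black-list")


def _filter(snoop, name):
    """Return the record for a snoop filter, creating it on first mention."""
    return snoop.setdefault(
        name, {"observer": None, "mapped": [], "enabled": False, "stop_after": None})


def _parse_snoop(args, snoop):
    """args are the tokens that follow 'set snoop'."""
    if args[0] == "map":
        if len(args) >= 6 and args[2] == "dap" and args[4] == "radio":
            _filter(snoop, args[1])["mapped"].append((args[3], args[5]))
    elif len(args) >= 3 and args[1] == "mode":
        names = list(snoop) if args[0] == "all" else [args[0]]
        for name in names:
            rec = _filter(snoop, name)
            rec["enabled"] = args[2] == "enable"
            has_limit = rec["enabled"] and args[3:4] == ["stop-after"] and len(args) > 4
            rec["stop_after"] = args[4] if has_limit else None
    elif "observer" in args[1:-1]:
        _filter(snoop, args[0])["observer"] = args[args.index("observer", 1) + 1]
    else:
        _filter(snoop, args[0])


def parse_config(text):
    """Collect the rfdetect and snoop settings from 'set ...' lines."""
    cfg = {"log": "enable", "snoop": {}}  # rogue logging is enabled by default
    cfg.update({name: set() for name in MAC_LISTS})
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "rfdetect":
            if tok[2] == "log" and tok[3] in ("enable", "disable"):
                cfg["log"] = tok[3]
            elif tok[2] in MAC_LISTS and MAC_RE.match(tok[3].lower()):
                cfg[tok[2]].add(tok[3].lower())
        elif tok[1] == "snoop":
            _parse_snoop(tok[2:], cfg["snoop"])
    return cfg


def _observer_ok(observer, networks):
    try:
        addr = ipaddress.ip_address(observer)
    except (TypeError, ValueError):
        return False  # missing or not an IP literal: cannot be matched to a network
    return any(addr in net for net in networks)


def audit(cfg, approved_bssids, approved_observer_nets):
    """Return (code, detail) findings for settings that hide rogues or copy traffic."""
    findings = []
    if cfg["log"] == "disable":
        findings.append(("rfdetect-log-disabled", "no log messages for rogues"))
    for mac in sorted(cfg["ignore"] - approved_bssids):
        findings.append(("ignore-unapproved", mac))  # no logs or traps for this BSSID
    for mac in sorted(cfg["attack-list"] & approved_bssids):
        findings.append(("attack-list-approved-device", mac))
    nets = [ipaddress.ip_network(n) for n in approved_observer_nets]
    for name, rec in sorted(cfg["snoop"].items()):
        if not (rec["enabled"] and rec["mapped"]):
            continue  # a filter takes effect only once it is mapped and enabled
        if not _observer_ok(rec["observer"], nets):
            findings.append(("snoop-observer-unapproved", f"{name} -> {rec['observer']}"))
        if rec["stop_after"] is None:
            findings.append(("snoop-no-stop-after", name))
    return findings


def run_sample():
    return audit(parse_config(SAMPLE_CONFIG), {"00:0b:0e:00:03:80"}, ["10.10.30.0/24"])
```

Calling run_sample() on the constructed configuration reports the disabled rogue logging, the unapproved ignore entry, the approved device on the attack list, and the two active snoop filters.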
show snoop
Displays the DAP radio mapping for all snoop filters.
Syntax
  show snoop
Defaults
  None.
Mode
  Enabled.
Usage
  To display the mappings for a specific DAP radio, use the show snoop map command.
show snoop info
Shows the configured snoop filters.
Syntax
  show snoop filter-name
Parameters
  filter-name  Name of the snoop filter.
Defaults
  None.
Mode
  Enabled.
Example
  The following command shows the snoop filters configured in the examples above:
  RBT-8100# show snoop info
  snoop1: observer 10.10.30.2 snap-length 100 all packets
  snoop2: observer 10.10.30.
show snoop map
Shows the DAP radios that are mapped to a specific snoop filter.
Syntax
  show snoop map filter-name
Parameters
  filter-name  Name of the snoop filter.
Defaults
  None.
Mode
  Enabled.
Usage
  To display the mappings for all snoop filters, use the show snoop command.
show snoop stats
Displays statistics for enabled snoop filters.
Syntax
  show snoop stats [filter-name [dap-num [radio {1 | 2}]]]
Parameters
  filter-name  Name of the snoop filter.
  dap dap-num  Number of a DAP to which the snoop filter is mapped.
  radio 1  Radio 1 of the DAP.
  radio 2  Radio 2 of the DAP. (This option does not apply to single-radio models.)
Defaults
  None.
Mode
  Enabled.
Usage
  The DAP retains statistics for a snoop filter until the filter is changed or disabled. The DAP then clears the statistics.
Table 22-1 describes the fields in this display.

Table 22-1 show snoop stats Output
Field      Description
Filter     Name of the snoop filter.
Dap        DAP containing the radio to which the filter is mapped.
Radio      Radio to which the filter is mapped.
Rx Match   Number of packets received by the radio that match the filter.
Tx Match   Number of packets sent by the radio that match the filter.
23 System Log Commands
Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol. This chapter presents system log commands alphabetically. Use the following table to locate commands in this chapter based on their use.
For information about...   Refer to page...
clear log
Clears the log messages stored in the log buffer, or removes the configuration for a syslog server and stops sending log messages to that server.
Syntax
  clear log [buffer | server ip-addr]
Parameters
  buffer  Deletes the log messages stored in nonvolatile storage.
  server ip-addr  Deletes the configuration for and stops sending log messages to the syslog server at this IP address. Specify an address in dotted decimal notation.
Defaults
  None.
Mode
  Enabled.
set log
Enables or disables logging of RoamAbout switch and AP events to the RoamAbout switch log buffer or other logging destination and sets the level of the events logged. For logging to a syslog server only, you can also set the facility logged.
  local-facility facility-level  For messages sent to a syslog server, maps all messages of the severity you specify to one of the standard local log facilities defined in RFC 3164. You can specify one of the following values:
    • 0—maps all messages to local0.
    • 1—maps all messages to local1.
    • 2—maps all messages to local2.
    • 3—maps all messages to local3.
    • 4—maps all messages to local4.
    • 5—maps all messages to local5.
    • 6—maps all messages to local6.
    • 7—maps all messages to local7.
Defaults
  • Events at the error level and higher are logged to the RoamAbout switch console.
  • Events at the error level and higher are logged to the RoamAbout switch system buffer.
  • Trace logging is enabled, and debug-level output is stored in the RoamAbout switch trace buffer.
Mode
  Enabled.
Usage
  Using the command with only enable or disable turns logging on or off for the target at all levels.
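A collector-side check for the local-facility mapping described above, as an added example that is not part of the Enterasys manual: it decodes the RFC 3164 PRI value (facility × 8 + severity) and confirms that a message carries the local facility configured on the switch. The function names, the sample lines and the assumption that messages arrive with a plain "<PRI>timestamp host" header are constructed for illustration.

```python
import re

# Short names for the eight RFC 3164 severities; list index = numeric severity.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
# RFC 3164 facility codes 16-23 are local0-local7, so a switch configured
# with local-facility N (0-7) sends facility code 16 + N.
LOCAL_BASE = 16
# Assumed header layout: <PRI>Mmm dd hh:mm:ss host message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def decode_pri(pri):
    """Return (facility, severity); PRI = facility * 8 + severity, range 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside the RFC 3164 range 0-191")
    return divmod(pri, 8)

def parse_line(line):
    """Parse one message; return None when the header or PRI is malformed."""
    m = HEADER.match(line)
    if m is None or int(m["pri"]) > 191:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    is_local = LOCAL_BASE <= facility <= LOCAL_BASE + 7
    return {
        "local_facility": facility - LOCAL_BASE if is_local else None,
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }

def from_expected_facility(line, expected_local):
    """True only if the line parses and carries the configured local facility."""
    rec = parse_line(line)
    return rec is not None and rec["local_facility"] == expected_local

# Constructed sample input, not captured from a real switch.
SAMPLES = [
    "<163>Oct  3 14:02:11 10.10.30.1 constructed: error-level event",
    "<166>Oct  3 14:02:12 10.10.30.1 constructed: info-level event",
    "<38>Oct  3 14:02:13 10.10.30.9 constructed: auth facility, not a local one",
    "constructed line with no PRI header",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(from_expected_facility(sample, 4), parse_line(sample))
```

RFC 3164 syslog over UDP is unauthenticated, so a message that fails to parse or arrives with an unexpected facility on the collector is worth a look rather than silent acceptance.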
set log mark
Configures MSS to generate mark messages at regular intervals. The mark messages indicate the current system time and date. Enterasys Networks can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred.
Syntax
  set log mark [enable | disable] [severity level] [interval interval]
Parameters
  enable  Enables the mark messages.
  disable  Disables the mark messages.
show log buffer
Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax
  show log buffer [{+|-}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
Parameters
  buffer  Displays the log messages in nonvolatile storage.
  +|-number-of-messages  Displays the number of messages specified as follows:
    • A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
Examples
  Type the following command to see the facilities for which you can view event messages archived in the buffer:
  RBT-8100# show log buffer facility ?
  Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, NET, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, AP, RAPDA, WEBVIEW, EAP, FP, STAT, SSHD, SUP, DNSD, CONFIG,
show log config
Displays log configuration information.
Syntax
  show log config
Parameters
  None.
Defaults
  None.
Mode
  Enabled.
show log trace
Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax
  show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
Parameters
  trace  Displays the log messages in the trace buffer.
  +|-|/number-of-messages  Displays the number of messages specified as follows: • • •
  facility facility-name  Area of MSS that is sending the log message.
Example
  Type the following command to see the facilities for which you can view event messages archived in the buffer:
  RBT-8100# show log trace facility ?
  Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, ENCAP, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, AP, RAPDA, WEBVIEW, EAP, PORTCONFIG, FP.
24 Boot Prompt Commands
Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).
Caution: Generally, boot prompt commands are used only for troubleshooting. Enterasys Networks, Inc.
autoboot
Displays or changes the state of the autoboot option. The autoboot option controls whether a RoamAbout switch automatically boots a system image after initializing the hardware, following a system reset or power cycle.
Syntax
  autoboot [ON | on | OFF | off]
Parameters
  ON  Enables the autoboot option.
  on  Same effect as ON.
  OFF  Disables the autoboot option.
  off  Same effect as OFF.
Defaults
  The autoboot option is enabled by default.
Mode
  Boot prompt.
boot
Loads and executes a system image file.
Syntax
  boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num] [OPT=option] [OPT+=option]
Parameters
  BT=type  Boot type:
    • c—Compact flash. Boots using nonvolatile storage or a flash card.
    • n—Network. Boots using a TFTP server.
  DEV=device
Example
  The following command loads system image file RBT010101.020 from boot partition 1:
  boot> boot FN=RBT010101.020 DEV=boot1
  Compact Flash load from boot1:testcfg matches RBT010101.020.
  unzip: Inflating ramdisk_1.1.1.. OK
  unzip file len 36085486 OK
  Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 The NetBSD Foundation, Inc. All rights reserved.
  Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
  Power Cycle Reboot
  Detecting hardware..
change
Changes parameters in the currently active boot profile. (For information about boot profiles, see show on page 24-16.)
Syntax
  change
Parameters
  None.
Defaults
  The default boot type is c (compact flash). The default filename is default. The default flags setting is 0x00000000 (all flags disabled) and the default options list is run=nos;boot=0.
create
Creates a new boot profile. (For information about boot profiles, see show on page 24-16.)
Syntax
  create
Parameters
  None.
Defaults
  The new boot profile has the same settings as the currently active boot profile by default.
Mode
  Boot prompt.
Usage
  A RoamAbout switch can have up to four boot profiles. The boot profiles are stored in slots, numbered 0 through 3. When you create a new profile, the system uses the next available slot for the profile.
delete
Removes the currently active boot profile. (For information about boot profiles, see show on page 24-16.)
Syntax
  delete
Parameters
  None.
Defaults
  None.
Mode
  Boot prompt.
Usage
  When you type the delete command, the next-lower numbered boot profile becomes the active profile. For example, if the currently active profile is number 3, profile number 2 becomes active after you type delete to delete profile 3. You cannot delete boot profile 0.
dhcp
Displays or changes the state of the DHCP option. The DHCP option controls whether a RoamAbout switch uses DHCP to obtain its IP address when it is booted using a TFTP server.
Syntax
  dhcp [ON | on | OFF | off]
Parameters
  ON  Enables the DHCP option.
  on  Same effect as ON.
  OFF  Disables the DHCP option.
  off  Same effect as OFF.
Defaults
  The DHCP option is disabled by default.
Mode
  Boot prompt.
diag
Accesses the diagnostic mode.
Syntax
  diag
Parameters
  None.
Defaults
  The diagnostic mode is disabled by default.
Mode
  Boot prompt.
Usage
  Access to the diagnostic mode requires a password, which is not user configurable. Use this mode only if advised to do so by Enterasys Networks.
dir
Displays the boot code and system image files on a RoamAbout switch.
Syntax
  dir [c: | d: | e: | f: | boot0 | boot1]
Parameters
  c:  Nonvolatile storage area containing boot partition 0 (primary).
  d:  Nonvolatile storage area containing boot partition 1 (secondary).
  e:  Primary partition of the flash card in the flash card slot.
  f:  Secondary partition of the flash card in the flash card slot.
  boot0  Boot partition 0.
  boot1  Boot partition 1.
Defaults
  None.
Mode
  Boot prompt.
fver
Displays the version of a system image file installed in a specific location on a RoamAbout switch.
Syntax
  fver {c: | d: | e: | f: | boot0: | boot1:} [filename]
Parameters
  c:  Nonvolatile storage area containing boot partition 0 (primary).
  d:  Nonvolatile storage area containing boot partition 1 (secondary).
  e:  Primary partition of the flash card in the flash card slot.
  f:  Secondary partition of the flash card in the flash card slot.
  boot0:  Boot partition 0.
  boot1:  Boot partition 1.
help
Displays a list of all the boot prompt commands or detailed information for an individual command.
Syntax
  help [command-name]
Parameters
  command-name  Boot prompt command.
Defaults
  None.
Mode
  Boot prompt.
Usage
  If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed.
ls
Displays a list of the boot prompt commands.
Syntax
  ls
Parameters
  None.
Defaults
  None.
Mode
  Boot prompt.
Usage
  To display help for an individual command, type help followed by the command name (for example, help boot).
Example
  To display a list of the commands available at the boot prompt, type the following command:
  boot> ls
  ls help autoboot boot profile. change create delete next show dir fver device:filename. version reset test diag Display a list of all commands and descriptions.
next
Activates and displays the boot profile in the next boot profile slot. (For information about boot profiles, see show on page 24-16.)
Syntax
  next
Parameters
  None.
Defaults
  None.
Mode
  Boot prompt.
Usage
  A RoamAbout switch contains 4 boot profile slots, numbered 0 through 3. This command activates the boot profile in the next slot, in ascending numerical order. If the currently active slot is 3, the command activates the boot profile in slot 0.
reset
Resets a RoamAbout switch’s hardware.
Syntax
  reset
Parameters
  None.
Defaults
  None.
Mode
  Boot prompt.
Usage
  After resetting the hardware, the reset command attempts to load a system image file only if other boot settings are configured to do so.
Example
  To immediately reset the system, type the following command at the boot prompt:
  boot> reset
  Enterasys Networks RBTBootstrap 1.17 Release
  Testing Low Memory 1 ............
  Testing Low Memory 2 ............
  CISTPL_VERS_1: 4.1 <5/3 0.
show
Displays the currently active boot profile. A boot profile is a set of parameters that a RoamAbout switch uses to control the boot process. Each boot profile contains the following parameters:
  • Boot type—Either compact flash (local device on the RoamAbout switch) or network (TFTP)
  • Boot device—Location of the system image file
  • Filename—System image file
  • Flags—Number representing the bit settings of boot flags to pass to the booted system image.
Table 24-1 Output for show (continued)
Output     What It Displays...
DEVICE     Location of the system image file:
           • c:—Nonvolatile storage area containing boot partition 0
           • d:—Nonvolatile storage area containing boot partition 1
           • e:—Primary partition of the flash card in the flash card slot
           • f:—Secondary partition of the flash card in the flash card slot
           • boot0—boot partition 0
           • boot1—boot partition 1
FILENAME   System image file name.
test
Displays or changes the state of the poweron test flag. The poweron test flag controls whether a RoamAbout switch performs a set of self tests prior to the boot process.
Syntax
  test [ON | on | OFF | off]
Parameters
  ON  Enables the poweron test flag.
  on  Same effect as ON.
  OFF  Disables the poweron test flag.
  off  Same effect as OFF.
Defaults
  The poweron test flag is disabled by default.
Mode
  Boot prompt.
version
Displays version information for a RoamAbout switch’s hardware and boot code.
Syntax
  version
Parameters
  None.
Defaults
  None.
Mode
  Boot prompt.
Usage
  This command does not list the system image file versions installed in the boot partitions. To display system image file versions, use the dir or fver command.