Wireless LAN Mobility System Wireless LAN Switch and Controller Command Reference 3CRWXR10095A, 3CRWX120695A, 3CRWX440095A http://www.3com.com/ Part No.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2004, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS ABOUT THIS GUIDE Conventions 19 Documentation 20 Documentation Comments 1 21 USING THE COMMAND-LINE INTERFACE Overview 23 CLI Conventions 24 Command Prompts 24 Syntax Notation 24 Text Entry Conventions and Allowed Characters 25 MAC Address Notation 25 IP Address and Mask Notation 26 User Globs, MAC Address Globs, and VLAN Globs 26 Port Lists 28 Virtual LAN Identification 29 Command-Line Editing 29 Keyboard Shortcuts 29 History Buffer 30 Tabs 30 Single-Asterisk (*) Wildcard Character 30 Double-As
3 SYSTEM SERVICE COMMANDS Commands by Usage 37 clear banner motd 38 clear history 38 clear prompt 39 clear system 39 display banner motd 40 display base-information 41 display license 42 display system 42 help 45 history 46 set auto-config 46 set banner motd 49 set confirm 50 set length 51 set license 52 set prompt 53 set system contact 54 set system countrycode 54 set system ip-address 57 set system location 58 set system name 58 4 PORT COMMANDS Commands by Usage 61 clear dap 62 clear port counters 63 c
monitor port counters 72 reset port 77 set dap 77 set port 80 set port-group 81 set port name 82 set port negotiation 83 set port poe 84 set port preference 85 set port speed 85 set port trap 86 set port type ap 87 set port type wired-auth 91 5 VLAN COMMANDS Commands by usage 95 clear fdb 96 clear vlan 97 display fdb 98 display fdb agingtime 101 display fdb count 101 display roaming station 102 display roaming vlan 104 display tunnel 105 display vlan config 106 set fdb 107 set fdb agingtime 108 set vlan n
clear ip route 118 clear ip telnet 119 clear ntp server 119 clear ntp update-interval 120 clear snmp community 121 clear snmp notify target 121 clear snmp profile 122 clear snmp trap receiver 122 clear snmp usm 122 clear summertime 123 clear system ip-address 124 clear timezone 124 display arp 125 display interface 126 display ip alias 127 display ip dns 128 display ip https 129 display ip route 131 display ip telnet 133 display ntp 134 display snmp configuration 136 display summertime 138 display timedate
set ip ssh 153 set ip ssh absolute-timeout 154 set ip ssh idle-timeout 155 set ip ssh server 155 set ip telnet 156 set ip telnet server 157 set ntp 158 set ntp server 158 set ntp update-interval 159 set snmp community 160 set snmp notify target 162 set snmp profile 167 set snmp protocol 172 set snmp security 173 set snmp trap 174 set snmp trap receiver 174 set snmp usm 174 set summertime 177 set system ip-address 179 set timedate 180 set timezone 181 display dhcp-client 182 display dhcp-server 183 display s
clear authentication dot1x 204 clear authentication last-resort 205 clear authentication mac 205 clear authentication proxy 206 clear authentication web 207 clear location policy 208 clear mac-user 209 clear mac-user attr 209 clear mac-user group 210 clear mac-usergroup 211 clear mac-usergroup attr 212 clear mobility-profile 213 clear user 213 clear user attr 214 clear user group 215 clear usergroup 215 clear usergroup attr 216 display aaa 217 display accounting statistics 220 display location policy 222 di
set user group 258 set usergroup 259 set web-aaa 260 8 MOBILITY DOMAIN COMMANDS Commands by Usage 261 clear mobility-domain 262 clear mobility-domain member 262 display mobility-domain config 263 display mobility-domain status 263 set mobility-domain member 265 set mobility-domain mode member seed-ip 266 set mobility-domain mode seed domain-name 267 9 MANAGED ACCESS POINT COMMANDS MAP Access Point Commands by Usage clear {ap | dap} radio 272 clear radio-profile 274 clear service-profile 275 clear servic
set {ap | dap} bias 310 set {ap | dap} blink 311 set dap fingerprint 312 set {ap | dap} group 313 set {ap | dap} name 315 set {ap | dap} radio antennatype 315 set {ap | dap} radio auto-tune max-power 317 set {ap | dap} radio auto-tune max-retransmissions 318 set {ap | dap} radio channel 320 set {ap | dap} radio auto-tune min-client-rate 321 set {ap | dap} radio mode 323 set {ap | dap} radio radio-profile 324 set {ap | dap} radio tx-power 325 set dap security 326 set {ap | dap} upgrade-firmware 328 set radio
set service-profile auth-psk 354 set service-profile beacon 355 set service-profile cipher-ccmp 356 set service-profile cipher-tkip 357 set service-profile cipher-wep104 358 set service-profile cipher-wep40 359 set service-profile psk-phrase 360 set service-profile psk-raw 361 set service-profile rsn-ie 362 set service-profile shared-key-auth 363 set service-profile ssid-name 363 set service-profile ssid-type 364 set service-profile tkip-mc-time 365 set service-profile web-aaa-form 366 set service-profile w
set spantree maxage 391 set spantree portcost 392 set spantree portfast 393 set spantree portpri 394 set spantree portvlancost 395 set spantree portvlanpri 396 set spantree priority 397 set spantree uplinkfast 397 11 IGMP SNOOPING COMMANDS Commands by usage 399 clear igmp statistics 400 display igmp 400 display igmp mrouter 404 display igmp querier 405 display igmp receiver-table 407 display igmp statistics 409 set igmp 411 set igmp lmqi 412 set igmp mrouter 413 set igmp mrsol 414 set igmp mrsol mrsi 414
display security acl hits 430 display security acl info 431 display security acl map 432 display security acl resource-usage hit-sample-rate 437 rollback security acl 438 set security acl 439 set security acl map 444 13 433 CRYPTOGRAPHY COMMANDS Commands by Usage 447 crypto ca-certificate 448 crypto certificate 449 crypto generate key 451 crypto generate request 452 crypto generate self-signed 454 crypto otp 456 crypto pkcs12 457 display crypto ca-certificate 459 display crypto certificate 460 display cr
15 802.
17 RF DETECTION COMMANDS Commands by Usage 511 clear rfdetect 512 clear rfdetect attack-list 512 clear rfdetect black-list 513 clear rfdetect countermeasures mac 513 clear rfdetect ignore 513 clear rfdetect ssid-list 514 clear rfdetect vendor-list 515 display rfdetect counters 515 display rfdetect countermeasures 517 display rfdetect data 518 display rfdetect ignore 520 display rfdetect mobility-domain 521 display rfdetect ssid-list 525 display rfdetect vendor-list 525 display rfdetect visible 526 set rfde
dir 545 display boot 547 display config 548 display version 549 load config 551 mkdir 553 reset system 554 restore 555 rmdir 556 save config 557 set boot configuration-file set boot partition 559 19 558 TRACE COMMANDS Commands by Usage 561 clear log trace 562 clear trace 562 display trace 563 save trace 564 set trace authentication 564 set trace authorization 565 set trace dot1x 566 set trace sm 567 SNOOP COMMANDS clear snoop 570 clear snoop map 570 set snoop 571 set snoop map 574 set snoop mode 575 dis
21 SYSTEM LOG COMMANDS Commands by Usage 581 clear log 581 display log buffer 582 display log config 584 display log trace 585 set log 586 set log trace mbytes 589 22 BOOT PROMPT COMMANDS Boot Prompt Commands by Usage autoboot 592 boot 593 change 595 create 596 delete 597 diag 598 dir 598 display 599 fver 601 help 602 ls 602 next 603 reset 604 test 605 version 606 A 591 OBTAINING SUPPORT FOR YOUR PRODUCT Register Your Product 607 Purchase Value-Added Services 607 Troubleshoot Online 608 Access Softwar
ABOUT THIS GUIDE This command reference explains Mobility System Software (MSS™) command line interface (CLI) that you enter on a 3Com WXR100 Remote Office Wireless LAN Switch, WX1200 Wireless Switch, or WX4400 Wireless LAN Controller to configure and manage the Mobility System™ wireless LAN (WLAN). Read this reference if you are a network administrator responsible for managing WXR100, WX1200, or WX4400 wireless switches and their Managed Access Points (MAPs) in a network.
This manual uses the following text and syntax conventions:

Table 2 Text Conventions
Convention | Description
Monospace text | Sets off command syntax or sample commands and system responses.
Bold text | Highlights commands that you enter or items you select.
Italic text | Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
[ ] (square brackets) | Enclose optional parameters in command syntax.
Wireless LAN Switch Manager Reference Manual
This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless LAN Switch Manager (3WXM).

Wireless LAN Switch Manager User’s Guide
This guide shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless LAN Switch Manager (3WXM).
Example:
Wireless LAN Switch and Controller Configuration Guide
Part number 730-9502-0071, Revision B
Page 25

Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to Technical Support or sales should be directed in the first instance to your network supplier.
1 USING THE COMMAND-LINE INTERFACE This chapter discusses the 3Com Wireless Switch Manager (3WXM) command-line interface (CLI). Described are the CLI conventions (see “CLI Conventions” on page 24), editing on the command line (see “Command-Line Editing” on page 29), using the CLI help feature (see “Using CLI Help” on page 31), and information about the command descriptions in this reference (see “Understanding Command Descriptions” on page 32).
CLI Conventions

Be aware of the following MSS CLI conventions for command entry:
“Command Prompts” on page 24
“Syntax Notation” on page 24
“Text Entry Conventions and Allowed Characters” on page 25
“User Globs, MAC Address Globs, and VLAN Globs” on page 26
“Port Lists” on page 28
“Virtual LAN Identification” on page 29

Command Prompts

By default, the MSS CLI provides the following prompt for restricted users.
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list

Text Entry Conventions and Allowed Characters

Unless otherwise indicated, the MSS CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
IP Address and Mask Notation

MSS displays IP addresses in dotted decimal notation — for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks.

Subnet Masks

Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks — for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Table 3 gives examples of user globs.

Table 3 User Globs
User Glob | User(s) Designated
jose@example.com | User jose at example.com
*@example.com | All users at example.com whose usernames do not contain periods — for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com | All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com | All marketing users at example.
VLAN Globs

A VLAN glob is a method for matching one of a set of local rules on a wireless LAN switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule. To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters.
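The wildcard behaviour shown in Table 3 and in the VLAN glob description above, as an added example that is not part of the 3Com manual: a small matcher for auditing which names a set of globs covers and which it misses. It assumes that a single asterisk in a user glob stops at the delimiters @ and . (inferred from Table 3), that a lone ** matches everything, and that VLAN names are matched with no delimiters; the function names and sample usernames are constructed for illustration.

```python
import re

# Assumption (inferred from Table 3): in a user glob a single asterisk
# matches any run of characters that contains neither "@" nor ".".
USER_DELIMITERS = "@."

# Constructed sample usernames, modelled on the names used in Table 3.
SAMPLE_USERS = [
    "jose@example.com",
    "tamara@example.com",
    "nin.wong@example.com",
    "jose@marketing.example.com",
    "nin.wong@marketing.example.com",
]


def compile_glob(glob, delimiters=USER_DELIMITERS):
    """Translate a glob into a regular expression (hypothetical helper)."""
    if glob == "**":
        # Double asterisk with no delimiters: matches every name.
        return re.compile(r".*", re.DOTALL)
    if delimiters:
        # A single asterisk may not cross a delimiter character.
        star = "[^" + re.escape(delimiters) + "]*"
    else:
        # Assumption: with no delimiters defined, "*" matches any run.
        star = ".*"
    parts = [star if ch == "*" else re.escape(ch) for ch in glob]
    return re.compile("".join(parts))


def glob_matches(glob, value, delimiters=USER_DELIMITERS):
    """Return True when the whole value is matched by the glob."""
    return compile_glob(glob, delimiters).fullmatch(value) is not None


def coverage(globs, names, delimiters=USER_DELIMITERS):
    """Return ({glob: [matched names]}, [names that no glob matches])."""
    hits = {
        g: [n for n in names if glob_matches(g, n, delimiters)]
        for g in globs
    }
    matched = {n for matched_names in hits.values() for n in matched_names}
    missed = [n for n in names if n not in matched]
    return hits, missed


if __name__ == "__main__":
    rules = ["*@example.com", "*@marketing.example.com"]
    hits, missed = coverage(rules, SAMPLE_USERS)
    for glob, names in hits.items():
        print(f"{glob:28} -> {names}")
    # Names with a period before the @ fall through both rules.
    print("not covered by any glob:", missed)
```

Running the coverage check against a real user list before relying on a glob in an AAA rule shows whether accounts such as nin.wong@example.com are silently left outside the rule.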
A hyphen-separated range of port numbers, with no spaces. For example:
WX1200# reset port 1-3
Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
WX1200# display port status 1-3,6

Virtual LAN Identification

The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed.

Command-Line Editing

Keyboard Shortcuts
Table 4 Keyboard Shortcuts (continued)
Keyboard Shortcut(s) | Function
Ctrl+U or Ctrl+X | Deletes characters from the cursor to the beginning of the command line.
Ctrl+W | Deletes the last word typed.
Esc B | Moves the cursor back one word.
Esc D | Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key | Erases mistake made during command entry. Reenter the command after using this key.

History Buffer

Tabs
Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the help command.
To see all the variations, type one of the commands followed by a question mark (?).
2 ACCESS COMMANDS

This chapter describes access commands used to control access to the Mobility Software System (MSS) command-line interface (CLI).

Commands by Usage

This chapter presents access services commands alphabetically. Use Table 5 to locate commands in this chapter based on their use.
enable

Places the CLI session in enabled mode, which provides access to all commands required for configuring and monitoring the system.
Syntax — enable
Access — All.
History — Introduced in MSS Version 3.0.
Usage — MSS displays a password prompt to challenge you with the enable password. To enable a session, you or another administrator must have configured the enable password to this WX switch with the set enablepass command.
set enablepass

Sets the password that provides enabled access (for configuration and monitoring) to the WX switch.
Syntax — set enablepass
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — After typing the set enablepass command, press Enter. If you are entering the first enable password on this WX switch, press Enter at the Enter old password prompt. Otherwise, type the old password.
3 SYSTEM SERVICE COMMANDS

Use system services commands to configure and monitor system information for a WX switch.

Commands by Usage

This chapter presents system services commands alphabetically. Use Table 6 to locate commands in this chapter based on their use.
CHAPTER 3: SYSTEM SERVICE COMMANDS Table 6 System Services Commands by Usage (continued) Type Command clear history on page 38 License display license on page 42 set license on page 52 Technical Support clear banner motd display base-information on page 41 Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the wireless LAN switch. Syntax — clear banner motd Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0.
Examples — To clear the history buffer, type the following command:
WX4400# clear history
success: command buffer was flushed.
See Also
history on page 46

clear prompt

Resets the system prompt to its previously configured value. If the prompt was not configured previously, this command resets the prompt to its default.
Syntax — clear prompt
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
location — Resets the location of the WX switch to null.
name — Resets the name of the WX switch to the default system name, which is the model number.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To clear the location of the WX switch, type the following command:
WX4400# clear system location
success: change accepted.
See Also
clear banner motd on page 38
set banner motd on page 49

display base-information

Provides an in-depth snapshot of the status of the wireless LAN switch, which includes details about the boot image, the version, ports, and other configuration values. This command also displays the last 100 log messages.
CHAPTER 3: SYSTEM SERVICE COMMANDS display license Displays information about the license currently installed on the WX switch. Syntax — display license Defaults — None. Access — All.
display system 43 System IP: 192.168.12.7 System MAC: 00:0B:0E:00:04:30 =============================================================================== Boot Time: 2003-11-07 15:45:49 Uptime: 13 days 04:29:10 =============================================================================== Fan status: fan1 OK fan2 OK fan3 OK Temperature: temp1 ok temp2 ok temp3 ok PSU Status: Lower Power Supply DC ok AC ok Upper Power Supply missing Memory: 97.04/744.03 (13%) Total Power Over Ethernet : 29.
CHAPTER 3: SYSTEM SERVICE COMMANDS Table 7 display system output (continued) Field Description Fan status Operating status of the WX switch’s three cooling fans: OK — Fan is operating. Failed — Fan is not operating. MSS sends an alert to the system log every 5 minutes until this condition is corrected. Fan 1 is located nearest the front of the chassis, and fan 3 is located nearest the back.
help

Displays a list of commands that can be used to configure and monitor the WX switch.
Syntax — help
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access.
CHAPTER 3: SYSTEM SERVICE COMMANDS history Displays the command history buffer for the current CLI session. Syntax — history Defaults — None. Access — All. History — Introduced in MSS Version 3.0.
set auto-config 47 Usage — A network administrator at the corporate office can preconfigure the switch in a 3Com Wireless Switch Manager network plan. The switch configuration must have a name for the switch, the model must be WXR100, and the serial number must match the switch’s serial number. The configuration should also include all other settings required for the deployment, including MAP configuration, SSIDs, AAA settings, and so on.
CHAPTER 3: SYSTEM SERVICE COMMANDS You can enable the switch to use the MSS DHCP client to obtain this information from a DHCP server in the local network where the switch will be deployed. Alternatively, you can statically configure the information. The IP address and DNS information are configured independently. You can configure the combination of settings that work with the network resources available at the deployment site. The following examples show some of the combinations you can configure.
set banner motd 49 Self-signed cert for admin is -----BEGIN CERTIFICATE----MIICUzCCAbygAwIBAgICA+cwDQYJKoZIhvcNAQEEBQAwNjELMAkGA1UEBhMC VVMx CzAJBgNVBAgTAkNBMRowGAYDVQQDFBF0ZWNocHVic0B0cnB6LmNvbTAeFw0w MzA0 ... Lm8wmVYLxP56MpCUAm9O8C2foYgOY40= -----END CERTIFICATE----- Save the configuration changes: WX-1200# save config success: configuration saved.
CHAPTER 3: SYSTEM SERVICE COMMANDS Do not use the following characters with commands in which you set text to be displayed on the WX switch, such as message-of-the-day (MOTD) banners: Ampersand (&) Angle brackets (< >) Double quotation marks (“”) Number sign (#) Question mark (?) Single quotation mark (') Examples — To create a banner that says Update meeting at 3 p.m., type the following command: WX4400# set banner motd ^Update meeting at 3 p.m.^ success: change accepted.
MSS displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network. For example:
WX4400# clear vlan red
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]
Examples — To turn off these confirmation messages, type the following command:
WX4400# set confirm off
success: Confirm state is off

set length

Defines the number of lines of CLI output to display between paging prompts.
CHAPTER 3: SYSTEM SERVICE COMMANDS set license Installs an upgrade license, for managing more MAPs. Syntax — set license license-key activation-key license-key — License key, starting with WXL. You can enter the key with or without the hyphens. activation-key — Activation key, starting with WXA. You can enter the key with or without the hyphens. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — The license key is shipped with the switch.
set prompt

Changes the CLI prompt for the WX switch to a string you specify.
Syntax — set prompt string
string — Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
CHAPTER 3: SYSTEM SERVICE COMMANDS set system contact Stores a contact name for the WX switch. Syntax — set system contact string string — Alphanumeric string up to 256 characters long, with no blank spaces. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. To view the system contact string, type the display system command. Examples — The following command sets the system contact information to tamara@example.com: WX1200# set system contact tamara@example.
set system countrycode Table 8 Country Codes (continued) Country Code Austria AT Belgium BE Brazil BR Bulgaria BG Canada CA Chile CL China CN Columbia CO Croatia HR Cyprus CY Czech Republic CZ Denmark DK Estonia EE Finland FI France FR Germany DE Greece GR Hong Kong HK Hungary HU Iceland IS India IN Ireland IE Israel IL Italy IT Japan JP Latvia LV Liechtenstein LI Lithuania LT Luxembourg LU Malaysia MY Malta MT Mexico MX 55
CHAPTER 3: SYSTEM SERVICE COMMANDS Table 8 Country Codes (continued) Country Code Morocco MA Netherlands NL New Zealand NZ Norway NO Peru PE Philippines PH Poland PL Portugal PT Romania RO Russia RU Saudi Arabia SA Singapore SG Slovakia SK Slovenia SI South Africa ZA South Korea KR Spain ES Sweden SE Switzerland CH Taiwan TW Thailand TH Turkey TR United Arab Emirates AE United Kingdom GB United States US Defaults — The factory default country code is
Examples — To set the country code to Canada, type the following command:
WX1200# set system countrycode CA
success: change accepted.
See Also
display config on page 548

set system ip-address

Sets the system IP address so that it can be used by various services in the WX switch.
CAUTION: Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.
CHAPTER 3: SYSTEM SERVICE COMMANDS set system location Stores location information for the WX switch. Syntax — set system location string string — Alphanumeric string up to 256 characters long, with no blank spaces. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — You cannot include spaces in the system location string. To view the system location string, type the display system command.
set system name 59 Defaults — By default, the system name and command prompt have the same value. The factory default for both is the model number (WXR100 for the 3Com Remote Office Wireless LAN Switch WXR100, WX1200 for the 3Com Wireless LAN Switch WX1200, WX4400 for the 3Com Wireless LAN Controller WX4400) followed by the last three octets of the switch’s MAC address. Access — Enabled. History — Introduced in MSS Version 3.0.
4 PORT COMMANDS Use port commands to configure and manage individual ports and load-sharing port groups. Commands by Usage This chapter presents port commands alphabetically. Use Table 9 to locate commands in this chapter based on their use.
CHAPTER 4: PORT COMMANDS Table 9 Port Commands by Usage (continued) Type Command Port Groups set port-group on page 81 display port-group on page 67 clear port-group on page 63 Statistics display port counters on page 66 monitor port counters on page 72 clear port counters on page 63 clear dap Removes a Distributed MAP. CAUTION: When you clear a Distributed MAP, MSS ends user sessions that are using the MAP.
clear port counters

Clears port statistics counters and resets them to 0.
Syntax — clear port counters
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command clears all port statistics counters and resets them to 0:
WX4400# clear port counters
success: cleared port counters
See Also
display port counters on page 66
monitor port counters on page 72

clear port-group

Removes a port group.
CHAPTER 4: PORT COMMANDS clear port name Removes the name assigned to a port. Syntax — clear port port-list name port-list — List of physical ports. MSS removes the names from all the specified ports. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0.
clear port type 65 Examples — The following command clears the preference set on port 2 on a WX4400 switch: WX4400# clear port preference 2 See Also clear port type display port preference on page 69 set port preference on page 85 Removes all configuration settings from a port and resets the port as a network port. CAUTION: When you clear a port, MSS ends user sessions that are using the port. Syntax — clear port type port-list port-list — List of physical ports.
CHAPTER 4: PORT COMMANDS Table 10 Network port defaults (continued) Port Parameter Setting Spanning Tree Protocol (STP) Based on the VLAN(s) you add the port to. 802.1X No authorization. Port groups None. Internet Group Management Enabled as port is added to VLANs.
display port-group 67 port port-list — List of physical ports. If you do not specify a port list, MSS shows statistics for all ports. Defaults — None. Access — All. History — Introduced in MSS Version 3.0. Usage — You can specify one statistic type with the command.
CHAPTER 4: PORT COMMANDS Table 11 describes the fields in the display port-group output. Table 11 Output for display port-group Field Description Port group Name and state (enabled or disabled) of the port group. Ports Ports contained in the port group. See Also display port poe clear port-group on page 63 set port-group on page 81 Displays status information for ports on which Power over Ethernet (PoE) is enabled.
display port preference 69 Table 12 Output for display port poe Field Description Port Port number. Name Port name. If the port does not have a name, the port number is listed. Link status Link status of the port: Port type PoE config PoE Draw up—The port is connected. down—The port is not connected. Port type: MAP —The port is an MAP access port. - (The port is not an MAP access port.) PoE state: enabled disabled Power draw on the port, in watts.
CHAPTER 4: PORT COMMANDS Examples — The following command displays the preference settings on all four ports of a WX4400 switch: WX4400# display port preference Port Preference =========================================================== 1 GBIC 2 RJ45 3 GBIC 4 GBIC Table 13 describes the fields in this display. Table 13 Output for display port preference Field Description Port Port number. Preference Preference setting: GBIC — The GBIC (fiber) interface is selected as the active interface.
display port status 71 Examples — The following command displays information for all ports on a WX1200 switch: WX1200# display port status Port Name Admin Oper Config Actual Type Media =============================================================================== 1 1 up up auto 100/full network 10/100BaseTx 2 2 up up auto 100/full ap 10/100BaseTx 3 3 up up auto 100/full network 10/100BaseTx 4 4 up down auto network 10/100BaseTx 5 5 up down auto network 10/100BaseTx 6 6 up down auto network 10/100BaseTx 7
CHAPTER 4: PORT COMMANDS Table 14 Output for display port status (continued) Field Description Media Link type: 10/100BaseTX — 10/100BASE-T. GBIC — 1000BASE-SX or 1000BASE-LX GBIC. 1000BaseT — 1000BASE-T. No connector — GBIC slot is empty.
Defaults — All types of statistics are displayed for all ports. MSS refreshes the statistics every 5 seconds. This interval cannot be configured. Statistics types are displayed in the following order by default:
Octets
Packets
Receive errors
Transmit errors
Collisions
Receive Ethernet statistics
Transmit Ethernet statistics
Access — All.
History — Introduced in MSS Version 3.0.
Usage — Each type of statistic is displayed separately.
CHAPTER 4: PORT COMMANDS Examples — The following command starts the port statistics monitor beginning with octet statistics (the default): WX4400# monitor port counters As soon as you press Enter, MSS clears the window and displays statistics at the top of the window. Port Status Rx Octets Tx Octets =============================================================================== 1 Up 27965420 34886544 ... To cycle the display to the next set of statistics, press the Spacebar.
monitor port counters 75 Table 16 Output for monitor port counters (continued) Statistics Option Field Description packets Number of unicast packets received. Rx Unicast This number does not include packets that contain errors. Rx NonUnicast Number of broadcast and multicast packets received. This number does not include packets that contain errors. Tx Unicast Number of unicast packets transmitted. This number does not include packets that contain errors.
CHAPTER 4: PORT COMMANDS Table 16 Output for monitor port counters (continued) Statistics Option Field Description collisions Single Coll Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network. Multiple Coll Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
reset port

Resets a port by toggling its link state and Power over Ethernet (PoE) state.
Syntax — reset port port-list
port-list — List of physical ports. MSS resets all the specified ports.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The reset command disables the port’s link and PoE (if applicable) for at least 1 second, then reenables them.
CHAPTER 4: PORT COMMANDS dap-num — Number for the Distributed MAP. The range of valid connection numbers depends on the WX switch model: For a WX4400, you can specify a number from 1 to 256. For a WX1200, you can specify a number from 1 to 30. For a WXR100, you can specify a number from 1 to 8. serial-id serial-ID — MAP access point serial ID. The serial ID is listed on the MAP case. To show the serial ID using the CLI, use the display version details command.
set dap 79 mp-262 — Contains one 802.11a radio and one 802.11b radio, and a connector for an external antenna for the 802.11b/g radio. mp-341 — Contains one radio that can be configured through software for 802.11a or 802.11b/g, and a connector for an external antenna for the 802.11b/g radio. mp-352 — Contains one 802.11a radio and one 802.11b radio, and a connector for an external antenna for the 802.11b/g radio. mp-372 — Contains one 802.11b/g radio and one 802.
CHAPTER 4: PORT COMMANDS specify the external antenna fitted, use the set {ap | dap} radio antennatype command. Access — Enabled. History — Introduced in MSS Version 3.0. Examples — The following command configures Distributed MAP 1 for MAP model AP3750 with serial-ID M9DE48B012F00: WX4400# set dap 1 serial-id M9DE48B012F00 model ap3750 success: change accepted. The following command removes Distributed MAP 1: WX4400# clear dap 1 This will clear specified DAP devices.
Usage — A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Examples — The following command disables port 6:
WX1200# set port disable 6
success: set "disable" on port 6
The following command reenables the port:
WX1200# set port enable 6
success: set "enable" on port 6
See Also
reset port on page 77

set port-group

Configures a load-sharing port group.
To add or remove ports in a group that is already configured, change the mode to off, add or remove the ports, then change the mode to on.
Examples — The following command configures a port group named server1 containing ports 1 through 5, and enables the link:
WX1200# set port-group name server1 1-5 mode on
success: change accepted.
Examples — The following command sets the name of port 7 to adminpool:
WX1200# set port 7 name adminpool
success: change accepted.
See Also
clear port name on page 64
display port status on page 70

set port negotiation
Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.
Syntax — set port negotiation port-list {enable | disable}
port-list — List of physical ports. MSS disables or reenables autonegotiation on all the specified ports.
set port poe
Enables or disables Power over Ethernet (PoE) on ports connected to MAP access points.
CAUTION: When you set the port type for MAP use, you can enable PoE on the port. Use the WX switch’s PoE to power 3Com MAP access points only. If you enable PoE on ports connected to other devices, damage can result.
Syntax — set port poe port-list enable | disable
port-list — List of physical ports. MSS disables or reenables PoE on all the specified ports.
set port preference
Configures a gigabit Ethernet port on a WX4400 to use the RJ-45 (copper) interface, when available, as the active link instead of the fiber interface.
Syntax — set port preference port-list rj45
port-list — List of physical ports. MSS sets the preference on all the specified ports.
rj45 — Prefers the copper interface.
100 — Sets the port speed of a 10/100 Ethernet port to 100 Mbps and sets the operating mode to full-duplex.
1000 — Sets the port speed of a gigabit Ethernet port to 1000 Mbps and sets the operating mode to full-duplex.
auto — Enables a port to detect the speed and operating mode of the traffic on the link and set itself accordingly.
Defaults — All ports are set to auto.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command enables SNMP linkup and linkdown traps on ports 3 and 4:
WX1200# set port trap 3-4 enable
See Also
display snmp configuration on page 136
set ip snmp server on page 152
set snmp community on page 160
set snmp profile on page 167
set snmp notify target on page 162

set port type ap
Configures a WX switch port for an MAP access point.
ap2750 — Contains one radio that can be configured through software for 802.11a or 802.11b/g. An external dual-mode antenna may be used in place of the supplied antenna.
ap3750 — Contains one 802.11b/g radio and one 802.11a radio with connectors for optional external antennas for each radio.
ap7250 — Contains one 802.11b/g radio. An external antenna may be used in place of the supplied antenna.
ap8250 — Contains one 802.11b/g radio.
This option does not apply to single-radio models. The value 11g does not apply to model MP-101.
Defaults — All WX ports are network ports by default. The default radio type for model MP-101 is 802.11b. The default radio type for model AP2750, AP7250, MP-241, and MP-341, and for the 802.11b/g radios in models AP3750, AP8250, AP8750, MP-52, MP-252, MP-262, and MP-352 is 802.11g in regulatory domains that support 802.11g, or 802.11b in regulatory domains that do not support 802.11g.
Table 17 MAP Access Port Defaults
Port Parameter | Setting
VLAN membership | Removed from all VLANs. You cannot assign an MAP access port to a VLAN. MSS automatically assigns MAP access ports to VLANs based on user traffic.
Spanning Tree Protocol (STP) | Not applicable
802.1X | Uses authentication parameters configured for users.
Port groups | Not applicable
IGMP snooping | Enabled as users are authenticated and join VLANs.
The following command resets port 5 by clearing it:
WX1200# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
Defaults — The default tag-list is null (no tag values). The default number of sessions is 1. The default fallthru authentication type is none.
Access — Enabled.
History — Version 3.0: Options added to change the fallthru authentication type. This is the authentication type that MSS uses if the user does not support 802.1X and is not authenticated by MAC authentication. Version 4.0: Option for WebAAA fallthru authentication type changed from web-auth to web-portal.
The following command sets port 7 for a wired authentication user and subdivides the port into three virtual ports to support three simultaneous user sessions:
WX1200# set port type wired-auth 7 1,2,3
success: change accepted
See Also
clear port type on page 65
set port type ap on page 87
5 VLAN COMMANDS
Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain.
Commands by usage
This chapter presents VLAN commands alphabetically. Use Table 19 to locate commands in this chapter based on their use.
clear fdb
Deletes an entry from the forwarding database (FDB).
Syntax — clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]
perm — Clears permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. You must specify a VLAN name or number with this option.
static — Clears static entries.
The following command clears all dynamic forwarding database entries that match all VLANs:
WX4400# clear fdb dynamic
success: change accepted.
The following command clears all dynamic forwarding database entries that match ports 3 and 5:
WX4400# clear fdb port 3,5
success: change accepted.
See Also
display fdb on page 98
set fdb on page 107

clear vlan
Removes physical or virtual ports from a VLAN or removes a VLAN entirely.
Usage — If you do not specify a port-list, the entire VLAN is removed from the configuration. You cannot delete the default VLAN but you can remove ports from it. To remove ports from the default VLAN, use the port port-list option.
Examples — The following command removes port 1 from VLAN green:
WX4400# clear vlan green port 1
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
perm — Displays permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
static — Displays static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
dynamic — Displays dynamic entries. A dynamic entry is automatically removed through aging or after a reboot, reset, or power cycle.
system — Displays system entries.
The following command displays all entries that begin with the MAC address glob 00:
WX4400# display fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN TAG Dest MAC/Route Des [CoS] Destination Ports [Protocol Type]
---- ---- ------------------ ----- ----------------------------------------
1 00:01:97:13:0b:1f 1 [ALL]
1 00:0b:0e:02:76:f5 1 [ALL]
Total Matching FDB Entries Displayed = 2
Table 20 describes the fields in the display fdb output.
display fdb agingtime
Displays the aging timeout period for forwarding database entries.
Syntax — display fdb agingtime [vlan vlan-id]
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, the aging timeout period for each VLAN is displayed.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
vlan vlan-id — VLAN name or number. Entries are listed for only the specified VLAN.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
The following command lists the number of dynamic entries that the forwarding database contains:
WX1200# display fdb count dynamic
Total Matching Entries = 2
See Also
display fdb on page 98

display roaming station
Shows a list of the stations roaming to the wireless LAN switch through a VLAN tunnel.
Table 21 describes the fields in the display.
Table 21 Output for display roaming station
Field | Description
User Name | Name of the user. This is the name used for authentication. The name resides in a RADIUS server database or the local user database on a wireless LAN switch.
Station IP Addr | IP address of the user WX switch.
Old AP MAC | MAC address of the access point from which the station is roaming or attempting to roam.
display roaming vlan
Shows all VLANs in the mobility domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs.
Syntax — display roaming vlan
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command shows the current roaming VLANs:
WX4400# display roaming vlan
VLAN             WX              Affinity
---------------- --------------- -------
vlan-cs          192.168.14.2    5
vlan-eng         192.168.14.
display tunnel
Shows the tunnels from the wireless LAN switch where you type the command.
Syntax — display tunnel
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To display all tunnels from a WX switch to other WX switches in the Mobility Domain, type the following command.
WX4400# display tunnel
VLAN           Local Address   Remote Address  State   Port  LVID  RVID
-------------- --------------- --------------- ------- ----- ----- ----
vlan-eng       192.168.14.2    192.
display vlan config
Shows VLAN information.
Syntax — display vlan config [vlan-id]
vlan-id — VLAN name or number. If you do not specify a VLAN, information for all VLANs is displayed.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Table 24 Output for display vlan config (continued)
Field | Description
Tunl Affin | Tunnel affinity value assigned to the VLAN.
Port | Member port of the VLAN. The port can be a physical port or a virtual port. Physical ports are 10/100 Ethernet or gigabit Ethernet ports on the WX switch, and are listed by port number.
vlan vlan-id — Name or number of a VLAN of which the port is a member. The entry is added only for the specified VLAN.
tag tag-value — VLAN tag value that identifies a virtual port. You can specify a number from 1 through 4095. If you do not specify a tag value, an entry is created for an untagged interface only. If you specify a tag value, an entry is created only for the specified tagged interface.
Defaults — None.
Access — Enabled.
Defaults — The aging timeout period is 300 seconds (5 minutes).
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command changes the aging timeout period to 600 seconds for entries that match VLAN orange:
WX4400# set fdb agingtime orange age 600
success: change accepted.
See Also
display fdb agingtime on page 101

set vlan name
Creates a VLAN and assigns a number and name to it.
Syntax — set vlan vlan-num name name
vlan-num — VLAN number.
VLAN names are case-sensitive for RADIUS authorization when a client roams to a wireless LAN switch. If the WX switch is not configured with the VLAN the client is on, but is configured with a VLAN that has the same spelling but different capitalization, authorization for the client fails. For example, if the client is on VLAN red but the WX switch to which the client roams has VLAN RED instead, RADIUS authorization fails.
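The capitalization pitfall described above can be caught before deployment by comparing the VLAN names configured on every switch in the Mobility Domain. The following Python check is an added example, not part of the 3Com manual or MSS; the switch names and configuration text are constructed, and it assumes each switch's configuration is available as text containing set vlan vlan-num name name lines.

```python
import re
from collections import defaultdict

# Matches the "set vlan vlan-num name name" form documented in this chapter.
SET_VLAN_NAME = re.compile(r"^\s*set\s+vlan\s+(\d+)\s+name\s+(\S+)")

# Constructed sample configurations for three hypothetical switches.
SAMPLE_CONFIGS = {
    "wx-a": "set vlan 11 name beige port 1-3\nset vlan 20 name red\n",
    "wx-b": "set vlan 11 name beige\nset vlan 20 name RED\n",
    "wx-c": "set vlan 20 name red\nset vlan 30 name orange\n",
}


def vlan_names(config_text):
    """Return {vlan_name: vlan_number} for each 'set vlan ... name ...' line."""
    names = {}
    for line in config_text.splitlines():
        match = SET_VLAN_NAME.match(line)
        if match:
            names[match.group(2)] = int(match.group(1))
    return names


def case_mismatches(configs):
    """Find VLAN names that differ between switches only by capitalization.

    Returns {casefolded_name: {spelling: [switches using that spelling]}}
    for every name that appears with more than one spelling.
    """
    spellings = defaultdict(lambda: defaultdict(list))
    for switch, text in configs.items():
        for name in vlan_names(text):
            spellings[name.casefold()][name].append(switch)
    return {
        folded: {spelling: sorted(sw) for spelling, sw in variants.items()}
        for folded, variants in spellings.items()
        if len(variants) > 1
    }


def roam_check(client_vlan, config_text):
    """Classify what a roaming client on client_vlan finds on one switch.

    'match'          - the exact name is configured
    'case-mismatch'  - only a differently capitalized name is configured,
                       the case in which RADIUS authorization fails
    'not-configured' - no VLAN with that spelling in any capitalization
    """
    names = vlan_names(config_text)
    if client_vlan in names:
        return "match"
    if any(n.casefold() == client_vlan.casefold() for n in names):
        return "case-mismatch"
    return "not-configured"


if __name__ == "__main__":
    for folded, variants in case_mismatches(SAMPLE_CONFIGS).items():
        print("VLAN name differs only by case:", variants)
    print("client on 'red' roaming to wx-b:",
          roam_check("red", SAMPLE_CONFIGS["wx-b"]))
```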
If you do specify a tag value, 3Com recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same but some other switches do.
Examples — The following command assigns the name beige to VLAN 11 and adds ports 1 through 3 to the VLAN:
WX1200# set vlan 11 name beige port 1-3
success: change accepted.
If more than one WX switch has the highest affinity value, MSS randomly selects one of the WX switches for the tunnel.
Examples — The following command changes the VLAN affinity for VLAN beige to 10:
WX4400# set vlan beige tunnel-affinity 10
success: change accepted.
6 IP SERVICES COMMANDS
Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), and aliases, and to ping a host or trace a route.
Commands by Usage
This chapter presents IP services commands alphabetically. Use Table 25 to locate commands in this chapter based on their use.
Table 25 IP Services Commands by Usage (continued)
Type | Command
 | display ip telnet on page 133
 | clear ip telnet on page 119
HTTPS Management | set ip https server on page 150
 | display ip https on page 129
DNS | set ip dns on page 147
 | set ip dns domain on page 148
 | set ip dns server on page 149
 | display ip dns on page 128
 | clear ip dns domain on page 117
 | clear ip dns server on page 117
IP Alias | set ip alias on page 147
 | display ip alias on page 127
 | clear ip alias on page 116
clear interface
Table 25 IP Services Commands by Usage (continued)
Type | Command
 | set snmp community on page 160
 | set snmp usm on page 174
 | set snmp profile on page 167
 | set snmp notify target on page 162
 | set ip snmp server on page 152
 | display snmp status on page 191
 | display snmp community on page 186
 | display snmp usm on page 193
 | display snmp notify profile on page 188
 | display snmp notify target on page 189
 | display snmp counters on page 187
 | clear snmp community on page 121
 | clear snmp usm on page 122
 | clear snmp
Usage — If the interface you want to remove is configured as the system IP address, removing the address can interfere with system tasks that use the system IP address, including the following:
Mobility domain operations
Topology reporting for dual-homed MAP access points
Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps
Examples — The following command removes the IP interface configured on VLAN mauve
clear ip dns domain
Removes the default DNS domain name.
Syntax — clear ip dns domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the default DNS domain name from a WX switch:
WX1200# clear ip dns domain
Default DNS domain name cleared.
See Also
clear ip dns domain on page 117
display ip dns on page 128
set ip dns on page 147
set ip dns domain on page 148
set ip dns server on page 149

clear ip route
Removes a route from the IP route table.
Syntax — clear ip route {default | ip-addr mask | ip-addr/mask-length} gateway
default — Default route. default is an alias for IP address 0.0.0.0/0.
clear ip telnet
Resets the Telnet server’s TCP port number to its default value. A WX switch listens for Telnet management traffic on the Telnet server port.
Syntax — clear ip telnet
Defaults — The default Telnet port number is 23.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command resets the TCP port number for Telnet management traffic to its default:
WX4400# clear ip telnet
success: change accepted.
Examples — The following command removes NTP server 192.168.40.240 from a WX switch configuration:
WX4400# clear ntp server 192.168.40.240
success: change accepted.
See Also
clear ntp update-interval on page 120
display ntp on page 134
set ntp on page 158
set ntp server on page 158
set ntp update-interval on page 159

clear ntp update-interval
Resets the NTP update interval to the default value.
clear snmp community
Clears an SNMP community string.
Syntax — clear snmp community name comm-string
comm-string — Name of the SNMP community you want to clear.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command clears community string setswitch2:
WX-1200# clear snmp community name setswitch2
success: change accepted.
See Also
set snmp notify target on page 162
display snmp notify target on page 189

clear snmp profile
Clears an SNMP notification profile.
Syntax — clear snmp profile profile-name
profile-name — Name of the notification profile you are clearing.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command clears SNMPv3 user snmpmgr1:
WX-1200# clear snmp usm snmpmgr1
success: change accepted.
See Also
set snmp usm on page 174
display snmp usm on page 193

clear summertime
Clears the summertime setting from a wireless LAN switch.
Syntax — clear summertime
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear system ip-address
Clears the system IP address.
CAUTION: Clearing the system IP address disrupts the system tasks that use the address.
Syntax — clear system ip-address
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
History — Introduced in MSS Version 3.0.
Examples — To return the WX switch’s real-time clock to UTC, type the following command:
WX4400# clear timezone
success: change accepted.
See Also
clear snmp usm on page 122
set summertime on page 177
set timedate on page 180
set timezone on page 181
display summertime on page 138
display timedate on page 138
display timezone on page 139

display arp
Shows the ARP table.
Table 26 Output for display arp
Field | Description
ARP aging time | Number of seconds a dynamic entry can remain unused before MSS removes the entry from the ARP table.
Host | IP address, hostname, or alias.
HW Address | MAC address mapped to the IP address, hostname, or alias.
VLAN | VLAN the entry is for.
Type | Entry type: DYNAMIC — Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
State |
Examples — The following command displays all the IP interfaces configured on a WX switch:
WX4400# display interface
VLAN Name            Address         Mask            Enabled State
---- --------------- --------------- --------------- ------- -----
1    default         10.10.10.10     255.255.255.0   YES     Up
2    mauve           10.10.20.10     255.255.255.0   NO      Down
Table 27 describes the fields in this display.
Examples — The following command displays all the aliases configured on a WX switch:
WX4400# display ip alias
Name      IP Address
---------------------------------------
HR1       192.168.1.2
payroll   192.168.1.3
radius1   192.168.7.2
Table 28 describes the fields in this display.
Table 28 Output for display ip alias
Field | Description
Name | Alias string.
IP Address | IP address associated with the alias.
display ip https Table 29 describes the fields in this display.
Examples — The following command shows the status and port number for the HTTPS management interface to the WX switch:
WX4400# display ip https
HTTPS is enabled
HTTPS is set to use port 443
Last 10 Connections:
IP Address    Last Connected           Time Ago (s)
---------------------------------- ------------
10.10.10.56   2003/05/09 15:51:26 pst  349
Table 30 describes the fields in this display.
display ip route
Shows the IP route table.
Syntax — display ip route [destination]
destination — Route destination IP address, in dotted decimal notation.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Usage — When you add an IP interface to a VLAN that is up, MSS adds direct and local routes for the interface to the route table. If the VLAN is down, MSS does not add the routes.
Table 31 Output of display ip route
Field | Description
Destination/Mask | IP address and subnet mask of the route destination. The 244.0.0.0 route is automatically added by MSS and supports the IGMP snooping feature.
Proto | Protocol that added the route to the IP route table. The protocol can be one of the following: IP — MSS added the route. Static — An administrator added the route.
Metric | Cost for using the route.
display ip telnet
Shows information about the Telnet management port.
Syntax — display ip telnet
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — The following command shows the status and port number for the Telnet management interface to the WX switch:
WX4400> display ip telnet
Server Status   Port
----------------------------------
Enabled         23
Table 32 describes the fields in this display.
display ntp
Shows NTP client information.
Syntax — display ntp
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — To display NTP information for a WX switch, type the following command:
WX4400> display ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Table 33 Output for display ntp (continued)
Field | Description
Summertime | Summertime period configured on the WX switch. MSS offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set. This field is displayed only if you enable summertime.
Last NTP update | Time when the WX switch received the most recent update from an NTP server.
NTP Server | IP address of the NTP server.
display snmp configuration
Shows SNMP settings on a wireless LAN switch.
Syntax — display snmp configuration
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
CounterMeasureStopTraps YES
ClientDot1xFailureTraps YES
Community Name   Community Access
-------------    ---------------
public           read-only
private          read-write
Table 34 describes the fields in this display.
Table 34 Output of display snmp configuration
Field | Description
Snmp agent is | State of the SNMP agent on the WX switch: Enabled, Disabled
System Name | String configured by the set system name command.
System location | String configured by the set system location command.
display summertime
Shows a wireless LAN switch’s offset from its real-time clock.
Syntax — display summertime
Defaults — There is no summertime offset by default.
Access — All.
History — Introduced in MSS Version 3.0.
Examples — To display the summertime setting on a WX switch, type the following command:
WX1200# display summertime
Summertime is enabled, and set to 'PDT'.
Examples — To display the time and date set on a WX switch’s real-time clock, type the following command:
WX1200# display timedate
Sun Feb 29 2004, 23:59:02 PST
See Also
clear snmp usm on page 122
clear timezone on page 124
display summertime on page 138
display timezone on page 139
set summertime on page 177
set timedate on page 180
set timezone on page 181

display timezone
Shows the time offset for the real-time clock from UTC on a wireless LAN switch.
set timedate on page 180
set timezone on page 181

ping
Tests IP connectivity between a wireless LAN switch and another device. MSS sends an Internet Control Message Protocol (ICMP) echo packet to the specified WX switch and listens for a reply packet.
Syntax — ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-addr | vlan-name]
host — IP address, MAC address, hostname, alias, or user to ping.
size — 56.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — To stop a ping command that is in progress, press Ctrl+C.
Examples — The following command pings a WX switch that has IP address 10.1.1.1:
WX1200# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.628 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.676 ms
64 bytes from 10.1.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff:
WX1200# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1
See Also
set arp agingtime on page 142
telnet on page 195

set arp agingtime
Changes the aging timeout for dynamic ARP entries.
See Also
set arp on page 141
telnet on page 195

set interface
Configures an IP interface on a VLAN.
Syntax — set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}
vlan-id — VLAN name or number.
ip-addr mask — IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length — IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
Defaults — None.
Access — Enabled.
The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve:
WX1200# set interface mauve ip 10.10.20.10 255.255.255.0
success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve
See Also
clear interface on page 115
display interface on page 126
set interface status on page 146

set interface dhcp-client
Configures the DHCP client on a VLAN, to allow the VLAN to obtain its IP interface from a DHCP server.
Examples — The following command enables the DHCP client on VLAN corpvlan:
WX-1200# set interface corpvlan ip dhcp-client enable
success: change accepted.
See Also
clear interface on page 115
display dhcp-client on page 182
display interface on page 126

set interface dhcp-server
Configures the MSS DHCP server. Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks.
Usage — By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet. The IP interface of the VLAN must be within the same subnet but is not required to be within the range.
set ip alias
Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI commands.
Syntax — set ip alias name ip-addr
name — String of up to 32 alphanumeric characters, with no spaces.
ip-addr — IP address in dotted decimal notation.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command configures the alias HR1 for IP address 192.168.1.2:
WX4400# set ip alias HR1 192.168.1.
See Also
clear ip dns domain on page 117
clear ip dns server on page 117
display ip dns on page 128
set ip dns domain on page 148
set ip dns server on page 149

set ip dns domain
Configures a default domain name for DNS queries. The wireless LAN switch appends the default domain name to domain names or hostnames you enter in commands.
set ip dns server
Specifies a DNS server to use for resolving hostnames you enter in CLI commands.
Syntax — set ip dns server ip-addr {primary | secondary}
ip-addr — IP address of a DNS server, in dotted decimal or CIDR notation.
primary — Makes the server the primary server, which MSS always consults first for resolving DNS queries.
secondary — Makes the server a secondary server. MSS consults a secondary server only if the primary server does not reply.
Defaults — None.
set ip https server
Enables the HTTPS server on a WX switch. The HTTPS server is required for Web Manager access to the switch.
CAUTION: If you disable the HTTPS server, Web Manager access to the WX switch is disabled.
Syntax — set ip https server {enable | disable}
enable — Enables the HTTPS server.
disable — Disables the HTTPS server.
Defaults — The HTTPS server is disabled by default.
Access — Enabled.
History — The default is changed to disabled in 3.1.
ip-addr mask — IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length — IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).
gateway — IP address, DNS hostname, or alias of the next-hop router.
metric — Cost for using the route. You can specify a value from 0 through 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
Examples — The following command adds a default route that uses gateway 10.5.4.1 and gives the route a cost of 1:
WX4400# set ip route default 10.5.4.1 1
success: change accepted.
The following commands add two default routes, and configure MSS to always use the route through 10.2.4.69 when the interface to that gateway router is up:
WX4400# set ip route default 10.2.4.69 1
success: change accepted.
WX4400# set ip route default 10.2.4.17 2
success: change accepted.
History — Introduced in MSS Version 3.0.
Examples — The following command enables the SNMP server on a WX switch:
WX4400# set ip snmp server enable
success: change accepted.
See Also
set ip ssh absolute-timeout on page 154
set ip ssh idle-timeout on page 155
set ip ssh server on page 155

set ip ssh absolute-timeout
Changes the number of minutes an SSH session can remain open. The absolute-timeout value applies regardless of whether the session is active or idle.
Syntax — set ip ssh absolute-timeout minutes
minutes — Number of minutes an SSH session can remain open.
set ip ssh idle-timeout
Changes the number of minutes an SSH session can remain idle.
Syntax — set ip ssh idle-timeout minutes
minutes — Number of minutes an SSH session can remain idle. You can set the idle timeout to a value from 0 (disabled) to 2,147,483,647 minutes.
Defaults — The default idle timeout is 30 minutes.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must generate an SSH authentication key to use SSH. The maximum number of SSH sessions supported on a WX switch is eight. If Telnet is also enabled, the WX switch can have up to eight Telnet or SSH sessions, in any combination, and one Console session.
See Also
clear ip telnet on page 119
display ip https on page 129
display ip telnet on page 133
set ip https server on page 150
set ip telnet server on page 157

set ip telnet server
Enables the Telnet server on a wireless LAN switch.
CAUTION: If you disable the Telnet server, Telnet access to the WX switch is also disabled.
Syntax — set ip telnet server {enable | disable}
enable — Enables the Telnet server.
disable — Disables the Telnet server.
set ntp
Enables or disables the NTP client on a wireless LAN switch.
Syntax — set ntp {enable | disable}
enable — Enables the NTP client.
disable — Disables the NTP client.
Defaults — The NTP client is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the WX time can take many NTP update intervals.
History — Introduced in MSS Version 3.0.
Usage — You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis. To use NTP, you also must enable the NTP client with the set ntp command.
Examples — The following command configures a WX switch to use NTP server 192.168.1.5:
WX4400# set ntp server 192.168.1.
See Also
- clear ntp server on page 119
- clear ntp update-interval on page 120
- display ntp on page 134
- set ntp on page 158
- set ntp server on page 158

set snmp community
Configures a community string for SNMPv1 or SNMPv2c. For SNMPv3, use the set snmp usm command to configure an SNMPv3 user. SNMPv3 does not use community strings.
History — Introduced in MSS Version 3.0. In Version 4.0, new access types were added for SNMPv3: read-notify, notify-only, and notify-read-write.
SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. 3Com recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private. If you are using SNMPv3, you can configure SNMPv3 users to use authentication and to encrypt SNMP data.
set snmp notify target
Configures a notification target for informs from SNMP. A notification target is a remote device to which MSS sends SNMP notifications. You can configure the MSS SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.
security — Specifies the security level, and is applicable only when the SNMP version is usm:
- unsecured — Message exchanges are not authenticated, nor are they encrypted. This is the default.
- authenticated — Message exchanges are authenticated, but are not encrypted.
- encrypted — Message exchanges are authenticated and encrypted.
- unsecured — Message exchanges are not authenticated, nor are they encrypted. This is the default.
- authenticated — Message exchanges are authenticated, but are not encrypted.
- encrypted — Message exchanges are authenticated and encrypted.
SNMPv2c with Traps
To configure a notification target for traps from SNMPv2c, use the following command:
Syntax — set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string trap [profile profile-name]
target-num — ID for the target. This ID is local to the WX switch and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip-addr[:udp-port-number] — IP address of the server.
Defaults — The default UDP port number on the target is 162. The default minimum required security level is unsecured. The default number of retries is 0 and the default timeout is 2 seconds.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements.
set snmp profile
Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. You can configure up to 10 notification profiles.
Syntax — set snmp profile {default | profile-name} {drop | send} {notification-type | all}
default | profile-name — Name of the notification profile you are creating or modifying.
Table 35 SNMP notification types (continued)
ClientDot1xFailureTraps | Generated when a client experiences an 802.1X failure.
ClientRoamingTraps | Generated when a client roams.
CounterMeasureStartTraps | Generated when MSS begins countermeasures against a rogue access point.
CounterMeasureStopTraps | Generated when MSS stops countermeasures against a rogue access point.
Table 35 SNMP notification types (continued)
RFDetectRogueDisappearTraps | Generated when a rogue access point is no longer being detected.
RFDetectClientViaRogueWiredAPTraps | Generated when MSS detects, on the wired part of the network, the MAC address of a wireless client associated with a third-party AP.
RFDetectDoSPortTraps | Generated when MSS detects an associate request flood, reassociate request flood, or disassociate request flood.
Table 35 SNMP notification types (continued)
RFDetectUnAuthorizedOuiTraps | Generated when a wireless device that is not on the list of permitted vendors is detected.
RFDetectUnAuthorizedSsidTraps | Generated when an SSID that is not on the permitted SSID list is detected.

all — Sends or drops all notifications.
Defaults — A default notification profile (named default) is already configured in MSS. All notifications in the default profile are dropped by default.
WX-1200# set snmp notify profile RFDetectRogueAPTraps
success: change accepted.
WX-1200# set snmp notify profile RFDetectRogueDisappearTraps
success: change accepted.
WX-1200# set snmp notify profile RFDetectSpoofedMacAPTraps
success: change accepted.
WX-1200# set snmp notify profile RFDetectSpoofedSsidAPTraps
success: change accepted.
WX-1200# set snmp notify profile RFDetectUnAuthorizedAPTraps
success: change accepted.
set snmp protocol
Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.
Syntax — set snmp protocol {v1 | v2c | usm | all} {enable | disable}
v1 — SNMPv1
v2c — SNMPv2c
usm — SNMPv3 (with the user security model)
all — Enables all supported versions of SNMP.
enable — Enables the specified SNMP version(s).
disable — Disables the specified SNMP version(s).
Defaults — All SNMP versions are disabled by default.
Access — Enabled.
set snmp security
Sets the minimum level of security MSS requires for SNMP message exchanges.
Syntax — set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}
unsecured — SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
authenticated — SNMP message exchanges are authenticated but are not encrypted.
encrypted — SNMP message exchanges are authenticated and encrypted.
- set snmp protocol on page 172
- set snmp usm on page 174
- display snmp status on page 191

set snmp trap
This command is deprecated in MSS Version 4.0. To enable or disable SNMP notifications, configure a notification profile. See set snmp profile on page 167.

set snmp trap receiver
This command is deprecated in MSS Version 4.0. To configure an SNMP notification target (also called trap receiver), see set snmp notify target on page 162.
ip ip-addr — ID is based on the IP address of the station running the management application. Enter the IP address of the station. MSS calculates the engine ID based on the address.
local — Uses the value computed from the switch’s system IP address.
To specify a passphrase, use the auth-pass-phrase string option. The string can be from 8 to 32 alphanumeric characters long, with no spaces. To specify a key, use the auth-key hex-string option.
encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string} — Specifies the encryption type used for SNMP traffic. You can specify one of the following:
- none—No encryption is used. This is the default.
WX-1200# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase mycryptpword
success: change accepted.
min — Minute to start or end the time change — a value between 0 and 59.
end — End of the time change period.
Defaults — If you do not specify a start and end time, the system implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in October, according to the North American standard.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set system ip-address
Configures the system IP address. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following:
- Mobility domain operations
- Topology reporting for dual-homed MAP access points
- Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps
Syntax — set system ip-address ip-addr
ip-addr — IP address, in dotted decimal notation.
set timedate
Sets the time of day and date on the wireless LAN switch.
Syntax — set timedate {date mmm dd yyyy [time hh:mm:ss]}
date mmm dd yyyy — System date:
- mmm — month
- dd — day
- yyyy — year
time hh:mm:ss — System time, in hours, minutes, and seconds.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The day of week is automatically calculated from the day you set.
set timezone
Sets the number of hours, and optionally the number of minutes, that the wireless LAN switch’s real-time clock is offset from Coordinated Universal Time (UTC). These values are also used by Network Time Protocol (NTP), if it is enabled.
Syntax — set timezone zone-name {-hours [minutes]}
zone-name — Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like.
display dhcp-client
Displays DHCP client information for all VLANs.
Syntax — display dhcp-client
Defaults — None.
Access — All.
History — Introduced in MSS Version 4.0.
Examples — The following command displays DHCP client information:
WX-1200# display dhcp-client
Interface: corpvlan(4)
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.
Table 36 Output for display dhcp-client (continued)
Field | Description
Subnet Mask | Network mask of the IP address received from the DHCP server.
Default Gateway | Default gateway IP address received from the DHCP server. If the address is 0.0.0.0, the server did not provide an address.
DHCP Server | IP address of the DHCP server.
DNS Servers | DNS server IP address(es) received from the DHCP server.
DNS Domain Name | Default DNS domain name received from the DHCP server.
The following command displays configuration and status information for each VLAN on which the DHCP server is configured:
WX-1200# display dhcp-server
Interface: 0 (Direct AP)
Status: UP
Address Range: 10.0.0.1-10.0.0.253
Interface: Status: Address Range: DHCP Clients: Hardware Address: State: Lease Allocation: Lease Remaining: IP Address: Subnet Mask: Default Gateway: DNS Servers: DNS Domain Name:
default(1) UP 10.10.20.2-10.10.20.
Table 38 Output for display dhcp-client verbose
Field | Description
Interface | VLAN name and number.
Status | Status of the interface: UP, DOWN
Address Range | Range from which the server can lease addresses.
Hardware Address | MAC address of the DHCP client.
State | State of the address lease: SUSPEND—MSS is checking for the presence of another DHCP server on the subnet. This is the initial state of the MSS DHCP server.
display snmp community
Displays the configured SNMP community strings.
Syntax — display snmp community
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — To display the configured SNMP community strings, use the following command:
WX-1200# display snmp community
Communities: "wireless_switch", access=read-write-notify, notify target use cnt=0
Table 39 describes the fields in this display.
See Also
- clear snmp community on page 121
- set snmp community on page 160

display snmp counters
Displays SNMP statistics counters.
Syntax — display snmp counters
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
display snmp notify profile
Displays SNMP notification profiles.
Syntax — display snmp notify profile
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
RFDSPOOFSSIDAP, drop RFDDETECTDOS, drop RFDCLNTROGUEWAP, drop RFDINTROGUEAP, drop RFDINTROGUEDISAP, drop RFDUNAUTHORSSID, drop RFDUNAUTHOROUI, drop RFDUNAUTHORAP, drop DAPCONNWARN, drop RFDDETECTDOSPORT, drop
The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile.
retry count=snmp-engine-id timeout=1
Table 40 describes the fields in this display.
Table 40 Output for display snmp notification target
Field | Description
user | Name of the SNMP user.
engineID | SNMP engine ID associated with the user. For traps, the engine ID is local. For informs, the engine ID is that of the notification receiver.
notify profile | Name of the notification profile used by the target.
display snmp status
Displays SNMP version and status information.
Syntax — display snmp status
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Table 41 Output for display SNMP status (continued)
Field | Description
SNMP minimum security | Lowest (least secure) security level set on the switch:
- authenticated—SNMP message exchanges are authenticated but are not encrypted.
- auth-req-unsec-notify—SNMP message exchanges are authenticated but are not encrypted, and notifications are neither authenticated nor encrypted.
- encrypted—SNMP message exchanges are authenticated and encrypted.
- display snmp notify target on page 189
- display snmp usm on page 193

display snmp usm
Displays information about SNMPv3 users.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — To display USM settings, use the following command:
WX-1200# display snmp usm
USM users: "nmsuser", engineID=localSnmpID access=read-notify auth=NONE encrypt=NONE notify target use cnt=0
Table 42 describes the fields in this display.
Table 42 Output for display snmp usm (continued)
Field | Description
access | Access settings for the string:
- read-only—An SNMP management application using the string can get (read) object values on the switch but cannot set (write) them.
- read-notify—An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications.
auth |
encrypt |
notify target use cnt |
telnet
Opens a Telnet client session with a remote device.
Syntax — telnet {ip-addr | hostname} [port port-num]
ip-addr — IP address of the remote device.
hostname — Hostname of the remote device.
port port-num — TCP port number on which the TCP server on the remote device listens for Telnet connections.
Defaults — MSS attempts to establish Telnet connections with TCP port 23 by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
3 red 10 backbone Up Up Up Up 5 5 1 2 none Up none Up
When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local prompt:
WX1200-remote> Session 0 pty tty2.d terminated tt name tty2.d
WX1200#
See Also
- clear sessions on page 497
- display sessions on page 500

traceroute
Traces the route to an IP host.
no-dns — Disabled
port — 33434
queries — 3
size — 38
ttl — 30
wait — 5000
Access — All.
History — Introduced in MSS Version 3.0.
Usage — To stop a traceroute command that is in progress, press Ctrl+C.
Examples — The following example traces the route to host server1:
WX4400# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.
If Traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable message, MSS displays one of the error codes described in Table 43 instead of displaying the round-trip time or an asterisk (*).
Table 43 describes the traceroute error messages.
Table 43 Error messages for traceroute
Field | Description
!N | No route to host. The network is unreachable.
!H | No route to host. The host is unreachable.
!P | Connection refused.
7 AAA COMMANDS
Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local WX database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see Chapter 12.)

Commands by Usage
This chapter presents AAA commands alphabetically.
Table 44 AAA Commands by Usage (continued)
Type | Command
 | clear authentication web on page 207
Local Authorization for Password Users | set user on page 256
 | clear user on page 213
 | set user attr on page 257
 | clear user attr on page 214
 | set usergroup on page 259
 | clear usergroup on page 215
 | set user group on page 258
 | clear user group on page 215
 | clear usergroup attr on page 216
Local Authorization for MAC Users | set mac-user on page 245
 | clear mac-user on page 209
 | set mac-user attr on
clear accounting
Removes accounting services for specified wireless users with administrative access or network access.
Syntax — clear accounting {admin | dot1x} {user-glob}
admin — Users with administrative access to the WX switch through a console connection or through a Telnet or Web Manager connection.
dot1x — Users with network access through the WX switch. Users with network access are authorized to use the network through either an IEEE 802.
clear authentication admin
Removes an authentication rule for administrative access through Telnet or Web Manager.
Syntax — clear authentication admin user-glob
user-glob — A single user or set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.).
clear authentication console
Removes an authentication rule for administrative access through the Console.
Syntax — clear authentication console user-glob
user-glob — A single user or set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.).
clear authentication dot1x
Removes an 802.1X authentication rule.
Syntax — clear authentication dot1x {ssid ssid-name | wired} user-glob
ssid ssid-name — SSID name to which this authentication rule applies.
wired — Clears a rule used for access over a WX switch’s wired-authentication port.
user-glob — User-glob associated with the rule you are removing.
clear authentication last-resort
Removes a last-resort authentication rule.
Syntax — clear authentication last-resort {ssid ssid-name | wired}
ssid ssid-name — SSID name to which this authentication rule applies.
wired — Clears a rule used for access over a WX switch’s wired-authentication port.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
mac-addr-glob — MAC address glob associated with the rule you are removing. Specify a MAC address, or use the wildcard (*) character to specify a set of MAC addresses. (For details, see “MAC Address Globs” on page 27.)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the proxy rule for SSID mycorp and userglob **:
WX-1200# clear authentication proxy ssid mycorp **
See Also
- set authentication proxy on page 238 on page 260

clear authentication web
Removes a WebAAA rule.
Syntax — clear authentication web {ssid ssid-name | wired} user-glob
ssid ssid-name — SSID name to which this authentication rule applies.
- clear authentication dot1x on page 204
- clear authentication last-resort on page 205
- clear authentication mac on page 205
- display aaa on page 217
- set authentication web on page 239

clear location policy
Removes a rule from the location policy on a WX switch.
Syntax — clear location policy rule-number
rule-number — Index number of a location policy rule to remove from the location policy.
Defaults — None.
Access — Enabled.
clear mac-user
Removes a user profile from the local database on the WX switch, for a user who is authenticated by a MAC address. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax — clear mac-user mac-addr
mac-addr — MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
attribute-name — Name of an attribute used to authorize the MAC user for a particular service or session characteristic. (For a list of authorization attributes, see Table 47 on page 247.)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes an access control list (ACL) from the profile of a user at MAC address 01:02:03:04:05:06:
WX4400# clear mac-user 01:02:03:04:05:06 attr filter-id
success: change accepted.
Examples — The following command deletes the user profile for a user at MAC address 01:02:03:04:05:06 from its user group:
WX4400# clear mac-user 01:02:03:04:05:06 group
success: change accepted.
See Also
- clear mac-usergroup on page 211
- display aaa on page 217
- set mac-user on page 245

clear mac-usergroup
Removes a user group from the local database on the WX switch, for a group of users who are authenticated by a MAC address.
clear mac-usergroup attr
Removes an authorization attribute from a MAC user group in the local database on the WX switch, for a group of users who are authenticated by a MAC address. (To unconfigure an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax — clear mac-usergroup group-name attr attribute-name
group-name — Name of an existing MAC user group.
clear mobility-profile
Removes a Mobility Profile entirely.
Syntax — clear mobility-profile name
name — Name of an existing Mobility Profile.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the Mobility Profile for user Nin:
WX1200# clear mobility-profile Nin
success: change accepted.
Examples — The following command deletes the user profile for user Nin:
WX4400# clear user Nin
success: change accepted.
See Also
- display aaa on page 217
- set user on page 256

clear user attr
Removes an authorization attribute from the user profile in the local database on the WX switch, for a user with a password. (To remove an authorization attribute from a RADIUS user profile, see the documentation for your RADIUS server.
clear user group
Removes a user with a password from membership in a user group in the local database on the WX switch. (To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax — clear user username group
username — Username of a user with a password.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — Removing a user group from the local WX database does not remove the user profiles of the group’s members from the database.
Examples — The following command deletes the cardiology user group from the local database:
WX4400# clear usergroup cardiology
success: change accepted.
Examples — The following command removes the members of the user group cardiology from a network access time restriction by deleting the Time-Of-Day attribute from the group:
WX4400# clear usergroup cardiology attr time-of-day
success: change accepted.
See Also
- clear usergroup on page 215
- display aaa on page 217
- set usergroup on page 259

display aaa
Displays all current AAA settings.
Syntax — display aaa
Defaults — None.
Access — Enabled.
set authentication admin Jose sg3
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
set authentication last-resort ssid guestssid local
user Nin Password = 082c6c64060b (encryp
Table 45 display aaa Output (continued)
deadtime | Number of minutes the WX switch waits after determining a RADIUS server is unresponsive before trying to reconnect with this server. During the dead time, the RADIUS server is ignored by the WX switch. The default is 0 minutes.
key | Shared secret key, or password, used to authenticate to a RADIUS server. The default is no key.
- set authentication last-resort on page 234
- set authentication mac on page 236
- set authentication web on page 239

display accounting statistics
Displays the AAA accounting records for wireless users. The records are stored in the local database on the WX switch. (To display RADIUS accounting records, see the documentation for your RADIUS server.)
Syntax — display accounting statistics
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Table 46 display accounting statistics Output (continued)
Acct-Status-Type | Type of accounting record: START, STOP, UPDATE
Acct-Authentic | Location where the user was authenticated (if authentication took place) for the session: 1 — RADIUS server, 2 — Local WX database
User-Name | Username of a user with a password.
Acct-Multi-Session-Id | Unique accounting ID for multiple related sessions in a log file.
display location policy
Displays the list of location policy rules that make up the location policy on a WX switch.
Syntax — display location policy
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command displays the list of location policy rules in the location policy on a WX switch:
WX4400 display location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.
Mobility Profiles
Name Ports
=========================
magnolia AP 2
See Also
- clear mobility-profile on page 213
- set mobility-profile on page 253

set accounting {admin | console}
Sets up accounting services for specified wireless users with administrative access, and defines the accounting records and where they are sent.
A method can be one of the following:
- local — Stores accounting records in the local database on the WX switch. When the local accounting storage space is full, MSS overwrites older records with new ones.
- server-group-name — Stores accounting records on one or more Remote Authentication Dial-In User Service (RADIUS) servers. You can also enter the names of existing RADIUS server groups as methods.
Defaults — Accounting is disabled for all users by default.
web — Users with network access through the WX switch who are authenticated by WebAAA
ssid ssid-name — SSID name to which this accounting rule applies. To apply the rule to all SSIDs, type any.
wired — Applies this accounting rule specifically to users who are authenticated on a wired authentication port.
user-glob — Single user or set of users with administrative access or network access.
Defaults — Accounting is disabled for all users by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — For network users with start-stop accounting whose records are sent to a RADIUS server, MSS sends interim updates to the RADIUS server when the user roams.
Examples — The following command issues stop-only records to the RADIUS server group sg2 for network user Nin, who is authenticated by 802.
server-group-name — Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
none — For users with administrative access only, MSS performs no authentication, but prompts for a username and password and accepts any combination of entries, including blanks.
If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS servers are unavailable, and MSS authenticates a client with the local method, MSS starts again at the beginning of the method list when attempting to authorize the client. This can cause unexpected delays during client processing and can cause the client to time out before completing logon.
A method can be one of the following:
- local — Uses the local database of usernames and user groups on the WX switch for authentication.
- server-group-name — Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
However, if local appears first, followed by a RADIUS server group, MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group.
Examples — To set the console port so that it does not enforce username-password authentication for administrators, type the following command:
WX4400# set authentication console * none
success: change accepted.
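An added example, not part of the 3Com reference: a short Python audit that scans a saved configuration for the settings this reference itself describes as clear-text or unauthenticated (set ip telnet server, set snmp protocol, set snmp security, set snmp usm without encryption, the none method of set authentication admin and console, and an SSH idle timeout of 0), and checks display snmp community output for the well-known strings public and private. The sample configuration, user names, passphrases and rule identifiers are constructed for illustration, and the DES finding reflects general cryptographic guidance rather than a statement in this reference.

```python
import re

# Constructed sample configuration, written in the command forms this reference shows.
SAMPLE_CONFIG = """\
set ip telnet server enable
set ip ssh idle-timeout 0
set snmp protocol all enable
set snmp security unsecured
set snmp usm nmsuser1 snmp-engine-id local auth-type sha auth-pass-phrase examplepass1
set snmp usm nmsuser2 snmp-engine-id local auth-type sha auth-pass-phrase examplepass2 encrypt-type aes encrypt-pass-phrase examplepass3
set authentication console * none
set authentication admin Jose sg3
"""

# Constructed sample in the layout of the display snmp community example.
SAMPLE_COMMUNITIES = (
    'Communities: "public", access=read-write-notify, notify target use cnt=0\n'
    '"wireless_switch", access=read-only, notify target use cnt=0\n'
)

CLEARTEXT_SNMP = {"v1", "v2c", "all"}        # v1 and v2c pass community strings in clear text
WELL_KNOWN_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r'"([^"]+)",\s*access=([\w-]+)')


def _opt(tokens, name, default=None):
    """Return the token that follows option `name`, or `default` if it is absent."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return default


def audit_config(text):
    """Return (line number, rule id, message) for each risky 'set' command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        t = raw.split()
        if len(t) < 4 or t[0] != "set":
            continue
        hit = None
        if t[1:4] == ["ip", "telnet", "server"] and t[4:5] == ["enable"]:
            hit = ("telnet-enabled", "Telnet management is enabled; prefer SSH")
        elif t[1:4] == ["ip", "ssh", "idle-timeout"] and t[4:5] == ["0"]:
            hit = ("ssh-idle-timeout-disabled", "0 disables the SSH idle timeout")
        elif t[1:3] == ["snmp", "protocol"] and t[3] in CLEARTEXT_SNMP and t[4:5] == ["enable"]:
            hit = ("snmp-cleartext-version", "SNMPv1/v2c enabled (" + t[3] + ")")
        elif t[1:3] == ["snmp", "security"] and t[3] != "encrypted":
            hit = ("snmp-min-security", "minimum SNMP security is " + t[3])
        elif t[1:3] == ["snmp", "usm"]:
            enc = _opt(t, "encrypt-type", "none")   # none is the documented default
            if enc == "none":
                hit = ("usm-no-encryption", "USM user " + t[3] + " does not encrypt SNMP data")
            elif enc == "des":
                hit = ("usm-weak-cipher", "USM user " + t[3] + " uses DES")
        elif t[1] == "authentication" and t[2] in ("admin", "console") and "none" in t[4:]:
            hit = ("auth-none", t[2] + " access for " + t[3] + " uses method none")
        if hit:
            findings.append((lineno,) + hit)
    return findings


def audit_communities(display_output):
    """Return (community, access) pairs that use a well-known community string."""
    return [(name, access)
            for name, access in COMMUNITY_RE.findall(display_output)
            if name.lower() in WELL_KNOWN_COMMUNITIES]


if __name__ == "__main__":
    for lineno, rule, message in audit_config(SAMPLE_CONFIG):
        print("line %d: %s: %s" % (lineno, rule, message))
    for name, access in audit_communities(SAMPLE_COMMUNITIES):
        print("community %r (%s) is a well-known string" % (name, access))
```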
bonded — Enables Bonded Auth™ (bonded authentication). When this feature is enabled, MSS authenticates the user only if the machine the user is on has already been authenticated.
protocol — Protocol used for authentication. Specify one of the following:
- eap-md5 — Extensible Authentication Protocol (EAP) with message-digest algorithm 5.
A method can be one of the following:
- local — Uses the local database of usernames and user groups on the WX switch for authentication.
- server-group-name — Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
RADIUS servers cannot be used with the EAP-TLS protocol. For more information, see “Usage.
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed searches in the local WX database and sends an authentication request to the server group.
If the user does not support 802.1X, MSS attempts to perform MAC authentication for the user.
set authentication last-resort
Configures an authentication rule to grant network access to a user who is not otherwise granted or denied access by 802.1X, or granted access by MAC authentication.
Syntax — set authentication last-resort {ssid ssid-name | wired} method1 [method2] [method3] [method4]
ssid ssid-name — SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
You can configure a rule either for wireless access to an SSID, or for wired access through a WX switch’s wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.
See Also
    clear authentication last-resort on page 205
    display aaa on page 217
    set authentication admin on page 226
    set authentication console on page 228
    set authentication dot1x on page 230
    set authentication mac on page 236
    set authentication web on page 239

set authentication mac
Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address.
Defaults — By default, authentication is deactivated for all MAC users, which means MAC address authentication fails by default. When using RADIUS for authentication, a MAC user’s MAC address is also used as the authorization password for that user, and no global authorization password is set.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You can configure different authentication methods for different groups of MAC addresses by “globbing.
See Also
    clear authentication mac on page 205
    display aaa on page 217
    set authentication admin on page 226
    set authentication console on page 228
    set authentication dot1x on page 230
    set authentication last-resort on page 234
    set authentication web on page 239

set authentication proxy
Configures a proxy authentication rule for a third-party AP’s wireless users.
Examples — The following command configures a proxy authentication rule that matches on all usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy RADIUS requests and hence to authenticate and authorize the users.
server-group-name — Uses the defined group of RADIUS servers for authentication. You can enter up to four names of existing RADIUS server groups as methods.
RADIUS servers cannot be used with the EAP-TLS protocol. For more information, see “Usage.”
Defaults — By default, authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch.
The fallthru method is web. (For a wireless authentication rule, the fallthru method is specified by the set service-profile auth-fallthru command. For a wired authentication rule, the fallthru method is specified by the auth-fall-thru option of the set port type wired-auth command.)
Examples — The following command configures a WebAAA rule in the local WX database for SSID ourcorp and userglob rnd*:
    WX4400# set authentication web ssid ourcorp rnd* local
    success: change accepted.
permit — Allows access to the network or to a specified VLAN, and/or assigns a particular security ACL to users with characteristics that match the location policy rule.
Action options — For a permit rule, MSS changes the attributes assigned to the user to the values specified by the following options:
    vlan vlan-name — Name of an existing VLAN to assign to users with characteristics that match the location policy rule.
user operator user-glob — Username and condition by which to determine if the location policy rule applies. Replace operator with one of the following operands:
    eq — Applies the location policy rule to all usernames matching user-glob.
    neq — Applies the location policy rule to all usernames not matching user-glob.
Conditions within a rule are ANDed. All conditions in the rule must match for MSS to take the specified action. If the location policy contains multiple rules, MSS compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list. MSS continues comparing until a user matches all conditions in a rule or until there are no more rules.
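The evaluation order described above, as an added Python sketch (not MSS code and not part of the original reference): conditions within a rule are ANDed and the first rule whose conditions all match decides the outcome, so rule order changes the result. The Rule and Condition classes, the deny action, the use of fnmatch in place of MSS glob matching, the no-match behavior, and the sample session are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

OPERATORS = ("eq", "neq")


@dataclass
class Condition:
    attr: str   # session attribute to test, e.g. "user" or "vlan"
    op: str     # "eq" (matches the glob) or "neq" (does not match the glob)
    glob: str

    def __post_init__(self):
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator: {self.op}")

    def matches(self, session):
        # Assumption: fnmatch stands in for MSS glob matching.
        hit = fnmatchcase(session.get(self.attr, ""), self.glob)
        return hit if self.op == "eq" else not hit


@dataclass
class Rule:
    action: str      # "permit", or "deny" (deny is assumed, not shown in this excerpt)
    conditions: list
    assign: dict = field(default_factory=dict)  # vlan / inacl / outacl overrides


def evaluate(rules, session):
    """Return (rule_number, outcome, attributes) for the first matching rule."""
    for number, rule in enumerate(rules, start=1):
        # Conditions within a rule are ANDed: every one must match.
        if all(cond.matches(session) for cond in rule.conditions):
            if rule.action == "deny":
                return number, "deny", dict(session)
            # A permit rule overrides the attributes it names.
            return number, "permit", {**session, **rule.assign}
    # Assumption: with no matching rule the attributes are left unchanged.
    return None, "no-match", dict(session)


# Constructed sample data (hypothetical user and VLAN names).
SESSION = {"user": "rnd-alice", "vlan": "bldg4.eng"}
ACL_RULE = Rule(
    "permit",
    [Condition("vlan", "eq", "bldg4.*")],
    {"inacl": "svcs_2", "outacl": "svcs_3"},
)
DENY_RND = Rule(
    "deny",
    [Condition("user", "eq", "rnd*"), Condition("vlan", "neq", "lab*")],
)


def compare_orderings():
    """Evaluate the same session against both orderings of the two rules."""
    return (
        evaluate([ACL_RULE, DENY_RND], SESSION),
        evaluate([DENY_RND, ACL_RULE], SESSION),
    )


if __name__ == "__main__":
    for result in compare_orderings():
        print(result)
```

With the permit rule first the session receives both ACLs; with the deny rule first the same session is refused, which is why rule order should be reviewed whenever a rule is added.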
The following command authorizes access to users on VLANs with names matching bldg4.* and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
    WX4400# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.
Users authenticated by MAC address can be authenticated only for network access through the WX switch. MSS does not support passwords for MAC users.
Examples — The following command creates a user profile for a user at MAC address 01:02:03:04:05:06 and assigns the user to the eastcoasters user group:
    WX4400# set mac-user 01:02:03:04:05:06 group eastcoasters
    success: change accepted.
Table 47 Authentication Attributes for Local Users
Attribute: encryption-type
Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
Valid Value(s): One of the following numbers that identifies an encryption algorithm:
    1—AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
Table 47 Authentication Attributes for Local Users (continued)
Attribute: filter-id
Description: Inbound or outbound ACL to apply to the user.
Valid Value(s): If configured in the WX switch’s local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format:
    filter-id inboundacl.in
    or
    filter-id outboundacl.out
If you are configuring the attribute on a RADIUS server, the value field of filter-id can specify up to two ACLs.
Table 47 Authentication Attributes for Local Users (continued)
Attribute: service-type
Description: Type of access the user is requesting.
Valid Value(s): One of the following numbers:
    2—Framed; for network user access
    6—Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to access the enabled mode.
    7—NAS-Prompt; for administrative access to the nonenabled mode only.
Table 47 Authentication Attributes for Local Users (continued)
Attribute: time-of-day (network access mode only)
Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user’s session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.
Valid Value(s): One of the following:
    never—Access is always denied.
    any—Access is always allowed.
    al—Access is always allowed.
Table 47 Authentication Attributes for Local Users (continued)
Attribute: url (network access mode only)
Description: URL to which the user is redirected after successful WebAAA.
Valid Value(s): Web URL, in standard format. For example:
    http://www.example.com
You must include the http:// portion.
The following command restricts a user at MAC address 06:05:04:03:02:01 to network access between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:
    WX4400# set mac-user 06:05:04:03:02:01 attr time-of-day mo1900-1159,tu0000-0700,we1900-1159,th0000-0700
    success: change accepted.
Examples — The following command creates the MAC user group eastcoasters and assigns the group members to VLAN orange:
    WX4400# set mac-usergroup eastcoasters attr vlan-name orange
    success: change accepted.
Usage — To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:
    set user attr mobility-profile name
    set usergroup attr mobility-profile name
    set mac-user attr mobility-profile name
    set mac-usergroup attr mobility-profile name
To enable the use of the Mobility Profile feature on the WX switch, use the set mobility-profile mode command.
    set mobility-profile mode
    set user attr on page 257
    set usergroup on page 259

set mobility-profile mode
Enables or disables the Mobility Profile feature on the WX switch.
CAUTION: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local WX switch database or RADIUS server when no Mobility Profile of that name exists on the WX switch.
set user
Configures a user profile in the local database on the WX switch for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax — set user username password string (encrypted)
    username — Username of a user with a password.
    password string — Password of up to 32 alphanumeric characters, with no spaces.
    encrypted — Indicates that the password string you entered is already in its encrypted form.
    success: User admin created
The following command changes Nin’s password from goody to 29Jan04:
    WX4400# set user Nin password 29Jan04
See Also
    clear user on page 213
    display aaa on page 217

set user attr
Configures an authorization attribute in the local database on the WX switch for a user with a password. (To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.
The following command assigns Tamara to the Mobility Profile tulip.
    WX4400# set user Tamara attr mobility-profile tulip
    success: change accepted.
See Also
    clear user attr on page 214
    display aaa on page 217

set user group
Adds a user to a user group. The user must have a password and a profile that exists in the local database on the WX switch. (To configure a user in RADIUS, see the documentation for your RADIUS server.
set usergroup
Creates a user group in the local database on the WX switch for users and assigns authorization attributes for the group. (To create user groups and assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)
Syntax — set usergroup group-name attr attribute-name value
    group-name — Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces.
set web-aaa
Globally enables or disables WebAAA on a WX switch.
Syntax — set web-aaa {enable | disable}
    enable — Enables WebAAA on the switch.
    disable — Disables WebAAA on the switch.
Defaults — Enabled.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command disables or reenables support for WebAAA. However, WebAAA has additional configuration requirements.
8 MOBILITY DOMAIN COMMANDS
Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of WX switches and MAP access points working together to support a roaming user (client). One WX switch acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members. 3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain.
clear mobility-domain
Clears all Mobility Domain configuration and information from a WX switch, regardless of whether the WX switch is a seed or a member of a Mobility Domain.
Syntax — clear mobility-domain
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command has no effect if the WX switch is not configured as part of a Mobility Domain.
Usage — This command has no effect if the WX switch member is not configured as part of a Mobility Domain or the current WX switch is not the seed.
Examples — The following command clears a Mobility Domain member with the IP address 192.168.0.1:
    WX1200# clear mobility-domain member 192.168.0.1
See Also
    set mobility-domain member on page 265

display mobility-domain config
Displays the configuration of the Mobility Domain.
History — Introduced in MSS Version 3.0.
Examples — To display Mobility Domain status, type the following command:
    WX4400# display mobility-domain status
    Mobility Domain name: Pleasanton
    Member            State        Status
    ---------------------------------------
    192.168.253.11    STATE_UP     MEMBER
    192.168.253.12    STATE_DOWN   MEMBER
    192.168.253.14    STATE_UP     SEED
Table 49 describes the fields in the display.
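An added Python example (not part of the original reference and not 3Com code) that parses the display mobility-domain status output shown above and reports members that are not up, plus a missing or duplicated seed. The sample text is the page's own example output with its columns restored; the function names and the single-seed check are assumptions made for this illustration.

```python
import ipaddress

# The example output from this page, with column layout restored.
SAMPLE = """\
Mobility Domain name: Pleasanton
Member            State        Status
---------------------------------------
192.168.253.11    STATE_UP     MEMBER
192.168.253.12    STATE_DOWN   MEMBER
192.168.253.14    STATE_UP     SEED
"""


def parse_status(text):
    """Return (domain_name, [member dicts]) from the command output."""
    domain = None
    members = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Mobility Domain name:"):
            domain = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # separator, blank line, or prompt
        try:
            address = ipaddress.IPv4Address(parts[0])
        except ValueError:
            continue  # column header row
        members.append({"ip": str(address), "state": parts[1], "role": parts[2]})
    return domain, members


def audit(text):
    """Return (domain_name, findings) where findings is a list of strings."""
    domain, members = parse_status(text)
    findings = []
    seeds = [m["ip"] for m in members if m["role"] == "SEED"]
    if len(seeds) != 1:
        findings.append(f"expected exactly one seed, found {len(seeds)}")
    for member in members:
        if member["state"] != "STATE_UP":
            findings.append(f"{member['ip']} is {member['state']}")
    return domain, findings


if __name__ == "__main__":
    name, problems = audit(SAMPLE)
    print(name, problems)
```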
set mobility-domain member
On the seed WX switch, adds a member to the list of Mobility Domain members. If the current WX switch is not configured as a seed, this command is rejected.
Syntax — set mobility-domain member ip-addr
    ip-addr — IP address of the Mobility Domain member in dotted decimal notation.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command must be entered from the seed WX switch.
set mobility-domain mode member seed-ip
On a nonseed WX switch, sets the IP address of the seed WX switch. This command is used on a member WX to configure it as a member. If the WX switch is currently part of another Mobility Domain or using another seed, this command overwrites that configuration.
Syntax — set mobility-domain mode member seed-ip ip-addr
    ip-addr — IP address of the Mobility Domain member, in dotted decimal notation.
Defaults — None.
set mobility-domain mode seed domain-name
Creates a Mobility Domain by setting the current WX switch as the seed device and naming the Mobility Domain.
Syntax — set mobility-domain mode seed domain-name mob-domain-name
    mob-domain-name — Name of the Mobility Domain. Specify between 1 and 16 characters with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
9 MANAGED ACCESS POINT COMMANDS
Use MAP access point commands to configure and manage MAP access points. Be sure to do the following before using the commands:
    Define the country-specific IEEE 802.11 regulations on the WX switch. (See set system countrycode on page 54.)
    Install the MAP access point and connect it to a port on the WX switch.
    Configure a MAP access port (for a directly connected MAP) or a Distributed MAP. (See set port type ap on page 87 and set dap on page 77.
Table 50 Map Access Point Commands by Usage (continued)
Type / Command
    set {ap | dap} radio auto-tune max-power on page 317
    set {ap | dap} radio auto-tune max-retransmissions on page 318
    set {ap | dap} radio auto-tune min-client-rate on page 321
    set {ap | dap} radio mode on page 323
    set {ap | dap} radio radio-profile on page 324
    set dap auto radiotype on page 309
    set {ap | dap} upgrade-firmware on page 328
External Antenna
    set {ap | dap} radio antennatype on
Table 50 Map Access Point Commands by Usage (continued)
Type / Command
    set service-profile web-aaa-form on page 366
    set service-profile auth-psk on page 354
    set service-profile wpa-ie on page 370
    set service-profile rsn-ie on page 362
    set service-profile cipher-ccmp on page 356
    set service-profile cipher-tkip on page 357
    set service-profile cipher-wep104 on page 358
    set service-profile cipher-wep40 on page 359
    set service-profile psk-phrase on page 360
    set service-pro
Table 50 Map Access Point Commands by Usage (continued)
Type / Command
    display auto-tune neighbors on page 292
    display auto-tune attributes on page 290
MAP-WX security
    set dap fingerprint on page 312
    set dap security on page 326
Radio State
    set {ap | dap} radio mode on page 323
Dual Homing
    set {ap | dap} bias on page 310
Load Balancing
    set {ap | dap} group on page 313
    display {ap | dap} group on page 285
MAP set {ap | dap} name on page 315 Administratio
    radio 1 — Radio 1 of the MAP.
    radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.)
    radio all — All radios on the MAP.
Defaults — The clear ap radio command resets the radio to the default settings listed in Table 51 and in Table 66 on page 342.
Table 51 Radio-Specific Parameters
Parameter / Default Value
    channel: 802.11b — 6 802.
See Also
    set {ap | dap} radio mode on page 323
    set {ap | dap} radio radio-profile on page 324
    set port type ap on page 87

clear radio-profile
Removes a radio profile or resets one of the profile’s parameters to its default value.
Syntax — clear radio-profile name [parameter]
    name — Radio profile name.
Examples — The following commands disable the radios that are using radio profile rp1 and reset the beacon-interval parameter to its default value:
    WX4400# set radio-profile rp1 mode disable
    WX4400# clear radio-profile rp1 beacon-interval
    success: change accepted.
The following commands disable the radios that are using radio profile rptest and remove the profile:
    WX4400# set radio-profile rptest mode disable
    WX4400# clear radio-profile rptest
    success: change accepted.
    success: change accepted.
    WX4400# clear service-profile svcprof6
    success: change accepted.
See Also
    clear radio-profile on page 274
    set radio-profile mode on page 342

clear service-profile
Removes a service profile or resets one of the profile’s parameters to its default value.
Syntax — clear service-profile name
    name — Service profile name.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 3.0.
display {ap | dap} config
Displays global and radio-specific settings for a MAP access point.
Syntax — display ap config [port-list [radio {1 | 2}]]
Syntax — display dap config [dap-num [radio {1 | 2}]]
    port-list — List of ports connected to the MAP access point(s) for which to display configuration settings.
    dap-num — Number of a Distributed MAP for which to display configuration settings.
    radio 1 — Shows configuration information for radio 1.
Table 52 Output for display ap config
Field / Description
    Port — WX port number. Note: This field is applicable only if the MAP is directly connected to the WX switch and the WX switch’s port is configured as a MAP access port.
    DAP — Connection ID for the Distributed MAP. Note: This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP.
    Serial-Id — Serial ID of the MAP access point.
Table 52 Output for display ap config (continued)
Field / Description
    mode — Radio state: Enabled, Disabled
    channel — Channel number.
    antennatype — External antenna model, if applicable.
    tx pwr — Transmit power, in dBm.
    profile — Radio profile that manages the radio. Until you assign the radio to a radio profile, MSS assigns the radio to the default radio profile.
    auto-tune max-power — Maximum power level the RF Auto-Tuning feature can set on the radio.
    set {ap | dap} group on page 313
    set {ap | dap} name on page 315
    set {ap | dap} upgrade-firmware on page 328
    set {ap | dap} radio mode on page 323
    set {ap | dap} radio antennatype on page 315
    set {ap | dap} radio channel on page 320
    set {ap | dap} radio radio-profile on page 324
    set {ap | dap} radio tx-power on page 325

display {ap | dap} counters
Displays MAP access point and radio statistics counters.
    NumCntInPwrSave       4294966683   MultiPktDrop      0
    LastPktRxSigStrength  -54          MultiBytDrop      0
    LastPktSigNoiseRatio  40           User Sessions     5
    TKIP Pkt Transfer Ct  0            MIC Error Ct      0
    TKIP Pkt Replays      0            TKIP Decrypt Err  0
    CCMP Pkt Decrypt Err  0            CCMP Pkt Replays  0
    CCMP Pkt Transfer Ct  0            RadioResets       0
    TxUniPkt TxUniByte RxPkt TxMultiPkt TxMultiByte RxByte
    1.0: 164492 0 9631741 0 405041
    2.0: 603 0 248716 0 191103
    5.5: 370594 52742 27616521 4445625 2427
    11.
Table 53 Output for display ap counters (continued)
Field / Description
    MultiPktDrop — Number of multicast packets dropped by the radio.
    MultiBytDrop — Number of multicast bytes dropped by the radio.
    User Sessions — Number of users currently associated with the radio.
    MIC Error Ct — Number of times the radio received a TKIP-encrypted frame with an invalid MIC.
    TKIP Decrypt Err — Number of times a decryption error occurred with a packet encrypted with TKIP.
    port-list — List of ports connected to the MAP access point(s) for which to display QoS statistics counters.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
display {ap | dap} etherstats
Displays Ethernet statistics for a MAP’s Ethernet ports.
Syntax — display {ap | dap} etherstats [port-list | dap-num]
    port-list — List of WX switch ports directly connected to the MAPs for which to display counters.
    dap-num — Number of a Distributed MAP for which to display counters.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Table 55 Output of display ap etherstats (continued)
Field / Description
    RxShortFrames — Number of received frames that were shorter than the minimum frame length.
    RxCrcErrors — Number of received frames that were discarded due to CRC errors.
    RxOverruns — Number of frames known to be lost due to a temporary lack of hardware resources.
    RxDiscards — Number of frames known to be lost due to a temporary lack of software resources.
Examples — The following command displays information for MAP access point group loadbalance1:
    WX1200# display ap group loadbalance1
    Load Balance Grp  Port  Clients  Status     Refused
    ----------------  ----  -------  ---------  -------
    loadbalance1      1     1        Accepting  0
    loadbalance1      6     6        Refusing   2
Table 56 describes the fields in this display.
Table 56 Output for display ap group
Field / Description
    Load Balance Grp — Name of the MAP access point group.
    Port — WX port number.
display {ap | dap} status
Displays MAP access point and radio status information.
Syntax — display ap status [terse] [port-list | all [radio {1 | 2}]]
Syntax — display dap status [terse] [dap-num [radio {1 | 2}]]
    terse — Displays a brief line of essential status information for each MAP.
    port-list — List of ports connected to the MAP access point(s) for which to display status.
    dap-num — Number of a Distributed MAP for which to display status.
    id=0x28f10158a47f0408 ram=33554432 s/n=0332600444 hw_rev=A3
    Uptime: 21 hours, 27 minutes, 51 seconds
    Radio 1 type: 802.
Table 57 Output for display ap status (continued)
Field / Description
    AP model — MAP access point model number.
    manufacturer — Company that made the MAP access point.
    name — MAP access point name.
    Link — Status of this link with the MAP access point and the MAP port at the other end of the link. The status can be up or down.
    MAP port — MAP port number connected to this WX port.
Table 57 Output for display ap status (continued)
Field / Description
    CPU info — Specifications and identification of the CPU. For MAP models MAP-352, MAP-341, and MAP-52, the ID portion of this field is not applicable.
    Uptime — Amount of time since the MAP last rebooted using this link. Note: This field is displayed only when this link is the MAP access point’s primary link.
    Radio 1 type 802.

display auto-tune attributes
    radio 1 — Shows RF attribute information for radio 1.
    radio 2 — Shows RF attribute information for radio 2. (This option does not apply to single-radio models.)
    radio all — Shows RF attribute information for both radios.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
display auto-tune neighbors
    display radio-profile on page 298
    set {ap | dap} radio auto-tune max-power on page 317
    set {ap | dap} radio auto-tune max-retransmissions on page 318
    set radio-profile auto-tune channel-config on page 330
    set radio-profile auto-tune channel-holddown on page 331
    set radio-profile auto-tune channel-interval on page 332
    set radio-profile auto-tune power-backoff-timer on page 333
    set radio-profile auto-t
Usage — For simplicity, this command displays a single entry for each 3Com radio, even if the radio is supporting multiple BSSIDs. However, BSSIDs for third-party 802.11 radios are listed separately, even if a radio is supporting more than one BSSID. Information is displayed for a radio if the radio sends beacon frames or responds to probe requests.
    set radio-profile auto-tune channel-interval on page 332
    set radio-profile auto-tune power-backoff-timer on page 333
    set radio-profile auto-tune power-config on page 334
    set radio-profile auto-tune power-interval on page 335

display dap connection
Displays the system IP address of the WX switch that has the active data connection for a Distributed MAP.
The following command displays connection information specifically for a Distributed MAP with serial ID M9DE48B6EAD00:
    WX1200# display dap connection serial-id M9DE48B6EAD00
    Total number of entries: 1
    DAP  Serial Id      DAP IP Address  WX IP Address
    ---  -------------  --------------  -------------
    9    M9DE48B6EAD00  10.10.4.88      10.9.9.11
Table 60 describes the fields in this display.
Usage — To show information only for Distributed MAPs that have active connections, use the display dap connection command.
Examples — The following command displays configuration information for all Distributed MAPs configured on WX switches in the Mobility Domain:
    WX4400# display dap global
    Total number of entries: 8
    DAP  Serial Id      WX IP Address
    ---  -------------  -------------
    1    M9DE48B012F00  10.3.8.111
         M9DE48B012F00  10.4.3.2
    2    M9DE48B123400  10.3.8.
See Also
    display {ap | dap} config on page 277
    display dap connection on page 294
    display dap unconfigured on page 297
    set dap on page 77
    set {ap | dap} bias on page 310

display dap unconfigured
Displays Distributed MAPs that are physically connected to the network but that are not configured on any WX switches.
Syntax — display dap unconfigured
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Table 62 describes the fields in this display.
Table 62 Output for display dap unconfigured
Field / Description
    Serial Id — Serial ID of the Distributed MAP.
    Model — MAP model number.
    IP Address — IP address of the MAP. This is the address that the MAP receives from a DHCP server. The MAP uses this address to send a Find WX message to request configuration information from WX switches.
    WX4400# display radio-profile default
    Beacon Interval:        100    DTIM Interval:               1
    Max Tx Lifetime:        2000   Max Rx Lifetime:             2000
    RTS Threshold:          2346   Frag Threshold:              2346
    Short Retry Limit:      5      Long Retry Limit:            5
    Long Preamble:          NO     Allow 802.11g clients only:  NO
    Tune Channel:           no     Tune Power:                  no
    Tune Channel Interval:  3600   Tune Power Interval:         600
    Client Backoff Timer:   10     Channel Holddown:            300
    Service profiles: default-dot1x, default-clear
Table 63 describes the fields in this display.
Table 63 Output for display radio-profile (continued)
Field / Description
    Long Preamble — Indicates whether an 802.11b radio that uses this radio profile advertises support for frames with long preambles only:
        YES — Advertises support for long preambles only.
        NO — Advertises support for long and short preambles.
    Allow 802.11g clients only — Indicates whether the 802.11b/g radios in the radio profile restrict associations to 802.
Table 63 Output for display radio-profile (continued)
Field / Description
    Service profiles — Service profiles mapped to this radio profile. Each service profile contains an SSID and encryption information for that SSID. Note: When you upgrade from 2.x, MSS creates a default-dot1x service profile for encrypted SSIDs and a default-clear service profile for unencrypted SSIDs.
display service-profile
Displays service profile information.
Syntax — display service-profile {name | ?}
    name — Displays information about the named service profile.
    ? — Displays a list of service profiles.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Table 64 Output for display service-profile (continued)
Field / Description
    auth-fallthru — Secondary (fallthru) encryption type when a user tries to authenticate but the WX switch managing the radio does not have an authentication rule with a userglob that matches the username.
        last-resort — Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
    WEP Key 1 value
Table 64 Output for display service-profile (continued)
Field / Description
    WPA enabled — Indicates that the Wi-Fi Protected Access (WPA) information element (IE) is enabled. Additional fields display the settings of other WPA parameters:
        ciphers — Lists the WPA cipher suites advertised by radios in the radio profile mapped to this service profile.
        authentication — Lists the authentication methods supported for WPA clients: 802.
    set service-profile wep active-multicast-index on page 367
    set service-profile wep active-unicast-index on page 368
    set service-profile wep key-index on page 369
    set service-profile wpa-ie on page 370

reset {ap | dap}
Restarts a MAP access point.
Syntax — reset {ap port-list | dap dap-num}
    ap port-list — List of ports connected to the MAP access points to restart.
    dap dap-num — Number of a Distributed MAP to reset.
Defaults — None.
Access — Enabled.
set dap auto
Creates a template for automatic configuration of Distributed MAPs.
Syntax — set dap auto
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.0.
Usage — Table 65 lists the configurable template parameters and their defaults. The only parameter that requires configuration is the template mode. The template is disabled by default.
Table 65 Configurable Template Parameters for Distributed MAPs (continued)
Parameter / Default Value
    tx-pwr — Highest setting allowed for the country of operation
    radio-profile (profile) — default
    max-power — default
    min-client-rate — 5.5 for 802.11b/g; 24 for 802.11a
    max-retransmissions — 10
Examples — The following command creates a template for automatic Distributed MAP configuration:
    WX1200# set dap auto
    success: change accepted.
set dap auto mode
Enables a WX switch’s template for automatic Distributed MAP configuration.
Syntax — set dap auto mode {enable | disable}
    enable — Enables the MAP configuration template.
    disable — Disables the MAP configuration template.
Defaults — The MAP configuration template is disabled by default.
Access — Enabled.
History — Introduced in MSS 4.0.
Usage — You must use the set dap auto command to create the template before you can enable it.
set dap auto radiotype
Sets the radio type for single-MAP radios that use the MAP configuration template.
Syntax — set dap auto [radiotype {11a | 11b | 11g}]
    radiotype {11a | 11b | 11g} — Radio type:
        11a—802.11a
        11b—802.11b
        11g—802.11g
    This option applies only to single-radio models. The value 11g does not apply to model MAP-101.
Defaults — The default radio type for model MAP-101 is 802.11b.
set {ap | dap} bias
Changes the bias for a MAP. Bias is the priority of one WX switch over other WX switches for booting and configuring the MAP.
Syntax — set {ap port-list | dap (dap-num | auto)} bias {high | low}
    ap port-list — List of ports on which to change the bias for directly connected MAPs.
    dap dap-num — Number of a Distributed MAP for which to change the bias.
    dap auto — Configures bias for the MAP configuration template.
MAP selection of a WX switch is sticky. After a MAP selects a WX switch to boot from, the MAP continues to use that switch for its active data link even if another switch configured with high bias for the MAP becomes available.
Examples — The following command changes the bias for a Distributed MAP to low:
    WX4400# set dap 1 bias low
    success: change accepted.
Syntax — set {ap port-list | dap (dap-num | auto)} blink {enable | disable}
ap port-list — List of ports connected to the MAP access points on which to turn blink mode on or off.
dap dap-num — Number of a Distributed MAP on which to turn blink mode on or off.
dap auto — Configures blink mode for the MAP configuration template. (See set dap auto on page 306.)
enable — Enables blink mode.
disable — Disables blink mode.
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.0.
Usage — MAPs are configured with an encryption key pair at the factory. The fingerprint for the public key is displayed on a label on the back of the MAP, in the following format:

RSA aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa

If a MAP is already installed and operating, you can use the display dap status command to display the fingerprint.
dap dap-num — Number of a Distributed MAP to add to the group.
dap auto — Configures blink mode for the MAP configuration template. (See set dap auto on page 306.)
name — MAP access point group name of up to 16 alphanumeric characters, with no spaces.

Defaults — MAP access points are not grouped by default.
Access — Enabled.
History — Introduced in MSS Version 3.0. MSS Version 4.0 added auto option for configuration of the MAP configuration template.
set {ap | dap} name

Changes a MAP name.

Syntax — set {ap port-list | dap dap-num} name name
ap port-list — List of ports connected to the MAP access point to rename.
dap dap-num — Number of a Distributed MAP to rename.
name — Alphanumeric string of up to 16 characters, with no spaces.

Defaults — The default name of a directly attached MAP is based on the port number of the MAP access port attached to the MAP.
radio 1 — Radio 1 of the MAP.
radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models or to the AP8750.)
antennatype {ANT1060 | ANT1120 | ANT1180 | internal} — 802.11b/g external antenna models:
ANT1060 — 60° 802.11b/g antenna
ANT1120 — 120° 802.11b/g antenna
ANT1180 — 180° 802.11b/g antenna
internal — uses the internal antenna instead
antennatype {ANT5060 | ANT5120 | ANT5180 | internal} — 802.
Usage — This command applies only to MAP models that support external antennas. External 802.11b/g antennas are supported on MAP-372, MAP-341, MAP-352, and MAP-262. External 802.11a antennas are supported only on model MAP-372. External dual-mode antennas are supported on AP2750, AP3750, AP7250, AP8250 and AP8750.

Examples — The following command configures the 802.
Access — Enabled.
History — Introduced in MSS Version 3.0. MSS Version 4.0 added auto option for configuration of the MAP configuration template.

Examples — The following command sets the maximum power that RF Auto-Tuning can set on radio 1 on the MAP access point on port 6 to 12 dBm.

WX1200# set ap 6 radio 1 auto-tune max-power 12
success: change accepted.
Defaults — The default is 10 percent.
Access — Enabled.
History — Introduced in MSS Version 3.0. MSS Version 4.0 added auto option for configuration of the MAP configuration template.
Usage — A retransmission is a packet sent from a client to a MAP radio that the radio receives more than once. This can occur when the client does not receive an 802.11 acknowledgement for a packet sent to the radio.
A radio also can increase power, in 1 dBm increments, if a client falls below the minimum allowed data rate. After a radio increases power, all clients must be at the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile, before the radio begins reducing power again.
History — Introduced in MSS Version 3.0.
Usage — You can configure a radio’s transmit power on the same command line. Use the tx-power option. This command is not valid if dynamic channel tuning (RF Auto-Tuning) is enabled.

Examples — The following command configures the channel on the 802.11a radio on the MAP access point connected to port 5:

WX1200# set ap 5 radio 1 channel 36
success: change accepted.
rate — Minimum data rate, in megabits per second (Mbps). The valid values depend on the radio type:
For 802.11g radios — 54, 48, 36, 24, 18, 12, 11, 9, 6, 5.5, 2, or 1
For 802.11b radios — 11, 5.5, 2, or 1
For 802.11a radios — 54, 48, 36, 24, 18, 12, 9, or 6

Defaults — The default minimum data transmit rate depends on the radio type: The default minimum data rate for 802.11b/g and 802.11b radios is 5.5 Mbps.
set {ap | dap} radio mode

Enables or disables a radio on a MAP access point.

Syntax — set {ap port-list | dap {dap-num | auto}} radio {1 | 2} mode {enable | disable}
ap port-list — List of ports connected to the MAP access point(s) on which to turn a radio on or off.
dap dap-num — Number of a Distributed MAP on which to turn a radio on or off.
dap auto — Sets the radio mode for radios configured by the MAP configuration template.
See Also
clear {ap | dap} radio on page 272
display {ap | dap} config on page 277
set {ap | dap} radio radio-profile on page 324
set radio-profile mode on page 342

set {ap | dap} radio radio-profile

Assigns a radio profile to a MAP radio and enables or disables the radio.

Syntax — set {ap port-list | dap {dap-num | auto}} radio {1 | 2} radio-profile name mode {enable | disable}
ap port-list — List of ports.
Examples — The following command enables radio 1 on ports 3 through 6 assigned to radio profile rp1:

WX1200# set ap 3-6 radio 1 radio-profile rp1 mode enable
success: change accepted.

See Also
clear {ap | dap} radio on page 272
display radio-profile on page 298
set {ap | dap} radio mode on page 323
set radio-profile mode on page 342

set {ap | dap} radio tx-power

Sets a MAP radio’s transmit power.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You also can configure a radio’s channel on the same command line. Use the channel option. This command is not valid if dynamic power tuning (RF Auto-Tuning) is enabled.

Examples — The following command configures the transmit power on the 802.11a radio on the MAP access point connected to port 5:

WX1200# set ap 5 radio 1 tx-power 10
success: change accepted.
require — Require all Distributed MAPs to have encryption keys that have been verified in the CLI by an administrator. If a MAP does not have an encryption key or the key has not been verified, the WX does not establish a management session with the MAP.
optional — Allows MAPs to be managed by the switch even if they do not have encryption keys or their keys have not been verified by an administrator. Encryption is used for MAPs that support it.
set {ap | dap} upgrade-firmware

Disables or reenables automatic upgrade of a MAP access point’s boot firmware.

Syntax — set {ap port-list | dap {dap-num | auto}} upgrade-firmware {enable | disable}
ap port-list — List of ports connected to the MAP access point(s) on which to allow automatic firmware upgrades.
dap dap-num — Number of a Distributed MAP on which to allow automatic firmware upgrades.
set radio-profile 11g-only

Configures each 802.11b/g radio in a radio profile to allow associations with 802.11g clients only.

Syntax — set radio-profile name 11g-only {enable | disable}
name — Radio profile name.
enable — Configures radios to allow associations with 802.11g clients only.
disable — Configures radios to allow associations with 802.11g clients and 802.11b clients.

Defaults — The default setting is disable. 3Com 802.
set radio-profile active-scan

Disables or reenables active RF detection scanning on the MAP radios managed by a radio profile. When active scanning is enabled, MAP radios look for rogue devices by sending probe any requests (probe requests with a null SSID name), to solicit probe responses from other access points. Passive scanning is always enabled and cannot be disabled.
enable — Configures radios to dynamically select their channels when the radios are started.
disable — Configures radios to use their statically assigned channels, or the default channels if unassigned, when the radios are started.

Defaults — Dynamic channel assignment is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
holddown — Minimum number of seconds a radio must remain on its current channel setting before RF Auto-Tuning is allowed to change the channel. You can specify from 0 to 65535 seconds.

Defaults — The default RF Auto-Tuning channel holddown is 900 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The channel holddown applies even if RF anomalies occur that normally cause an immediate channel change.
Usage — 3Com recommends that you use an interval of at least 300 seconds (5 minutes). RF Auto-Tuning can change a radio’s channel before the channel interval expires in response to RF anomalies. Even in this case, channel changes cannot occur more frequently than the channel holddown interval. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals.
A radio can increase power again if required to preserve the minimum data rate for an associated client.

Examples — The following command changes the power-backoff interval for radios in radio profile rp2 to 15 seconds:

WX4400# set radio-profile rp2 auto-tune power-backoff-timer 15
success: change accepted.
Examples — The following command enables dynamic power tuning for radios in the rp2 radio profile:

WX4400# set radio-profile rp2 auto-tune power-config enable
success: change accepted.
Examples — The following command sets the power interval for radios in radio profile rp2 to 240 seconds:

WX4400# set radio-profile rp2 auto-tune power-interval 240
success: change accepted.
set radio-profile countermeasures

CAUTION: Countermeasures affect wireless service on a radio. When a MAP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures.

Enables or disables countermeasures on the MAP radios managed by a radio profile. Countermeasures are packets sent by a radio to prevent clients from being able to use rogue access points.
set radio-profile dtim-interval

Changes the number of times after every beacon that each MAP radio in a radio profile sends a delivery traffic indication map (DTIM). A MAP access point sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.
set radio-profile frag-threshold

Changes the fragmentation threshold for the MAP radios in a radio profile. The fragmentation threshold specifies the maximum length a frame is allowed to be without being broken into multiple frames before transmission.

Syntax — set radio-profile name frag-threshold threshold
name — Radio profile name.
threshold — Maximum frame length, in bytes. You can enter a value from 256 through 2346.
threshold — Number of times the radio can send the same long unicast frame. You can enter a value from 1 through 15.

Defaults — The default long unicast retry threshold for MAP radios is 5 attempts.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.
Usage — You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples — The following command changes the maximum receive threshold for radio profile rp1 to 4000 ms:

WX4400# set radio-profile rp1 max-rx-lifetime 4000
success: change accepted.
See Also
display radio-profile on page 298
set radio-profile mode on page 342
set radio-profile max-rx-lifetime on page 340

set radio-profile mode

Creates a new radio profile, or disables or reenables all MAP radios that are using a specific profile.

Syntax — set radio-profile name [mode {enable | disable}]
radio-profile name — Radio profile name of up to 16 alphanumeric characters, with no spaces.
Table 66 Defaults for Radio Profile Parameters (continued)

Parameter        Default Value   Radio Behavior When Parameter Set to Default Value
dtim-interval    1               Sends the delivery traffic indication map (DTIM) after every beacon.
frag-threshold   2346            Transmits frames up to 2346 bytes long without fragmentation.
long-retry       5               Sends a long unicast frame up to five times without acknowledgment.
To change a parameter in a radio profile, you must first disable all the radios in the profile. After you complete the change, you can reenable the radios. To enable or disable specific radios without disabling all of them, use the set ap radio command.

Examples — The following command configures a new radio profile named rp1:

WX4400# set radio-profile rp1
success: change accepted.
set radio-profile preamble-length

Changes the preamble length for which an 802.11b/g MAP radio advertises support. This command does not apply to 802.11a.

Syntax — set radio-profile name preamble-length {long | short}
name — Radio profile name.
long — Advertises support for long preambles.
short — Advertises support for short preambles.

Defaults — The default is short.
Access — Enabled.
History — Introduced in MSS Version 3.0.
set radio-profile rts-threshold

Changes the RTS threshold for the MAP radios in a radio profile. The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.

Syntax — set radio-profile name rts-threshold threshold
name — Radio profile name.
service-profile name — Service profile name of up to 16 alphanumeric characters, with no spaces.

Defaults — A radio profile does not have a service profile associated with it by default. In this case, the radios in the radio profile use the default settings for parameters controlled by the service profile. Table 67 lists the parameters controlled by a service profile and their default values.
Table 67 Defaults for Service Profile Parameters (continued)

Parameter   Default Value              Radio Behavior When Parameter Set to Default Value
psk-raw     No preshared key defined   Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
rsn-ie      disable                    Does not use the RSN IE in transmitted frames. (The RSN IE is required for 802.11i. RSN is sometimes called WPA2.
You must disable all radios that use a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

Examples — The following command maps service-profile wpa_clients to radio profile rp2:

WX4400# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
set radio-profile short-retry

Changes the short retry threshold for the MAP radios in a radio profile. The short retry threshold specifies the number of times a radio can send a short unicast frame without receiving an acknowledgment.

Syntax — set radio-profile name short-retry threshold
name — Radio profile name.
threshold — Number of times the radio can send the same short unicast frame. You can enter a value from 1 through 15.
Defaults — WMM is enabled by default.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — When WMM is disabled, MAP forwarding prioritization is optimized for SpectraLink Voice Priority (SVP) instead of WMM, and the MAP does not tag packets it sends to the WX. Otherwise, classification and tagging remain in effect. (For information, see the “Wi-Fi Multimedia” chapter of the Wireless LAN Switch and Controller Configuration Guide.
Defaults — When the WPA IE is enabled, 802.1X authentication of WPA clients is enabled by default. If the WPA IE is disabled, the auth-dot1x setting has no effect.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command does not disable dynamic WEP for non-WPA clients.
The fallthru method is a service profile parameter, and applies to all radios within the radio profiles that are mapped to the service profile.

Syntax — set service-profile name auth-fallthru {last-resort | none | web-portal}
last-resort — Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
none — Denies authentication and prohibits the user from accessing the SSID.
The web-portal authentication type requires additional configuration items. (See the “Configuring AAA for Network Users” chapter of the Wireless LAN Switch and Controller Configuration Guide.)

Examples — The following command sets the fallthru authentication for SSIDs managed by the service profile rnd_lab to none:

WX4400# set service-profile rnd_lab auth-fallthru none
success: change accepted.
The WebAAA fallthru authentication type is not supported in conjunction with WPA encryption using preshared keys (PSK) for the same SSID. These options are configurable together but are not compatible. WebAAA traffic is not encrypted, whereas the PSK four-way handshake requires a client to already be authenticated and for encryption to be in place.
History — Introduced in MSS Version 3.0.

Examples — The following command disables beaconing of the SSID managed by service profile sp2:

WX4400# set service-profile sp2 beacon disable
success: change accepted.
set service-profile cipher-wep40 on page 359
set service-profile wpa-ie on page 370

set service-profile cipher-tkip

Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile.

Syntax — set service-profile name cipher-tkip {enable | disable}
name — Service profile name.
enable — Enables TKIP encryption for WPA clients.
disable — Disables TKIP encryption for WPA clients.
set service-profile cipher-wep104

Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile.

Syntax — set service-profile name cipher-wep104 {enable | disable}
name — Service profile name.
enable — Enables 104-bit WEP encryption for WPA clients.
disable — Disables 104-bit WEP encryption for WPA clients.

Defaults — 104-bit WEP encryption is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
set service-profile cipher-ccmp on page 356
set service-profile cipher-tkip on page 357
set service-profile cipher-wep40 on page 359
set service-profile wep key-index on page 369
set service-profile wpa-ie on page 370

set service-profile cipher-wep40

Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.

Syntax — set service-profile name cipher-wep40 {enable | disable}
name — Service profile name.
Examples — The following command configures service profile sp2 to use 40-bit WEP encryption:

WX4400# set service-profile sp2 cipher-wep40 enable
success: change accepted.
Examples — The following command configures service profile sp3 to use passphrase “1234567890123<>?=+&% The quick brown fox jumps over the lazy sl”:

WX4400# set service-profile sp3 psk-phrase "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"
success: change accepted.
Examples — The following command configures service profile sp3 to use a raw PSK with PSK clients:

WX4400# set service-profile sp3 psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
set service-profile shared-key-auth

Enables shared-key authentication, in a service profile. Use this command only if advised to do so by 3Com. This command does not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To enable PSK encryption for WPA, use the set service-profile auth-psk command.

Syntax — set service-profile name shared-key-auth {enable | disable}
name — Service profile name.
Access — Enabled.
History — Introduced in MSS Version 3.0. Support added for blank spaces in the SSID name in Version 4.0.

Examples — The following command applies the name guest to the SSID managed by service profile clear_wlan:

WX4400# set service-profile clear_wlan ssid-name guest
success: change accepted.
See Also
set service-profile ssid-name on page 363

set service-profile tkip-mc-time

Changes the length of time that MAP radios use countermeasures if two message integrity code (MIC) failures occur within 60 seconds. When countermeasures are in effect, MAP radios dissociate all TKIP and WPA WEP clients and refuse all association and reassociation requests until the countermeasures end.
set service-profile web-aaa-form

Specifies a custom login page to serve to WebAAA users who request the SSID managed by the service profile.

Syntax — set service-profile name web-aaa-form url
name — Service profile name.
url — WX subdirectory name and HTML page name of the login page. Specify the full path. For example, corpa-ssid/corpa.html.

Defaults — The 3Com Web login page is served by default.
Access — Enabled.
Total: 1839 bytes used, 206577 Kbytes free
WX4400# set service-profile corpa-service web-aaa-form corpa-ssid/corpa-login.html
success: change accepted.
See Also
set service-profile wep active-unicast-index on page 368
set service-profile wep key-index on page 369

set service-profile wep active-unicast-index

Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames.

Syntax — set service-profile name wep active-unicast-index num
name — Service profile name.
num — WEP key number. You can enter a value from 1 through 4.
set service-profile wep key-index

Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP encryption.

Syntax — set service-profile name wep key-index num key value
name — Service profile name.
key-index num — WEP key index. You can enter a value from 1 through 4.
key value — Hexadecimal value of the key.
set service-profile wpa-ie

Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile.

Syntax — set service-profile name wpa-ie {enable | disable}
name — Service profile name.
enable — Enables the WPA IE.
disable — Disables the WPA IE.

Defaults — The WPA IE is disabled by default.
Access — Enabled.
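Several settings documented in this chapter weaken or conflict with each other (set dap security optional, auth-fallthru last-resort, WebAAA fallthru on an SSID that also has a preshared key, dynamic or static WEP, shared-key authentication), and a saved configuration can be checked for them mechanically. The Python sketch below is an added example, not 3Com code; the sample configuration and profile names are constructed, and it assumes that a configured psk-phrase or psk-raw means PSK is in use for that SSID.

```python
import shlex

# Constructed sample configuration; profile names and key values are made up.
SAMPLE_CONFIG = """
set dap security optional
set service-profile guest ssid-name guest
set service-profile guest auth-fallthru last-resort
set service-profile legacy cipher-wep40 enable
set service-profile legacy wep key-index 1 key aabbccddee
set service-profile legacy shared-key-auth enable
set service-profile corp wpa-ie enable
set service-profile corp cipher-tkip enable
set service-profile corp auth-fallthru none
set service-profile portal wpa-ie enable
set service-profile portal psk-phrase "constructed example passphrase"
set service-profile portal auth-fallthru web-portal
"""

# Rule id -> explanation. The wording paraphrases the command reference;
# treating WEP as a finding is this example's judgement, not the manual's.
RULES = {
    "dap-security-not-required":
        "Distributed MAPs are managed even if their keys are missing or unverified",
    "fallthru-last-resort":
        "users reach the SSID without a username and password",
    "webaaa-with-psk":
        "WebAAA fallthru and WPA PSK are configurable together but not compatible",
    "dynamic-wep": "dynamic WEP cipher (40-bit or 104-bit) is enabled",
    "static-wep-key": "a static WEP key is configured",
    "shared-key-auth":
        "shared-key authentication is enabled (use only if advised by 3Com)",
}


def parse_config(text):
    """Return (dap_security, {profile: {param: [args]}}); later lines win."""
    dap_security = None
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept lines pasted with a CLI prompt such as "WX4400# set ...".
        if not line.startswith("set ") and "# " in line:
            line = line.split("# ", 1)[1]
        tok = shlex.split(line)  # keeps a quoted passphrase as one token
        if tok[:3] == ["set", "dap", "security"] and len(tok) == 4:
            dap_security = tok[3]
        elif tok[:2] == ["set", "service-profile"] and len(tok) >= 4:
            name, param, args = tok[2], tok[3], tok[4:]
            if param == "wep" and args:  # e.g. "wep key-index 1 key <hex>"
                param, args = "wep " + args[0], args[1:]
            profiles.setdefault(name, {})[param] = args
    return dap_security, profiles


def _first(settings, param):
    """First argument of a parameter, or None if absent or given no value."""
    args = settings.get(param) or [None]
    return args[0]


def audit(text):
    """Return a list of (scope, rule_id) findings for the configuration text."""
    dap_security, profiles = parse_config(text)
    findings = []
    # Only an explicit non-"require" value is reported; an absent line is not.
    if dap_security not in (None, "require"):
        findings.append(("dap", "dap-security-not-required"))
    for name in sorted(profiles):
        s = profiles[name]
        fallthru = _first(s, "auth-fallthru")
        if fallthru == "last-resort":
            findings.append((name, "fallthru-last-resort"))
        if fallthru == "web-portal" and ("psk-phrase" in s or "psk-raw" in s):
            findings.append((name, "webaaa-with-psk"))
        if any(_first(s, c) == "enable" for c in ("cipher-wep40", "cipher-wep104")):
            findings.append((name, "dynamic-wep"))
        if "wep key-index" in s:
            findings.append((name, "static-wep-key"))
        if _first(s, "shared-key-auth") == "enable":
            findings.append((name, "shared-key-auth"))
    return findings


if __name__ == "__main__":
    for scope, rule in audit(SAMPLE_CONFIG):
        print(f"{scope}: {rule}: {RULES[rule]}")
```

Because later lines override earlier ones, appending a corrected command to the input clears the corresponding finding, which mirrors how the CLI applies changes in order.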
10 STP COMMANDS

Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a wireless LAN switch or controller, to maintain a loop-free network.

STP Commands by Usage

This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Table 68 STP Commands by Usage (continued)

Type                      Command
Fast Convergence, cont.   set spantree backbonefast on page 389
                          display spantree backbonefast on page 378
                          set spantree uplinkfast on page 397
                          display spantree uplinkfast on page 387
Statistics                display spantree statistics on page 381
                          clear spantree statistics on page 375

clear spantree portcost

Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WX switch.
clear spantree portpri

Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on a wireless LAN switch or controller.

Syntax — clear spantree portpri port-list
port-list — List of ports. The port priority is reset to 32 (the default) on the specified ports.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command resets the priority in all VLANs.
vlan vlan-id — VLAN name or number. MSS resets the cost for only the specified VLAN.

Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — MSS does not change a port’s cost for VLANs other than the one(s) you specify.

Examples — The following command resets the STP cost for port 2 in VLAN sunflower:

WX4400# clear spantree portvlancost 2 vlan sunflower
success: change accepted.
History — Introduced in MSS Version 3.0.
Usage — MSS does not change a port’s priority for VLANs other than the one(s) you specify.

Examples — The following command resets the STP priority for port 2 in VLAN avocado:

WX4400# clear spantree portvlanpri 2 vlan avocado
success: change accepted.
display spantree

Displays STP configuration and port-state information.

Syntax — display spantree [port-list | vlan vlan-id] [active]
port-list — List of ports. If you do not specify any ports, MSS displays STP information for all ports.
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays STP information for all VLANs.
active — Displays information for only the active (forwarding) ports.

Defaults — None.
Access — All.
7    1    Disabled    19    128    Disabled
8    1    Disabled    19    128    Disabled

Table 69 describes the fields in this display.

Table 69 Output for display spantree

Field                   Description
VLAN                    VLAN number.
Spanning tree mode      In the current software version, the mode is always PVST+, which means Per VLAN Spanning Tree+.
Spanning tree type      In the current software version, the type is always IEEE, which means MSS STP is 802.1D-compatible.
Spanning tree enabled   State of STP on the VLAN.
Table 69 Output for display spantree (continued)

Field        Description
Port-State   STP state of the port:
             Blocking — The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
             Disabled — The port is not forwarding any traffic, including STP control traffic. The port might be administratively disabled or the link might be disconnected.
             Forwarding — The port is forwarding Layer 2 traffic.
Examples — The following example shows the command output on a WX switch with backbone fast convergence enabled:

WX4400# display spantree backbonefast
Backbonefast is enabled

See Also
set spantree backbonefast on page 389

display spantree blockedports

Lists information about wireless LAN switch ports that STP has blocked on one or all of its VLANs.

Syntax — display spantree blockedports [vlan vlan-id]
vlan vlan-id — VLAN name or number.
display spantree portfast

Displays STP uplink fast convergence information for all network ports or for one or more network ports.

Syntax — display spantree portfast [port-list]
port-list — List of ports. If you do not specify any ports, MSS displays uplink fast convergence information for all ports.

Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
display spantree portvlancost

Shows the cost of a port on a path to the STP root bridge, for each of the port’s VLANs.

Syntax — display spantree portvlancost port-list
port-list — List of ports.

Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Usage — The command displays statistics separately for each port.
display spantree statistics

topology change timer value            0
hold timer                             INACTIVE
hold timer value                       0
delay root port timer                  INACTIVE
delay root port timer value            0
delay root port timer restarted is     FALSE

VLAN based information & statistics
spanning tree type
spanning tree multicast address
bridge priority
bridge MAC address
bridge hello time
bridge forward delay
topology change initiator:
last topology change occured:
topology change
topology change time
topology change detected
topology change count
topology
Table 71 Output for display spantree statistics

Field                            Description
Port                             Port number.
VLAN                             VLAN ID.
Spanning Tree enabled for vlan   State of the STP feature on the VLAN.
port spanning tree               State of the STP feature on the port.
state                            STP state of the port:
                                 Blocking — The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
                                 Disabled — The port is not forwarding any traffic, including STP control traffic.
Table 71 Output for display spantree statistics (continued)

Field                   Description
config_pending          Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port.
port_inconsistency      Indicates whether the port is in an inconsistent state.
config BPDU’s xmitted   Number of BPDUs transmitted from the port. A number in parentheses indicates the number of configured BPDUs transmitted by the WX switch for this VLAN’s spanning tree.
Table 71 Output for display spantree statistics (continued)

Field                   Description
hold timer              Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port.
hold timer value        Current value of the hold timer, in seconds.
delay root port timer   Status of the delay root port timer, which enables fast convergence when uplink fast convergence is enabled.
Table 71 Output for display spantree statistics (continued)

Field                        Description
dynamic max age transition   Number of times the maximum age parameter was changed dynamically.
port BPDU ok count           Number of valid port BPDUs received.
msg age expiry count         Number of expired messages.
link loading                 Indicates whether the link is oversubscribed.
BPDU in processing           Indicates whether BPDUs are currently being processed.
Examples — The following command shows uplink fast convergence information for all VLANs:

WX4400# display spantree uplinkfast
VLAN    port list
-----------------------------------------------------------------------
1       1(fwd),2,3

Table 72 describes the fields in this display.

Table 72 Output for display spantree uplinkfast

Field       Description
VLAN        VLAN number.
port list   Ports in the uplink group. The port that is forwarding traffic is indicated by fwd.
Examples — The following command enables STP on all VLANs configured on a WX switch:
WX4400# set spantree enable
success: change accepted.
The following command disables STP on VLAN burgundy:
WX4400# set spantree disable vlan burgundy
success: change accepted.
See Also
display spantree on page 376

set spantree backbonefast
Enables or disables STP backbone fast convergence on a wireless LAN switch.
See Also
display spantree backbonefast on page 378

set spantree fwddelay
Changes the period of time after a topology change that a WX switch which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of its configured VLANs. (The root bridge always forwards traffic.)
Syntax — set spantree fwddelay delay {all | vlan vlan-id}
delay — Delay value. You can specify from 4 through 30 seconds.
all — Changes the forwarding delay on all VLANs.
vlan vlan-id — VLAN name or number. MSS changes the interval on only the specified VLAN.
Defaults — The default hello timer interval is 2 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command changes the hello interval for all VLANs to 4 seconds:
WX4400# set spantree hello 4 all
success: change accepted.
Examples — The following command changes the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds:
WX4400# set spantree maxage 15 all
success: change accepted.
See Also
display spantree on page 376

set spantree portcost
Changes the cost that transmission through a network port or ports in the default VLAN on a wireless LAN switch adds to the total cost of a path to the STP root bridge.
Usage — This command applies only to the default VLAN (VLAN 1). To change the cost of a port in another VLAN, use the set spantree portvlancost command.
Examples — The following command changes the cost on ports 3 and 4 to 20:
WX1200# set spantree portcost 3,4 cost 20
success: change accepted.
See Also
display spantree portfast on page 380

set spantree portpri
Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on a wireless LAN switch.
Syntax — set spantree portpri port-list priority value
port-list — List of ports. MSS changes the priority on the specified ports.
priority value — Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority).
set spantree portvlancost
Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a wireless LAN switch.
Syntax — set spantree portvlancost port-list cost cost {all | vlan vlan-id}
port-list — List of ports. MSS applies the cost change to all the specified ports.
cost cost — Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
set spantree portvlanpri
Changes the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs.
Syntax — set spantree portvlanpri port-list priority value {all | vlan vlan-id}
port-list — List of ports. MSS changes the priority on the specified ports.
priority value — Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority).
all — Changes the priority on all VLANs.
set spantree priority
Changes the STP root bridge priority of a wireless LAN switch on one or all of its VLANs.
Syntax — set spantree priority value {all | vlan vlan-id}
priority value — Priority value. You can specify a value from 0 through 65,535. The bridge with the lowest priority value is elected to be the root bridge for the spanning tree.
all — Changes the bridge priority on all VLANs.
vlan vlan-id — VLAN name or number.
History — Introduced in MSS Version 3.0.
Usage — The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WX switches that are in the network core.
Examples — The following command enables uplink fast convergence:
WX4400# set spantree uplinkfast enable
success: change accepted.
11 IGMP SNOOPING COMMANDS
Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a WX.
Commands by usage
This chapter presents IGMP snooping commands alphabetically. Use Table 74 to locate commands in this chapter based on their use.
clear igmp statistics
Clears IGMP statistics counters on one VLAN or all VLANs on a wireless LAN switch and resets them to 0.
Syntax — clear igmp statistics [vlan vlan-id]
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
display igmp router information:
Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
---- --------------- ----------------- ----- ----
1    192.28.7.5      00:01:02:03:04:05 dvmrp 17
Group           Port Receiver-IP     Receiver-MAC      TTL
--------------- ---- --------------- ----------------- ----
224.0.0.2       none none            none              undef
237.255.255.255 5    10.10.10.11     00:02:04:06:08:0b 258
237.255.255.255 5    10.10.10.13     00:02:04:06:08:0d 258
237.255.255.255 5    10.10.10.14     00:02:04:06:08:0e 258
237.255.255.255 5    10.10.10.12     00:02:04:06:08:0c 258
237.255.
Table 75 Output for display igmp
Field                       Description
VLAN                        VLAN name. MSS displays information separately for each VLAN.
IGMP is enabled (disabled)  IGMP state.
Proxy reporting             Proxy reporting state.
Mrouter solicitation        Multicast router solicitation state.
Querier functionality       Pseudo-querier state.
Configuration values (qi)   Query interval.
Configuration values (oqi)  Other-querier-present interval.
Configuration values (qri)  Query response interval.
Table 75 Output for display igmp (continued)
Field  Description
TTL    Number of seconds before this entry ages out if not refreshed. For static multicast router entries, the time-to-live (TTL) value is undef. Static multicast router entries do not age out.
Group  IP address of a multicast group. The display igmp receiver-table command shows the same information as these receiver fields.
Port   Physical port through which the WX can reach the group’s receiver.
Table 75 Output for display igmp (continued)
Field                       Description
VLAN                        VLAN name. MSS displays information separately for each VLAN.
IGMP is enabled (disabled)  IGMP state.
See Also
display igmp mrouter on page 404
display igmp querier on page 405
display igmp receiver-table on page 407
display igmp statistics on page 409

display igmp mrouter
Displays the multicast routers in a WX’s subnet, on one VLAN or all VLANs.
Table 76 Output for display igmp mrouter
Field                       Description
Multicast routers for vlan  VLAN containing the multicast routers. Ports are listed separately for each VLAN.
Port                        Number of the physical port through which the WX can reach the router.
Mrouter-IPaddr              IP address of the multicast router.
Mrouter-MAC                 MAC address of the multicast router.
History — Introduced in MSS Version 3.0.
Examples — The following command displays querier information for VLAN orange:
WX1200# display igmp querier vlan orange
Querier for vlan orange
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- ----
1    193.122.135.
See Also
set igmp querier on page 419

display igmp receiver-table
Displays the receivers to which a WX forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask.
Syntax — display igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays the multicast receivers on all VLANs.
The following command lists all receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs:
WX1200# display igmp receiver-table group 237.255.255.0/24
VLAN: red
Session         Port Receiver-IP     Receiver-MAC      TTL
--------------- ---- --------------- ----------------- ----
237.255.255.2   2    10.10.20.19     00:02:04:06:09:0d 112
237.255.255.119 3    10.10.30.
display igmp statistics
Shows IGMP statistics.
Syntax — display igmp statistics [vlan vlan-id]
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, MSS displays IGMP statistics for all VLANs.
Defaults — None.
Access — All.
History — Introduced in MSS Version 3.0.
Table 79 Output of display igmp statistics
Field                     Description
IGMP statistics for vlan  VLAN name. Statistics are listed separately for each VLAN.
IGMP message type         Type of IGMP message:
                          General-Queries — General group membership queries sent by the multicast querier (multicast router or pseudo-querier).
                          GS-Queries — Group-specific queries sent by the multicast querier to determine whether there are receivers for a specific group.
Table 79 Output of display igmp statistics (continued)
Field                           Description
Topology notifications          Number of Layer 2 topology change notifications received by the WX. In the current software version, the value in this field is always 0.
Packets with unknown IGMP type  Number of multicast packets received with an unrecognized multicast type.
Packets with bad length         Number of packets with an invalid length.
set igmp lmqi
Changes the IGMP last member query interval timer on one VLAN or all VLANs on a wireless LAN switch.
Syntax — set igmp lmqi tenth-seconds [vlan vlan-id]
lmqi tenth-seconds — Amount of time (in tenths of a second) that the WX waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group.
set igmp mrouter
Adds or removes a port in a WX’s list of ports on which it forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out.
Syntax — set igmp mrouter port port-list {enable | disable}
port port-list — Port list. MSS adds or removes the specified ports in the list of static multicast router ports.
enable — Adds the port to the list of static multicast router ports.
set igmp mrsol
Enables or disables multicast router solicitation by a WX.
Syntax — set igmp mrsol {enable | disable} [vlan vlan-id]
enable — Enables multicast router solicitation.
disable — Disables multicast router solicitation.
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.
Defaults — Multicast router solicitation is disabled on all VLANs by default.
Access — Enabled.
Usage — You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
Examples — The following example changes the multicast router solicitation interval to 60 seconds:
WX1200# set igmp mrsol mrsi 60
success: change accepted.
See Also
set igmp mrsol on page 414.

set igmp oqi
See Also
set igmp lmqi on page 412
set igmp qi on page 417
set igmp qri on page 418
set igmp querier on page 419
set igmp mrouter on page 413
set igmp rv on page 420

set igmp proxy-report
Disables or reenables proxy reporting by a WX on one VLAN or all VLANs.
Syntax — set igmp proxy-report {enable | disable}
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs.
set igmp qi
Changes the IGMP query interval timer on one VLAN or all VLANs on a WX.
Syntax — set igmp qi seconds [vlan vlan-id]
qi seconds — Number of seconds that elapse between general queries sent by the WX when the WX switch is the querier for the subnet. You can specify a value from 1 through 65,535.
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults — The default query interval is 125 seconds.
Access — Enabled.
set igmp qri
Changes the IGMP query response interval timer on one VLAN or all VLANs on a WX.
Syntax — set igmp qri tenth-seconds [vlan vlan-id]
qri tenth-seconds — Amount of time (in tenths of a second) that the WX waits for a receiver to respond to a group-specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535.
vlan vlan-id — VLAN name or number.
set igmp querier
Enables or disables the IGMP pseudo-querier on a WX, on one VLAN or all VLANs.
Syntax — set igmp querier {enable | disable} [vlan vlan-id]
enable — Enables the pseudo-querier.
disable — Disables the pseudo-querier.
vlan vlan-id — VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.
Defaults — The pseudo-querier is disabled on all VLANs by default.
Access — Enabled.
Defaults — By default, no ports are static multicast receiver ports.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You cannot add MAP access ports or wired authentication ports as static multicast ports. However, MSS can dynamically add these port types to the list of multicast ports based on multicast traffic.
See Also
set igmp oqi on page 415
set igmp qi on page 417
set igmp qri on page 418
12 SECURITY ACL COMMANDS
Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering.
(Security ACLs are different from the location policy on a WX switch, which helps you locally control user access. For location policy commands, see “AAA Commands” on page 199.
clear security acl
Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration.
Syntax — clear security acl {acl-name | all} [editbuffer-index]
acl-name — Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
all — Clears all security ACLs.
WX4400# display security acl info all
ACL information for all
set security acl ip acl_133 (hits #1 0)
--------------------------------------------------------
1. deny IP source IP 192.168.1.6 0.0.0.0 destination IP any
set security acl ip acl_134 (hits #3 0)
--------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.
Syntax — clear security acl map {acl-name | all} {vlan vlan-id | port port-list [tag tag-value] | dap dap-num} {in | out}
acl-name — Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
all — Removes security ACL mapping from all physical ports, virtual ports, and VLANs on a WX switch.
vlan vlan-id — VLAN name or number. MSS removes the security ACL from the specified VLAN.
port port-list — Port list.
To clear all physical ports, virtual ports, and VLANs on a WX switch of the ACLs mapped for incoming and outgoing traffic, type the following command:
WX4400# clear security acl map all
success: change accepted.
Examples — The following commands commit all the security ACLs in the edit buffer to the configuration, display a summary of the committed ACLs, and show that the edit buffer has been cleared:
WX4400# commit security acl all
configuration accepted
WX4400# display security acl
ACL table
ACL                     Type Class  Mapping
----------------------- ---- ------ ------
acl_123                 IP   Static
acl_124                 IP   Static
WX4400# display security acl info all editbuffer
acl editbuffer information for all
The IP precedence and ToS fields use 7 bits, while the DSCP field uses only 6 bits. Following the DSCP field is a 2-bit ECN field that can be set by other devices based on network congestion. If you are filtering based on DSCP value, you need two ACEs to ensure that the ACL matches regardless of the value of the seventh bit. Use the first ACE to match on the precedence and ToS values corresponding to the DSCP value.
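The two-ACE rule above, worked through as an added example (not part of the 3Com guide). It assumes the standard IPv4 ToS byte layout (3-bit precedence, 4-bit ToS, 1 unused bit), that the "seventh bit" is the low-order ToS bit, and that an ACE matches its precedence and tos values exactly; the function names are hypothetical.

```python
"""Added example: the precedence/tos pairs needed to match one DSCP value."""


def dscp_to_ace_fields(dscp):
    """Return the two (precedence, tos) pairs that together cover a DSCP value.

    Assumption: standard IPv4 ToS byte layout. DSCP occupies the top 6 bits,
    so the 7th bit (the low-order ToS bit) is the first ECN bit and can be
    0 or 1 for the same DSCP value.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0 through 63")
    precedence = dscp >> 3           # top 3 DSCP bits
    tos_high = (dscp & 0b111) << 1   # low 3 DSCP bits are the top 3 ToS bits
    return [(precedence, tos_high), (precedence, tos_high | 1)]


def ace_options(dscp):
    """Render each pair as the [precedence precedence] [tos tos] option text."""
    return ["precedence %d tos %d" % pair for pair in dscp_to_ace_fields(dscp)]


def ace_matches(pair, tos_byte):
    """Model an exact match of one ACE's precedence and tos on a ToS byte."""
    precedence, tos = pair
    return (tos_byte >> 5) == precedence and ((tos_byte >> 1) & 0xF) == tos


def coverage(dscp, pairs):
    """Return the ECN values (0-3) for which at least one ACE matches."""
    covered = []
    for ecn in range(4):
        tos_byte = (dscp << 2) | ecn   # DSCP followed by the 2-bit ECN field
        if any(ace_matches(pair, tos_byte) for pair in pairs):
            covered.append(ecn)
    return covered


if __name__ == "__main__":
    dscp = 46  # constructed sample value (binary 101110)
    pairs = dscp_to_ace_fields(dscp)
    for line in ace_options(dscp):
        print(line)
    print("both ACEs match ECN values:", coverage(dscp, pairs))
    print("first ACE alone matches ECN values:", coverage(dscp, pairs[:1]))
```

With only the first ACE configured, packets whose ECN field has its high bit set fall through to later ACEs or the default action, which is the gap the second ACE closes.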
Examples — To display a summary of the committed security ACLs on a WX switch, type the following command:
WX4400# display security acl
ACL table
ACL --------------------------- acl_123 acl_133 acl_124
Type ---- IP IP IP
Class ------ Static Static Static
Mapping ------- Port 2 In Port 4 In
To view a summary of the security ACLs in the edit buffer, type the following command:
WX4400# display security acl
ACL edit-buffer table
ACL --------------------------- acl_122 acl_132
Examples — To display the security ACL hits on a WX switch, type the following command:
WX4400# display security acl hits
ACL hit-counters
Index Counter              ACL-name
----- -------------------- -------
1     0                    acl_2
2     0                    acl_175
3     916                  acl_123
See Also
hit-sample-rate on page 437
set security acl on page 439

display security acl info
Displays the contents of a specified security ACL or all security ACLs that are committed — saved in the running configuration and nonvolatile st
Examples — To display the contents of all security ACLs committed on a WX switch, type the following command:
WX4400# display security acl info all
ACL information for all
set security acl ip acl_123 (hits #5 462)
--------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To display security ACL resource usage, type the following command:
WX4400# display security acl resource-usage
ACL resources
Classifier tree counters
------------------------
Number of rules : 2
Number of leaf nodes : 1
Stored rule count : 2
Leaf chain count : 1
Longest leaf chain : 2
Number of non-leaf nodes : 0
Uncompressed Rule Count : 2
Maximum node depth : 1
Sub-chain count : 0
PSCBs in primary memory : 0 (max: 512)
PSCBs in secondary memory : 0 (max: 9
Table 81 Output of display security acl resource-usage
Field                 Description
Number of rules       Number of security ACEs currently mapped to ports or VLANs.
Number of leaf nodes  Number of security ACL data entries stored in the rule tree.
Stored rule count     Number of security ACEs stored in the rule tree.
Leaf chain count      Number of chained security ACL data entries stored in the rule tree.
Table 81 Output of display security acl resource-usage (continued)
Field                   Description
LUdef in use            Number of the lookup definition (LUdef) table currently in use for packet handling.
Default action pointer  Memory address used for packet handling, from which default action data is obtained when necessary.
L4 global               Security ACL mapping on the WX switch:
                        True — Security ACLs are mapped.
                        False — No security ACLs are mapped.
No rules
Non-IP rules
Table 81 Output of display security acl resource-usage (continued)
Field                    Description
In mapping               Application of security ACLs to incoming traffic on the WX switch:
                         True — Security ACLs are mapped to incoming traffic.
                         False — No security ACLs are mapped to incoming traffic.
No VLAN or PORT mapping  Application of security ACLs to WX VLANs or ports on the WX switch:
                         True — No security ACLs are mapped to VLANs or ports.
No VPORT mapping

hit-sample-rate
Examples — The first command sets MSS to sample ACL hits every 15 seconds. The second and third commands display the results. The results show that 916 packets matching security acl_153 were sent since the ACL was mapped.
WX4400# hit-sample-rate 15
WX4400# display security acl info acl_153
ACL information for acl_153
set security acl ip acl_153 (hits #3 916)
--------------------------------------------------------
1. permit IP source IP 20.1.1.1 0.0.0.
Examples — The following commands show the edit buffer before a rollback, clear any changes in the edit buffer to security acl_122, and show the edit buffer after the rollback:
WX4400# display security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl_122 (ACEs 3, add 3, del 0, modified 0)
--------------------------------------------------------
1. permit IP source IP 20.0.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 20.0.2.11 0.
By ICMP packets
Syntax — set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask destination-ip-addr mask [type icmp-type] [code icmp-code] [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]
By TCP packets
Syntax — set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [
0 or 3—Best effort. Packets are queued in MAP forwarding queue 3.
4 or 5—Video. Packets are queued in MAP forwarding queue 2. Use CoS level 4 or 5 for voice over IP (VoIP) packets other than SpectraLink Voice Priority (SVP).
6 or 7—Voice. Packets are queued in MAP forwarding queue 1. In MSS Version 3.0, use 6 or 7 only for VoIP phones that use SVP, not for other types of traffic.
deny — Blocks traffic that matches the conditions in the ACE.
(For a complete list of TCP and UDP port numbers, see www.iana.org/assignments/port-numbers.)
destination-ip-addr mask — IP address and wildcard mask of the network or host to which the packet is being sent. Specify both address and mask in dotted decimal notation. For more information, see “Wildcard Masks” on page 26.
type icmp-type — Filters ICMP messages by type. Specify a value from 0 through 255.
before editbuffer-index — Inserts the new ACE in front of another ACE in the security ACL. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.)
modify editbuffer-index — Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.
The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:
WX4400# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:
WX4400# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.
Syntax — set security acl map acl-name {vlan vlan-id | port port-list [tag tag-list] | dap dap-num} {in | out}
acl-name — Name of an existing security ACL to map. ACL names start with a letter and are case-insensitive.
vlan vlan-id — VLAN name or number. MSS assigns the security ACL to the specified VLAN.
port port-list — Port list. MSS assigns the security ACL to the specified physical WX port or ports.
See Also
clear security acl map on page 425
commit security acl on page 427
set mac-user attr on page 246
set mac-usergroup attr on page 252
set security acl on page 439
set user attr on page 257
set user group on page 258
display security acl map on page 432
13 CRYPTOGRAPHY COMMANDS
Use cryptography commands to configure and manage certificates and public-private key pairs for system authentication. Depending on your network configuration, you must create keys and certificates to authenticate the WX switch to IEEE 802.1X wireless clients for which the WX switch performs authentication, and to 3Com wireless switch manager (3WXM) and Web Manager.
Commands by Usage
This chapter presents cryptography commands alphabetically.
crypto ca-certificate
Installs a certificate authority’s own PKCS #7 certificate into the WX certificate and key storage area.
Syntax — crypto ca-certificate {admin | eap | webaaa} PEM-formatted certificate
admin — Stores the certificate authority’s certificate that signed the administrative certificate for the WX switch. The administrative certificate authenticates the WX to 3Com wireless switch manager (3WXM) or Web Manager.
To use this command, you must already have obtained a copy of the certificate authority’s certificate as a PKCS #7 object file. Then do the following:
1 Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.
2 Enter the crypto ca-certificate command on the CLI command line.
3 When MSS prompts you for the PEM-formatted certificate, paste the PKCS #7 object file onto the command line.
PEM-formatted certificate — ASCII text representation of the PKCS #7 certificate, consisting of up to 4096 characters, that you have obtained from the certificate authority.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
crypto generate key
Generates an RSA public-private encryption key pair that is required for a Certificate Signing Request (CSR) or a self-signed certificate. For SSH, the command generates an SSH authentication key.
Syntax — crypto generate key {admin | eap | ssh | webaaa} {512 | 1024 | 2048}
admin — Generates an administrative key pair for authenticating the WX switch to 3WXM or Web Manager.
eap — Generates an EAP key pair for authenticating the WX switch to 802.
crypto generate request
Generates a Certificate Signing Request (CSR). This command outputs a PEM-formatted PKCS #10 text string that you can cut and paste to another location for delivery to a certificate authority. This command generates either an administrative CSR for use with 3WXM and Web Manager, or an EAP CSR for use with 802.1X clients.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command. Enter crypto generate request admin, crypto generate request eap, or crypto generate request webaaa and press Enter. When you are prompted, type the identifying values in the fields, or press Enter if the field is optional. You must enter a common name for the WX switch.
See Also
crypto certificate on page 449
crypto generate key on page 451

crypto generate self-signed
Generates a self-signed certificate for either an administrative certificate for use with 3WXM or an EAP certificate for use with 802.1X wireless users.
Syntax — crypto generate self-signed {admin | eap | webaaa}
admin — Generates an administrative certificate to authenticate the WX switch to 3WXM or Web Manager.
Note: If you are generating a WebAAA (webaaa) certificate, use a common name that looks like a domain name (two or more strings connected by dots, with no spaces). For example, use common.name instead of common name. The string is not required to be an actual domain name. It simply needs to be formatted like one.
Email Address string — (Optional) Specify your email address, in up to 80 alphanumeric characters with no spaces.
BAMCBkAwSAYJYIZIAYb4QgENBDsWOXRoaXMgY2VydGlmaWNhdGUgaXMgY29tcGxl
dGVseSB1bnRydXN0d29ydGh5LiBJcyB0aGF0IE9LPzAPBgNVHRMBAf8EBTADAQH/
MA0GCSqGSIb3DQEBBAUAA4GBAHUOhMG/Zbgojvxb+hopdNzWmjAL8Cr8lX4/g2W2
clyq55Y3SF+L6CmGxUmlLR5ZsM9KuEIZLPtKsCurIhiPft4g52fkCC/EdibxXlUb
kw8IUADwGiE1T21OM8vmm4EIKM7tyyEF0b94dqFxZQfSsJp+Up6d8LBnBRYDxzPd
-----END CERTIFICATE-----
See Also
crypto certificate on page 449
crypto generate key on page 451

crypto otp
Sets a one-time password (O
Question mark (?)
Ampersand (&)
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — The password allows the public-private key pair and certificate to be installed together from the same PKCS #12 object file. MSS erases the one-time password after processing the crypto pkcs12 command or when you reboot the WX switch. 3Com recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack.
webaaa — Unpacks a PKCS #12 object file for a WebAAA certificate and key pair — and optionally the certificate authority’s own certificate — for authenticating the WX switch to WebAAA clients.
file-location-url — Location of the PKCS #12 object file to be installed. Specify a location of between 1 and 128 alphanumeric characters, with no spaces.
display crypto ca-certificate
Displays information about the certificate authority’s PEM-encoded PKCS #7 certificate.
Syntax — display crypto ca-certificate {admin | eap | webaaa}
admin — Displays information about the certificate authority’s certificate that signed the administrative certificate for the WX switch. The administrative certificate authenticates the WX to 3WXM or Web Manager.
Table 83 display crypto ca-certificate Output (continued)
Issuer    Certificate authority that issued the certificate or signature.
Validity  Time period for which the certificate is valid.
See Also
crypto ca-certificate on page 448
display crypto certificate on page 460

display crypto certificate
Displays information about one of the cryptographic certificates installed on the WX switch.
Table 84 crypto certificate Output
Fields               Description
Version              Version of the X.509 certificate.
Serial Number        A unique identifier for the certificate or signature.
Subject              Name of the certificate owner.
Signature Algorithm  Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer               Certificate authority that issued the certificate or signature.
Validity             Time period for which the certificate is valid.
14 RADIUS AND SERVER GROUP COMMANDS
Use RADIUS commands to set up communication between a WX switch and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users.
Commands by Usage
This chapter presents RADIUS commands alphabetically. Use Table 85 to locate commands in this chapter based on their uses.
clear radius
Resets parameters that were globally configured for RADIUS servers to their default values.
Syntax — clear radius {deadtime | key | retransmit | timeout}
deadtime — Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server.
key — Password (shared secret key) used to authenticate to the RADIUS server.
WX4400# clear radius timeout
success: change accepted.
See Also
set radius on page 468
set radius server on page 472
display aaa on page 217

clear radius client system-ip
Removes the WX switch’s system IP address from use as the permanent source address in RADIUS client requests from the switch to its RADIUS server(s).
Syntax — clear radius client system-ip
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear radius proxy client
Removes a RADIUS proxy client entry for a third-party AP.
Syntax — clear radius proxy client all
Defaults — None.
Access — Enabled.
History — Introduced in MSS 4.0.
Examples — The following command clears all RADIUS proxy client entries from the switch:
WX-1200# clear radius proxy client all
success: change accepted.
clear radius server
Removes the named RADIUS server from the WX configuration.
Syntax — clear radius server server-name
server-name — Name of a RADIUS server configured to perform remote AAA services for the WX switch.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes the RADIUS server rs42 from a list of remote AAA servers:
WX4400# clear radius server rs42
success: change accepted.
Examples — To remove the server group sg-77, type the following command:
WX4400# clear server group sg-77
success: change accepted.
To disable load balancing in a server group shorebirds, type the following command:
WX4400# set server group shorebirds load-balance disable
success: change accepted.
See Also
set server group on page 474

set radius
Configures global defaults for RADIUS servers that do not explicitly set these values themselves.
retransmit — 3 (the total number of attempts, including the first attempt)
timeout — 5 seconds
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — You can specify only one parameter per command line.
Usage — The WX system IP address must be set before you use this command.
Examples — The following command sets the WX system IP address as the address of the RADIUS client:
WX4400# set radius client system-ip
success: change accepted.
See Also
clear radius client system-ip on page 465
set system ip-address on page 57

set radius proxy client
Adds a RADIUS proxy entry for a third-party AP.
WX-1200# set radius proxy client address 10.20.20.9 key radkey1
success: change accepted.
See Also
clear radius proxy client on page 466
set authentication proxy on page 238
set radius proxy port on page 471

set radius proxy port
Configures the WX port connected to a third-party AP as a RADIUS proxy for the SSID supported by the AP.
See Also
clear radius proxy port on page 466
set authentication proxy on page 238
set radius proxy client on page 470

set radius server
Configures RADIUS servers and their parameters. By default, the WX switch automatically sets all these values except the password (key).
author-password password — Password used for authorization to a RADIUS server for MAC users. Specify a password of up to 32 alphanumeric characters with no spaces or tabs.
See Also
display aaa on page 217
set authentication admin on page 226
set authentication console on page 228
set authentication dot1x on page 230
set authentication last-resort on page 234
set authentication mac on page 236
set authentication web on page 239
set radius on page 468
set server group on page 474

set server group
Configures a group of one to four RADIUS servers.
sandpiper
success: change accepted.
See Also
clear server group on page 467
display aaa on page 217
set server group load-balance on page 475

set server group load-balance
Enables or disables load balancing among the RADIUS servers in a server group.
Syntax — set server group group-name load-balance {enable | disable}
group-name — Server group name of up to 32 characters.
To disable load balancing between shorebirds server group members, type the following command:
WX1200# set server group shorebirds load-balance disable
success: change accepted.
15 802.1X MANAGEMENT COMMANDS
Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a WX switch. For best results, change the settings only if you are aware of a problem with the WX switch’s 802.1X performance.
CAUTION: 802.1X parameter settings are global for all SSIDs configured on the switch.
Commands by Usage
This chapter presents 802.1X commands alphabetically. Use Table 86 to locate commands in this chapter based on their use.
Table 86 802.1X Commands by Usage (continued)
Type  Command
Reauthentication, cont.
clear dot1x max-req
Resets to the default setting the number of Extensible Authentication Protocol (EAP) requests that the WX switch retransmits to a supplicant (client).
Syntax — clear dot1x max-req
Defaults — The default number is 20.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To reset the number of 802.1X requests the WX can send to the default setting, type the following command:
WX4400# clear dot1x max-req
success: change accepted.
Examples — Type the following command to reset the wired authentication port control:
WX4400# clear dot1x port-control
success: change accepted.
See Also
display dot1x on page 483
set dot1x port-control on page 490

clear dot1x quiet-period
Resets the quiet period after a failed authentication to the default setting.
Syntax — clear dot1x quiet-period
Defaults — The default is 60 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear dot1x reauth-max
Resets the maximum number of reauthorization attempts to the default setting.
Syntax — clear dot1x reauth-max
Defaults — The default is 2 attempts.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to reset the maximum number of reauthorization attempts to the default:
WX4400# clear dot1x reauth-max
success: change accepted.
clear dot1x timeout auth-server
Resets to the default setting the number of seconds that must elapse before the WX times out a request to a RADIUS server.
Syntax — clear dot1x timeout auth-server
Defaults — The default is 30 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
clear dot1x tx-period
Resets to the default setting the number of seconds that must elapse before the WX switch retransmits an EAP over LAN (EAPoL) packet.
Syntax — clear dot1x tx-period
Defaults — The default is 5 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to reset the EAPoL retransmission time:
WX4400# clear dot1x tx-period
success: change accepted.
History — Introduced in MSS Version 3.0. Format of 802.1X authentication rule information in display dot1x config output changed in MSS Version 3.2. The rules are still listed at the top of the display, but more information is shown for each rule.
Examples — Type the following command to display the 802.
display dot1x 802.
Table 87 display dot1x stats Output
Field                     Description
Enters Connecting         Number of times that the WX switch state transitions to the CONNECTING state from any other state.
Logoffs While Connecting  Number of times that the WX switch state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL-Logoff message.
Enters Authenticating     Number of times that the state wildcard transitions.
Defaults — By default, authentication control for individual wired authentication is enabled.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Usage — This command applies only to wired authentication ports.
Examples — To enable per-port 802.1X authentication on wired authentication ports, type the following command:
WX4400# set dot1x authcontrol enable
success: dot1x authcontrol enabled.
Usage — Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter. 3Com recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
Examples — Type the following command to enable key transmission:
WX4400# set dot1x key-tx enable
success: dot1x key transmission enabled.
See Also
display dot1x on page 483

set dot1x max-req
Sets the maximum number of times the WX retransmits an EAP request to a supplicant (client) before ending the authentication session.
Syntax — set dot1x max-req number-of-retransmissions
number-of-retransmissions — Specify a value between 0 and 10.
set dot1x port-control
Determines the 802.1X authentication behavior on individual wired authentication ports or groups of ports.
Syntax — set dot1x port-control {forceauth | forceunauth | auto} port-list
forceauth — Forces the specified wired authentication port(s) to unconditionally authorize all 802.1X authentication attempts, with an EAP success message.
forceunauth — Forces the specified wired authentication port(s) to unconditionally reject all 802.
set dot1x quiet-period
Sets the number of seconds a WX remains quiet and does not respond to a supplicant after a failed authentication.
Syntax — set dot1x quiet-period seconds
seconds — Specify a value between 0 and 65,535.
Defaults — The default is 60 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to set the quiet period to 90 seconds:
WX4400# set dot1x quiet-period 90
success: dot1x quiet period set to 90.
See Also
display dot1x on page 483
set dot1x reauth-max on page 492
set dot1x reauth-period on page 493

set dot1x reauth-max
Sets the number of reauthentication attempts that the WX switch makes before the supplicant (client) becomes unauthorized.
Syntax — set dot1x reauth-max number-of-attempts
number-of-attempts — Specify a value between 1 and 10.
Defaults — The default number of reauthentication attempts is 2.
Access — Enabled.
set dot1x reauth-period
Sets the number of seconds that must elapse before the WX switch attempts reauthentication.
Syntax — set dot1x reauth-period seconds
seconds — Specify a value between 60 (1 minute) and 1,641,600 (19 days).
Defaults — The default is 3600 seconds (1 hour).
Access — Enabled.
History — Introduced in MSS Version 3.0.
See Also
display dot1x on page 483
clear dot1x timeout auth-server on page 482

set dot1x timeout supplicant
Sets the number of seconds that must elapse before the WX switch times out an authentication session with a supplicant (client).
Syntax — set dot1x timeout supplicant seconds
seconds — Specify a value between 1 and 65,535.
Defaults — The default is 30 seconds.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — Type the following command to set the number of seconds before the WX switch retransmits an EAPoL packet to 300:
WX4400# set dot1x tx-period 300
success: dot1x tx-period set to 300.
See Also
display dot1x on page 483
clear dot1x tx-period on page 483

set dot1x wep-rekey
Enables or disables Wired Equivalency Privacy (WEP) rekeying for broadcast and multicast encryption keys.
set dot1x wep-rekey-period
Sets the interval for rotating the WEP broadcast and multicast keys.
Syntax — set dot1x wep-rekey-period seconds
seconds — Specify a value between 30 and 1,641,600 (19 days).
Defaults — The default is 1800 seconds (30 minutes).
Access — Enabled.
History — Introduced in MSS Version 3.0.
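The value ranges and defaults listed in this chapter can be checked against a saved configuration before it is loaded onto a switch. The Python script below is an added example, not 3Com code; it assumes the configuration is available as text with one set dot1x command per line, and its function names and sample configuration are constructed for illustration.

```python
"""Audit 'set dot1x' lines in a WX configuration (added example, not 3Com code)."""

# (min, max, default) per parameter, as listed in this chapter.
# max-req has no default here: the chapter gives 20 as its default, which lies
# outside the 0-10 range accepted by 'set dot1x max-req', so it is not compared.
NUMERIC = {
    "max-req": (0, 10, None),
    "quiet-period": (0, 65535, 60),
    "reauth-max": (1, 10, 2),
    "reauth-period": (60, 1641600, 3600),
    "timeout supplicant": (1, 65535, 30),
    "wep-rekey-period": (30, 1641600, 1800),
}
PORT_MODES = ("forceauth", "forceunauth", "auto")

# Constructed sample input (assumption: one command per line, prompt optional).
SAMPLE_CONFIG = """\
# constructed sample, not taken from a real switch
set dot1x quiet-period 90
set dot1x reauth-period 30
set dot1x timeout supplicant 30
set dot1x max-req 12
set dot1x port-control forceauth 2-4
set dot1x port-control auto 5
set dot1x wep-rekey-period 1800
WX4400# set dot1x reauth-max five
"""


def strip_prompt(line):
    """Drop a leading CLI prompt such as 'WX4400# ' if present."""
    head, sep, rest = line.partition("# ")
    return rest if sep and " " not in head else line


def _check_numeric(lineno, name, rest):
    """Validate one integer argument against the documented range and default."""
    low, high, default = NUMERIC[name]
    if len(rest) != 1 or not (rest[0].isascii() and rest[0].isdigit()):
        return [(lineno, "error", f"{name}: expected one integer value")]
    value = int(rest[0])
    if not low <= value <= high:
        return [(lineno, "error", f"{name} {value} is outside {low}-{high}")]
    if default is not None and value != default:
        return [(lineno, "info", f"{name} {value} differs from default {default}")]
    return []


def _check_port_control(lineno, rest):
    """Validate 'port-control <mode> <port-list>' and flag forceauth ports."""
    if len(rest) != 2 or rest[0] not in PORT_MODES:
        return [(lineno, "error",
                 "port-control: expected {forceauth | forceunauth | auto} port-list")]
    mode, ports = rest
    if mode == "forceauth":
        # forceauth authorizes all 802.1X attempts unconditionally (see above).
        return [(lineno, "warn",
                 f"port(s) {ports} authorize every 802.1X attempt unconditionally")]
    return []


def audit_dot1x(config_text):
    """Return a list of (line_number, level, message) findings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = strip_prompt(raw.strip()).split()
        if tokens[:2] != ["set", "dot1x"]:
            continue
        args = tokens[2:]
        if args[:1] == ["port-control"]:
            findings.extend(_check_port_control(lineno, args[1:]))
            continue
        # Try two-word parameter names ("timeout supplicant") before one-word ones.
        for width in (2, 1):
            name = " ".join(args[:width])
            if name in NUMERIC:
                findings.extend(_check_numeric(lineno, name, args[width:]))
                break
        # Other set dot1x commands (tx-period, key-tx, ...) are not checked here.
    return findings


if __name__ == "__main__":
    for lineno, level, message in audit_dot1x(SAMPLE_CONFIG):
        print(f"line {lineno}: {level}: {message}")
```

Commands whose ranges are not stated in this chapter, such as set dot1x tx-period, pass through without a finding.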
16 SESSION MANAGEMENT COMMANDS
Use session management commands to display and clear administrative and network user sessions.
Commands by Usage
This chapter presents session management commands alphabetically. Use Table 88 to locate commands in this chapter based on their use.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 26.)
mac-addr mac-addr-glob — Clears all network sessions for a MAC address.
To clear the session of user Natasha, type the following command:
WX1200# clear sessions network user Natasha
To clear the sessions of users whose name begins with the characters Jo, type the following command:
WX1200# clear sessions network user Jo*
To clear the sessions of all users on VLAN red, type the following command:
WX1200# clear sessions network vlan red
See Also
display sessions on page 500
display sessions network on page

display sessions
Examples — To view information about sessions of administrative users, type the following command:
WX4400> display sessions admin
Tty      Username              Time (s)  Type
-------  --------------------  --------  ----
tty0                           3644      Console
tty2     tech                  6         Telnet
tty3     sshadmin              381       SSH
3 admin sessions
To view information about console users’ sessions, type the following command:
WX4400> display sessions console
Tty      Username              Time (s)
-------  --------------------  --------
console                        8573
1 console session
To view informatio
Table 89 display sessions admin, display sessions console, and display sessions telnet Output
Field     Description
Tty       The Telnet terminal number, or console for administrative users connected through the console port.
Username  Up to 30 characters of the name of an authenticated user.
Time (s)  Number of seconds the session has been active.
display sessions network
Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID.
Syntax — display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name vlan vlan-glob | session-id session-id | wired] [verbose]
user user-glob — Displays all network sessions for a single user or set of users.
History — Introduced in MSS Version 3.0.
Usage — MSS displays information about network sessions in three types of displays. See the following tables for field descriptions.
Summary display — See Table 91 on page 506.
Verbose display — See Table 92 on page 506.
display sessions network session-id display — See Table 93 on page 508.
Examples — To display summary information for all network sessions, type display sessions network.
(Table 91 on page 506 describes the summary displays of display sessions network commands.)
The following command displays detailed (verbose) session information about user nin@example.com:
WX1200# display sessions network user nin@example.com verbose
User                          Sess IP or MAC         VLAN            Port/
Name                          ID   Address           Name            Radio
----------------------------- ---- ----------------- --------------- ----
nin@example.com               5*   10.20.30.
Tag: 1
Session Timeout: 1800
Authentication Method: PEAP, using server 10.10.70.
Table 92 Additional display sessions network verbose Output (continued)
Field  Description
State  Status of the session:
       AUTH, ASSOC REQ — Client is being associated by the 802.1X protocol.
       AUTH AND ASSOC — Client is being associated by the 802.1X protocol, and the user is being authenticated.
       AUTHORIZING — User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
Table 93 display sessions network session-id Output
Field      Description
Global Id  A unique session identifier within the Mobility Domain.
State      Status of the session:
           AUTH, ASSOC REQ — Client is being associated by the 802.1X protocol.
           AUTH AND ASSOC — Client is being associated by the 802.1X protocol, and the user is being authenticated.
           AUTHORIZING — User has been authenticated (for example, by the 802.
Table 93 display sessions network session-id Output (continued)
Field                                  Description
Session Timeout                        Assigned session timeout in seconds.
Authentication Method                  Extensible Authentication Protocol (EAP) type used to authenticate the session user, and the IP address of the authentication server.
Session statistics as updated from AP  Time the session statistics were last updated from the MAP access point, in seconds since a fixed standard date and time.
17 RF DETECTION COMMANDS
MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a 3Com switch and is not a member of the ignore list configured on the seed switch of the Mobility Domain. MSS can issue countermeasures against rogue devices to prevent clients from being able to use them.
You can configure RF detection parameters on individual WX switches.
Table 94 RF Detection Commands by Usage (continued)
Type                 Command
Permitted SSID List  set rfdetect ssid-list on page 532
                     display rfdetect ssid-list on page 525
                     clear rfdetect ssid-list on page 514
Client Black List    set rfdetect black-list on page 529
                     display rfdetect black-list on page 535
                     clear rfdetect black-list on page 513
Attack List          set rfdetect attack-list on page 528
                     display rfdetect attack-list on page 534
                     clear rfdetect attack-list on page 512
Ignore Li
See Also
set rfdetect attack-list on page 528
display rfdetect attack-list on page 534

clear rfdetect black-list
Removes a MAC address from the client black list.
Syntax — clear rfdetect black-list mac-addr
mac-addr — MAC address you want to remove from the black list.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command removes BSSID aa:bb:cc:11:22:33 from the ignore list for RF scans:
WX1200# clear rfdetect ignore aa:bb:cc:11:22:33
success: aa:bb:cc:11:22:33 is no longer ignored.
See Also
display rfdetect ignore on page 520
set rfdetect ignore on page 530

clear rfdetect ssid-list
Removes an SSID from the permitted SSID list.
clear rfdetect vendor-list
Removes an entry from the permitted vendor list.
Syntax — clear rfdetect vendor-list {client | ap} mac-addr | all
client|ap — Specifies whether the entry is for an AP brand or a client brand.
mac-addr|all — Organizationally Unique Identifier (OUI) to remove.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command shows counters for rogue activity detected by a WX switch:
WX-1200# display rfdetect counters
Type                                              Current     Total
----------------- ----------- ------------
Rogue access points                               0           0
Interfering access points                         139         1116
Rogue 802.11 clients                              0           0
Interfering 802.11 clients                        4           347
802.11 adhoc clients                              0           1
Unknown 802.11 clients                            20          965
Interfering 802.11 clients seen on wired network  0           0
802.11 probe request flood                        0           0
802.
display rfdetect countermeasures
Displays the current status of countermeasures against rogues in the Mobility Domain.
Syntax — display rfdetect countermeasures
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0. As of Version 4.0, output no longer lists rogues for which countermeasures have not been started.
Usage — This command is valid only on the seed switch of the Mobility Domain.
Table 95 display rfdetect countermeasures Output (continued)
Field                      Description
Countermeasures Radio MAC  MAC address of the 3Com radio sending countermeasures against the rogue. If the field value is Not Started, MSS has not started countermeasures against the rogue yet.
WX-IPaddr                  System IP address of the WX switch that is managing the MAP that is sending or will send countermeasures.
Examples — The following command shows the devices detected by this WX switch during the most recent RF detection scan:
WX1200# display rfdetect data
Total number of entries: 197
Flags: i = infrastructure, a = ad-hoc
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4
BSSID             Vendor  Type  Port/Radio/Ch
----------------- ------- ----- ------------
00:07:50:d5:cc:91 Cisco   intfr 3/1/6
00:07:50:d5:dc:78 Cisco   intfr 3/1/6
00:09:b7:7b:8a:54 Cisco   intfr 3/1/2
00:0a:5e:4b:4a:c0 3Com    intfr 3/1/11
00:0a:5e
Table 96 display rfdetect data Output
Field  Description
Flags  Classification and encryption information for the rogue:
       The i, a, or u flag indicates the classification.
       The other flags indicate the encryption used by the rogue.
       For flag definitions, see the key in the command output.
display rfdetect mobility-domain
Displays the rogues detected by all WX switches in the Mobility Domain during RF detection scans.
Syntax — display rfdetect mobility-domain [ssid ssid-name | bssid mac-addr]
ssid ssid-name — Displays rogues that are using the specified SSID.
bssid mac-addr — Displays rogues that are using the specified BSSID.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
The lines in this display are compiled from data from multiple listeners (MAP radios). If an item has the value unresolved, not all listeners agree on the value for that item. Generally, an unresolved state occurs only when an MAP or a Mobility Domain is still coming up, and lasts only briefly.
The following command displays detailed information for rogues using SSID 3Com-webaaa.
The following command displays detailed information for a BSSID.
WX1200# display rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp
Type: rogue Adhoc: no Crypto-types: clear
WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/2/56 Mac: 00:0b:0e:00:0a:6b
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
WX-IPaddress: 10.3.8.
Table 98 display rfdetect mobility-domain ssid or bssid Output
Field   Description
BSSID   MAC address of the SSID used by the detected device.
Vendor  Company that manufactures or sells the rogue device.
SSID    SSID used by the detected device.
Type    Classification of the rogue device:
        rogue—Wireless device that is on the network but is not supposed to be on the network.
See Also
display rfdetect data on page 518
display rfdetect visible on page 526

display rfdetect ssid-list
Displays the entries in the permitted SSID list.
Syntax — display rfdetect ssid-list
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following example shows the permitted vendor list on a WX switch:
WX1200# display rfdetect vendor-list
Total number of entries: 1
OUI               Type
----------------- ------
aa:bb:cc:00:00:00 client
11:22:33:00:00:00 ap
See Also
clear rfdetect vendor-list on page 515
set rfdetect vendor-list on page 533

display rfdetect visible
Displays the BSSIDs discovered by a specific 3Com radio.
History — Introduced in MSS Version 3.0. Vendor, Type, and Flags fields added in Version 4.0.
Usage — If a 3Com radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately. To display rogue information for the entire Mobility Domain, use the display rfdetect mobility-domain command on the seed switch.
Table 99 display rfdetect visible Output (continued)
Field  Description
Type   Classification of the rogue device:
       rogue—Wireless device that is on the network but is not supposed to be on the network.
       intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MAP radios.
       known—Device that is a legitimate member of the network.
Ch     Channel number on which the radio detected the rogue.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — The attack list applies only to the WX switch on which the list is configured. WX switches do not share attack lists.
Examples — The following command adds MAC address aa:bb:cc:44:55:66 to the attack list:
WX-1200# set rfdetect attack-list 11:22:33:44:55:66
success: MAC 11:22:33:44:55:66 is now in attacklist.
Examples — The following command adds client MAC address 11:22:33:44:55:66 to the black list:
WX-8# set rfdetect black-list 11:22:33:44:55:66
success: MAC 11:22:33:44:55:66 is now blacklisted.
See Also
set rfdetect black-list on page 529
display rfdetect black-list on page 535

set rf detect countermeasures
Deprecated in MSS Version 4.0. You now can disable or reenable active scan in individual radio profiles.
Examples — The following command configures MSS to ignore BSSID aa:bb:cc:11:22:33 during RF scans:
WX1200# set rfdetect ignore aa:bb:cc:11:22:33
success: MAC aa:bb:cc:11:22:33 is now ignored.
See Also
clear rfdetect ignore on page 513
display rfdetect ignore on page 520

set rfdetect log
Disables or reenables generation of log messages when rogues are detected or when they disappear.
Syntax — set rfdetect log {enable | disable}
enable — Enables logging of rogues.
set rfdetect signature
Enables MAP signatures. A MAP signature is a set of bits in a management frame sent by a MAP that identifies that MAP to MSS. If someone attempts to spoof management packets from a 3Com MAP, MSS can detect the spoof attempt.
Syntax — set rfdetect signature {enable | disable}
enable — Enables MAP signatures.
disable — Disables MAP signatures.
Defaults — MAP signatures are disabled by default.
Access — Enabled.
Defaults — The permitted SSID list is empty by default and all SSIDs are allowed. However, after you add an entry to the list, MSS allows traffic only for the SSIDs that are on the list.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — The permitted SSID list applies only to the WX switch on which the list is configured. WX switches do not share permitted SSID lists.
Usage — The permitted vendor list applies only to the WX switch on which the list is configured. WX switches do not share permitted vendor lists.
Examples — The following command adds an entry for clients whose MAC addresses start with aa:bb:cc:
WX-1200# set rfdetect vendor-list client aa:bb:cc:00:00:00
success: MAC aa:bb:cc:00:00:00 is now in client vendor-list.
The trailing 00:00:00 value is required.
display rfdetect black-list
Displays information about the clients in the client black list.
Syntax — display rfdetect black-list
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command shows information about all wireless clients detected by a WX switch’s MAPs:
WX1200# display rfdetect clients
Total number of entries: 30
Client MAC        Client  AP MAC            AP      Port/Radio    NoL Type  Last
                  Vendor                    Vendor  /Channel                seen
----------------- ------- ----------------- ------- ------------- --- ----- ----
00:03:7f:bf:16:70 Unknown
00:04:23:77:e6:e5 Intel
00:05:5d:79:ce:0f D-Link
00:05:5d:7e:96:a7 D-Link
00:05:5d:7e:96:ce D-Link
00:05:5d:84:d1:
Table 100 display rfdetect clients Output (continued)
Field      Description
NoL        Number of listeners. This is the number of MAP radios that detected the rogue client.
Type       Classification of the rogue device:
           rogue — Wireless device that is on the network but is not supposed to be on the network.
           intfr — Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MAP radios.
Last seen
Table 101 display rfdetect clients mac Output (continued)
Field                    Description
Last Rogue Status Check  Number of seconds since the WX switch looked on the air for the AP with which the rogue client is associated. The switch looks for the client’s AP by sending a packet from the wired side of the network addressed to the client, and watching the air for a wireless packet containing the client’s MAC address.
18 FILE MANAGEMENT COMMANDS
Use file management commands to manage system files and to display software and boot information.
Commands by Usage
This chapter presents file management commands alphabetically. Use Table 102 to locate commands in this chapter based on their use.
backup
Creates an archive of WX system files and, optionally, user files, in Unix tape archive (tar) format.
Syntax — backup system [tftp:/ip-addr/]filename [all | critical]
[tftp:/ip-addr/]filename — Name of the archive file to create. You can store the file locally in the switch’s nonvolatile storage or on a TFTP server.
all — Backs up system files and all the files in the user files area.
The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the display boot command’s output.) If the running configuration contains changes that have not been saved, these changes are not in the boot configuration file and are not archived.
See Also
display config on page 548
reset system on page 554

copy
Performs the following copy operations:
Copies a file from a TFTP server to nonvolatile storage.
Copies a file from nonvolatile storage or temporary storage to a TFTP server.
Copies a file from one area in nonvolatile storage to another.
Copies a file to a new filename in nonvolatile storage.
History — Introduced in MSS Version 3.0.
Usage — The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a WX switch’s nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server’s hostname as an alternative to specifying the IP address. The tmp:filename URL specifies a file in temporary storage.
WX4400# delete test-config
success: file deleted.
The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in a WX switch’s nonvolatile storage:
WX4400# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
See Also
delete on page 544
dir on page 545

delete
Deletes a file.
Examples — The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage:
WX4400# copy testconfig tftp://10.1.1.1/testconfig
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
WX4400# delete testconfig
success: file deleted.
The following commands delete file dang_doc from subdirectory dang:
WX4400# delete dang/dang_doc
success: file deleted.
===============================================================================
Boot:
Filename                 Size      Created
*boot0:bload             746 KB    May 09 2004, 19:02:16
*boot0:WXA03002.Rel      8182 KB   May 09 2004, 18:58:16
boot1:WXA03001.
display boot
Displays the system image and configuration filenames used after the last reboot and configured for use after the next reboot.

Syntax — display boot
Defaults — None.
Access — Access.
History — Introduced in MSS Version 3.0.
Examples — The following command shows the boot information for a WX switch:

WX1200# display boot
Configured boot image:          boot0:WXB03002.Rel
Configured boot configuration:  file:newconfig
Booted version:                 3.
Booted image:
Booted configuration:
Product model:
display config
Displays the configuration running on the WX switch.

Syntax — display config [area area] [all]
  area area — Configuration area.
History — Introduced in MSS Version 3.0. In MSS Version 4.0, option snoop added for remote traffic monitoring, and rfdevice was changed to rfdetect.

Usage — If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas. If you specify an area, commands are displayed for that area only. If you use the all option, the display also includes commands for configuration items that are set to their default values.
Examples — The following command displays version information for a WX switch:

WX1200# display version
Mobility System Software, Version: 3.0.1
Copyright (c) 2004 3Com Corporation. All rights reserved.
Build Information:  (build#168) TOP 2004-09-23 08:35:00
Model:              WX1200
Hardware
  Mainboard:        version 1 ; FPGA version 0
  PoE board:        version 0 ; FPGA version 0
Serial number       M8WE48BB8C7A0
Flash:              3.0.0.549 - md0a
Kernel:             3.0.
BootLoader:
F/W1     : 4.2
F/W2     : 4.2
S/W      : 3.0.1_092304_WX1200
BOOT S/W : 3.0.1_082504

Table 105 describes the fields in the display version output.

Table 105 Output for display version

Field              Description
Build Information  Factory timestamp of the image file.
Label              Software version and build date.
Build Suffix       Build suffix.
Model              Build model.
Hardware           Version information for the WX switch’s motherboard and Power over Ethernet (PoE) board.
Serial number      Serial number of the WX switch.
Syntax — load config [url]
  url — Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c.

Defaults — The default file location is nonvolatile storage. The current version supports loading a configuration file only from the switch’s nonvolatile storage.
See Also
  display boot on page 547
  display config on page 548
  save config on page 557

mkdir
Creates a new subdirectory in nonvolatile storage.

Syntax — mkdir [subdirname]
  subdirname — Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
===============================================================================
temporary files:
Filename                 Size      Created
Total: 0 bytes used, 93537 Kbytes free

See Also
  dir on page 545
  rmdir on page 556

reset system
Restarts a WX switch and reboots the software.

Syntax — reset system [force]
  force — Immediately restarts the system and reboots, without comparing the running configuration to the configuration file.
Defaults — None.
Access — Enabled.
See Also
  display boot on page 547
  display version on page 549
  save config on page 557

restore
Unzips a system archive created by the backup command and copies the files from the archive onto the switch.

Syntax — restore system [tftp:/ip-addr/]filename [all | critical]
  [tftp:/ip-addr/]filename — Name of the archive file to load. The archive can be located in the switch’s nonvolatile storage or on a TFTP server.
If the archive’s files cannot fit on the switch, the restore operation fails. 3Com recommends deleting unneeded image files before creating or restoring an archive. The backup command stores the MAC address of the switch in the archive. By default, the restore command works only if the MAC address in the archive matches the MAC address of the switch where the restore command is entered.
History — Introduced in MSS Version 3.0.

Usage — MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it.

Examples — The following example removes subdirectory corp2:

WX4400# rmdir corp2
success: change accepted.

See Also
  dir on page 545
  mkdir on page 553

save config
Saves the running configuration to a configuration file.
Examples — The following command saves the running configuration to the configuration file loaded during the most recent reboot. In this example, the filename used during the most recent reboot is configuration.

WX4400# save config
Configuration saved to configuration.

The following command saves the running configuration to a file named testconfig1:

WX4400# save config testconfig1
Configuration saved to testconfig1.
set boot partition
Specifies the boot partition in which to look for the system image file following the next system reset, software reload, or power cycle.

Syntax — set boot partition {boot0 | boot1}
  boot0 — Boot partition 0.
  boot1 — Boot partition 1.
Defaults — By default, a WX switch uses the same boot partition for the next software reload that was used to boot the currently running image.
Access — Enabled.
History — Introduced in MSS Version 3.0.
19 TRACE COMMANDS

Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command.

CAUTION: Using the set trace command can have adverse effects on system performance. 3Com recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels to get the data you need.
clear log trace
Deletes the log messages stored in the trace buffer.

Syntax — clear log trace
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To delete the trace log, type the following command:

WX4400# clear log trace

See Also
  display log buffer on page 582
  set log on page 586

clear trace
Deletes running trace commands and ends trace processes.
To clear the session manager trace, type the following command:

WX4400# clear trace sm
success: clear trace sm

See Also
  display trace on page 563
  set trace authentication on page 564
  set trace authorization on page 565
  set trace dot1x on page 566
  set trace sm on page 567

display trace
Displays information about traces that are currently configured on the WX switch, or all possible trace options.
save trace
Saves the accumulated trace data for enabled traces to a file in the WX switch’s nonvolatile storage.

Syntax — save trace filename
  filename — Name for the trace file. To save the file in a subdirectory, specify the subdirectory name, then a slash. For example: traces/trace1
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command starts a trace for information about user jose’s authentication:

WX4400# set trace authentication user jose
success: change accepted.

See Also
  clear trace on page 562
  display trace on page 563

set trace authorization
Traces authorization information.

Syntax — set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level]
  mac-addr mac-address — Traces a MAC address.
set trace dot1x
Traces 802.1X sessions.

Syntax — set trace dot1x [mac-addr mac-address] [port port-num] [user username] [level level]
  mac-addr mac-address — Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
  port port-num — Traces on a WX port number.
  user username — Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
set trace sm
Traces session manager activity.

Syntax — set trace sm [mac-addr mac-address] [port port-num] [user username] [level level]
  mac-addr mac-address — Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
  port port-num — Traces on a WX port number.
  user username — Traces a user. Specify a username of up to 80 alphanumeric characters, with no spaces.
20 SNOOP COMMANDS

Use snoop commands to monitor wireless traffic, by using a Distributed MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. (For more information, including setup instructions for the monitoring station, see the “Remotely Monitoring Traffic” section in the “Troubleshooting an WX Switch” chapter of the Wireless LAN Switch Configuration Guide.
clear snoop
Deletes a snoop filter.

Syntax — clear snoop filter-name
  filter-name — Name of the snoop filter.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command deletes snoop filter snoop1:

WX1200# clear snoop snoop1

See Also
  set snoop on page 571
  display snoop info on page 577

clear snoop map
Removes a snoop filter from a MAP radio.
The following command removes all snoop filter mappings from all radios:

WX1200# clear snoop map all
success: change accepted.

See Also
  set snoop map on page 574
  display snoop on page 576
  display snoop map on page 577

set snoop
Configures a snoop filter.

set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]
  filter-name — Name for the filter. The name can be up to 32 alphanumeric characters, with no spaces.
If you omit a condition, all packets match that condition. For example, if you omit frame-type, all frame types match the filter. For most conditions, you can use eq (equal) to match only on traffic that matches the condition value. Use neq (not equal) to match only on traffic that is not equal to the condition value.

  observer ip-addr — Specifies the IP address of the station where the protocol analyzer is located.
If the snoop filter is running on a Distributed MAP, and the MAP used a DHCP server in its local subnet to configure its IP information, and the MAP did not receive a default gateway address as a result, the observer must also be in the same subnet. Without a default gateway, the MAP cannot find the observer.

The MAP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the MAP to the observer.
set snoop map
Maps a snoop filter to a radio on a Distributed MAP. A snoop filter does not take effect until you map it to a radio and enable the filter.

Syntax — set snoop map filter-name dap dap-num radio {1 | 2}
  filter-name — Name of the snoop filter.
  dap-num — Number of a Distributed MAP to which to map the snoop filter.
  radio 1 — Radio 1 of the MAP.
  radio 2 — Radio 2 of the MAP. (This option does not apply to single-radio models.
See Also
  clear snoop map on page 570
  set snoop on page 571
  set snoop mode on page 575
  display snoop map on page 577
  display snoop stats on page 578

set snoop mode
Enables a snoop filter. A snoop filter does not take effect until you map it to a MAP radio and enable the filter.

set snoop {filter-name | all} mode {enable [stop-after num-pkts] | disable}
  filter-name | all — Name of the snoop filter. Specify all to enable all snoop filters.
  display snoop on page 576
  display snoop info on page 577
  display snoop map on page 577
  display snoop stats on page 578

display snoop
Displays the MAP radio mapping for all snoop filters.

Syntax — display snoop
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Usage — To display the mappings for a specific MAP radio, use the display snoop map command.
display snoop info
Shows the configured snoop filters.

Syntax — display snoop filter-name
  filter-name — Name of the snoop filter.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 4.0.
Examples — The following command shows the snoop filters configured in the examples above:

WX1200# display snoop info
snoop1:
  observer 10.10.30.2 snap-length 100
  all packets
snoop2:
  observer 10.10.30.
Usage — To display the mappings for all snoop filters, use the display snoop command.

Examples — The following command shows the mapping for snoop filter snoop1:

WX1200# display snoop map snoop1
filter 'snoop1' mapping
Dap: 3 Radio: 2

See Also
  clear snoop map on page 570
  set snoop map on page 574
  display snoop on page 576

display snoop stats
Displays statistics for enabled snoop filters.
Examples — The following command shows statistics for snoop filter snoop1:

WX1200# display snoop stats snoop1
Filter  Dap  Radio  Rx Match  Tx Match  Dropped  Stop-After
=========================================================================
snoop   3    1      96        4         0        stopped

Table 108 describes the fields in this display.

Table 108 display snoop stats Output

Field   Description
Filter  Name of the snoop filter.
Dap     Distributed MAP containing the radio to which the filter is mapped.
21 SYSTEM LOG COMMANDS

Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol.

Commands by Usage
This chapter presents system log commands alphabetically. Use Table 109 to locate commands in this chapter based on their use.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — To stop sending system logging messages to a server at 192.168.253.11, type the following command:

WX4400# clear log server 192.168.253.11
success: change accepted.

Type the following command to clear all messages from the log buffer:

WX4400# clear log buffer
success: change accepted.
  severity severity-level — Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
    emergency — The WX switch is unusable.
    alert — Action must be taken immediately.
    critical — You must resolve the critical conditions. If the conditions are not resolved, the WX can reboot or shut down.
    error — The WX is missing data or is unable to form a connection.
    warning — A possible problem exists.
See Also
  clear log on page 581
  display log config on page 584

display log config
Displays log configuration information.

Syntax — display log config
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
display log trace
Displays system information stored in the nonvolatile log buffer or the trace buffer.

Syntax — display log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
  trace — Displays the log messages in the trace buffer.
Defaults — None.
Access — Enabled.
History — Introduced in MSS Version 3.0.
  sessions — Sets the default log values for Telnet sessions. You can set defaults for the following log parameters:
    Severity
    Logging state (enabled or disabled)
  To override the session defaults for an individual session, type the set log command from within the session and use the current option.
  trace — Sets log parameters for trace files.
  severity severity-level — Logs events at a severity level greater than or equal to the level specified.
If you do not specify a local facility, MSS sends the messages with their default MSS facilities. For example, AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default.
  enable — Enables messages to the specified target.
  disable — Disables messages to the specified target.

Defaults — The following are defaults for the set log commands.
  Events at the error level and higher are logged to the WX console.
set log trace mbytes
Changes the size of trace log files.

Syntax — set log trace mbytes count
  count — Size of the trace buffer, in megabytes (MB). You can specify from 1 through 50.
Defaults — The default trace buffer size is 1 MB.
Access — Enabled.
History — Introduced in MSS Version 3.0.
Examples — The following command increases the trace buffer size to 4 MB:

WX4400# set log trace mbytes 4
success: change accepted.
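The severity threshold and the facility numbers described for set log in this chapter correspond to the RFC 3164 PRI field, where PRI = facility * 8 + severity. The following is an added example, not part of the 3Com guide: it decodes PRI at a syslog collector, rejects malformed lines, and applies the same "this level or more severe" filter. The hostname, message tags and sample lines are constructed assumptions, not captured MSS output.

```python
import re

# RFC 3164 severity names; the list index is the numeric severity (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MESSAGE, the packet layout from RFC 3164.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample lines: hostname, tags and message text are assumptions,
# not captured MSS output. PRI values use facility 4 (AAA) and 20 (boot).
SAMPLE = [
    "<35>Oct  5 14:02:11 wx4400 AAA: constructed sample, login rejected",
    "<36>Oct  5 14:02:12 wx4400 AAA: constructed sample, retry count high",
    "<162>Oct  5 14:03:40 wx4400 BOOT: constructed sample, image check failed",
    "<166>Oct  5 14:03:41 wx4400 BOOT: constructed sample, boot complete",
    "<999>Oct  5 14:04:00 wx4400 AAA: constructed sample, PRI out of range",
    "Oct  5 14:04:01 wx4400 constructed sample, PRI missing",
]


def decode_pri(pri):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def facility_name(facility):
    """Name the facilities this chapter mentions; others stay numeric."""
    if facility == 4:
        return "auth"  # security/authorization messages
    if 16 <= facility <= 23:
        return f"local{facility - 16}"  # facility 20 is local4
    return f"facility{facility}"


def parse_line(line):
    """Return a record for a well-formed line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        facility, severity = decode_pri(int(m.group("pri")))
    except ValueError:
        return None
    return {
        "pri": int(m.group("pri")),
        "facility": facility_name(facility),
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def parse_all(lines):
    """Separate parsed records from lines a collector should not trust."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def at_least(records, level):
    """Keep records at the named level or more severe (numerically lower)."""
    threshold = SEVERITIES.index(level)
    return [r for r in records if r["severity_num"] <= threshold]


if __name__ == "__main__":
    records, rejected = parse_all(SAMPLE)
    for rec in at_least(records, "error"):
        print(rec["facility"], rec["severity"], rec["host"], rec["msg"])
    print(f"{len(rejected)} malformed line(s) rejected")
```

"Greater than or equal to" a severity level means numerically lower or equal in RFC 3164, which is why the filter compares with `<=`.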
22 BOOT PROMPT COMMANDS

Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).

CAUTION: Generally, boot prompt commands are used only for troubleshooting.
Table 110 Boot Prompt Commands by Usage (continued)

Type                            Command
Boot Profile Management, cont.  next on page 603
                                change on page 595
                                delete on page 597
Diagnostics                     diag on page 598
                                test on page 605

autoboot
Displays or changes the state of the autoboot option. The autoboot option controls whether a WX switch automatically boots a system image after initializing the hardware, following a system reset or power cycle.
boot
Loads and executes a system image file.

Syntax — boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num] [OPT=option] [OPT+=option]
  BT=type — Boot type:
    c — Compact flash. Boots using nonvolatile storage or a flash card.
    n — Network. Boots using a TFTP server.
Usage — If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the display command. To change the currently active boot profile, use the change command.

Examples — The following command loads system image file WXA30001.Rel from boot partition 1:

boot> boot FN=WXA03001.
change
Changes parameters in the currently active boot profile. (For information about boot profiles, see display on page 599.)

Syntax — change
Defaults — The default boot type is c (compact flash). The default filename is default. The default flags setting is 0x00000000 (all flags disabled) and the default options list is run=nos;boot=0.
  delete on page 597
  display on page 599
  next on page 603

create
Creates a new boot profile. (For information about boot profiles, see display on page 599.)

Syntax — create
Defaults — The new boot profile has the same settings as the currently active boot profile by default.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
Usage — A WX switch can have up to four boot profiles. The boot profiles are stored in slots, numbered 0 through 3.
  display on page 599
  next on page 603

delete
Removes the currently active boot profile. (For information about boot profiles, see display on page 599.)

Syntax — delete
Defaults — None.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
Usage — When you type the delete command, the next-lower numbered boot profile becomes the active profile. For example, if the currently active profile is number 3, profile number 2 becomes active after you type delete to delete profile 3.
diag
Accesses the diagnostic mode.

Syntax — diag
Defaults — The diagnostic mode is disabled by default.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
Usage — Access to the diagnostic mode requires a password, which is not user configurable. Use this mode only if advised to do so by 3Com.

dir
Displays the boot code and system image files on a WX switch.
Internal Compact Flash Directory (Secondary):
WXA30001.Rel 8862885 bytes

See Also
  fver on page 601
  version on page 606

display
Displays the currently active boot profile. A boot profile is a set of parameters that a WX switch uses to control the boot process.
DEVICE:    boot1:
FILENAME:  default
FLAGS:     00000000
OPTIONS:   run=nos;boot=0

Table 111 describes the fields in the display.

Table 111 Output of display command

Field       Description
BOOT Index  Boot profile slot, which can be a number from 0 to 3.
BOOT TYPE   Boot type:
            c — Compact flash. Boots using nonvolatile storage or a flash card.
            n — Network. Boots using a TFTP server.
DEVICE
fver
Displays the version of a system image file installed in a specific location on a WX switch.

Syntax — fver {c: | d: | e: | f: | boot0: | boot1:} [filename]
  c: — Nonvolatile storage area containing boot partition 0 (primary).
  d: — Nonvolatile storage area containing boot partition 1 (secondary).
  e: — Primary partition of the flash card in the flash card slot.
  f: — Secondary partition of the flash card in the flash card slot.
  boot0: — Boot partition 0.
help
Displays a list of all the boot prompt commands or detailed information for an individual command.

Syntax — help [command-name]
  command-name — Boot prompt command.
Defaults — None.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
Usage — If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed.
Usage — To display help for an individual command, type help followed by the command name (for example, help boot).

Examples — To display a list of the commands available at the boot prompt, type the following command:

boot> ls
ls help autoboot boot profile. change create delete next display dir fver version reset test diag
Display a list of all commands and descriptions.
Display help information for each command.
Display the state of, enable, or disable the autoboot option.
Examples — To activate the boot profile in the next slot and display the profile, type the following command:

boot> next
BOOT Index:  0
BOOT TYPE:   c
DEVICE:      boot1:
FILENAME:    testcfg
FLAGS:       00000000
OPTIONS:     run=nos;boot=0

See Also
  change on page 595
  create on page 596
  delete on page 597
  display on page 599

reset
Resets a WX switch’s hardware.

Syntax — reset
Defaults — None.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
3Com WX-4400 Bootstrap/Bootloader
Version 3.0.2 Release
Compiled on Wed Sep 22 09:18:47 PDT 2004 by
Bootstrap 0 version: 3.1 Active
Bootloader 0 version: 3.0.2 Active
Bootstrap 1 version: 3.1
Bootloader 1 version: 3.0.1
WX-4400 Board Revision: 2.
WX-4400 Controller Revision: 5.
WXA30001.Rel BOOT Index: BOOT TYPE: DEVICE: FILENAME: FLAGS: OPTIONS:
Examples — The following command displays the current setting of the poweron test flag:

boot> test
The diagnostic execution flag is not set.

See Also
  boot on page 593

version
Displays version information for a WX switch’s hardware and boot code.

Syntax — version
Defaults — None.
Access — Boot prompt.
History — Introduced in MSS Version 3.0.
Usage — This command does not list the system image file versions installed in the boot partitions.
A OBTAINING SUPPORT FOR YOUR PRODUCT

Register Your Product
Warranty and other service benefits start from the date of purchase, so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you. Warranty and other service benefits are enabled through product registration. Register your product at http://eSupport.3com.com/. 3Com eSupport services are based on accounts that you create or have authorization to access.
Troubleshoot Online
You will find support tools posted on the 3Com web site at http://www.3com.com/

3Com Knowledgebase helps you troubleshoot 3Com products. This query-based interactive tool is located at http://knowledgebase.3com.com and contains thousands of technical solutions written by 3Com support engineers.
To send a product directly to 3Com for repair, you must first obtain a return authorization number (RMA). Products sent to 3Com, without authorization numbers clearly marked on the outside of the package, will be returned to the sender unopened, at the sender’s expense. If your product is registered and under warranty, you can obtain an RMA number online at http://eSupport.3com.com/. First time users will need to apply for a user name and password.
Country       Telephone Number
Austria       01 7956 7124
Belgium       070 700 770
Denmark       7010 7289
Finland       01080 2783
France        0825 809 622
Germany       01805 404 747
Hungary       06800 12813
Ireland       1407 3387
Israel        1800 945 3794
Italy         199 161346

Country       Telephone Number
Luxembourg
Netherlands
Norway
Poland
Portugal
South Africa
Spain
Sweden
Switzerland
U.K.