Part No.
Copyright © 2007-2008 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply. 4.
Exclusive Remedy Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel.
END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
(d) Nortel may provide updates, corrections, enhancements, modifications or bug fixes for the Licensed Materials (“Updates”) to Licensee. Any such Update shall be deemed part of the Licensed Materials and subject to the license and all other terms and conditions hereunder. (e) Nortel shall have the right to inspect and audit Licensee’s use, deployment, and exploitation of the Licensed Materials for compliance with the terms and conditions of this Agreement.
that is not covered by the above provisions shall be deemed “technical data-commercial items” pursuant to DFAR section 227.7015(a). Any use, modification, reproduction, release, performance, display or disclosure of such technical data shall be governed by the terms of DFAR section 227.7015(b). 8. Limitation of Liability.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
NN47250-100 (Version 02.
How to get help, page 3
Introducing the Nortel WLAN 2300 System, page 5
  Nortel WLAN 2300 System, page 5
  Documentation, page 6
  Safety and Advisory Notices
IP Services Commands, page 97
AAA Commands, page 165
Mobility Domain Commands, page 217
Network Domain Commands, page 225
AP Commands, page 233
STP Commands
How to get help
This section explains how to get help for Nortel products and services.

Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Introducing the Nortel WLAN 2300 System
  Nortel WLAN 2300 System, page 5
  Documentation, page 6

This command reference explains WLAN Security Switch 2300 Series (WSS Software) command line interface (CLI) commands that you enter on a WLAN—Security Switch to configure and manage the Nortel WLAN 2300 System wireless LAN (WLAN).
Documentation
Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 System.

Planning, Configuration, and Deployment
• Nortel WLAN Management Software 2300 Series User Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite.

Safety and Advisory Notices
The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.

Text and Syntax Conventions
Nortel manuals use the following text and syntax conventions:
Convention: Use
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
Using the Command-Line Interface
  CLI Conventions, page 9
  Command-Line Editing, page 15
  Using CLI Help, page 16
  Understanding Command Descriptions
Command Prompts
By default, the WSS Software CLI provides the following prompt for restricted users. The mm portion shows the WSS model number (for example, 2360) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.

Syntax Notation
The WSS Software CLI uses standard syntax notation:
• Bold monospace font identifies the command and keywords you must type. For example:
• Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter.

MAC Address Notation
WSS Software displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
• You can exclude leading zeros when typing a MAC address. WSS Software displays of MAC addresses include all leading zeros.
number of characters up to, but not including, a delimiter character in the wildcard. Valid user wildcard delimiter characters are the at (@) sign and the period (.). For example, the following wildcards identify the following users:
User Wildcard: User(s) Designated
jose@example.com: User jose at example.com
*@example.com: All users at example.com whose usernames do not contain periods—for example, jose@example.com and tamara@example.com, but not nin.wong@example.
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the wildcard, use the single-asterisk (*) wildcard. Valid VLAN wildcard delimiter characters are the at (@) sign and the period (.). For example, the VLAN wildcard bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
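The user and VLAN wildcard rules above can be checked offline before a rule is committed to a switch. The following is an added example, not code from the Nortel manual or WSS Software: a Python matcher that applies the single-asterisk and double-asterisk rules as this page states them and reports which names a wildcard leaves unselected. The function names, the sample name lists, the `*.*@example.com` and bare `*` patterns, and the treatment of `*` as able to match an empty run are assumptions.

```python
import re

DELIMITERS = "@."  # wildcard delimiter characters named on the page


def wildcard_to_regex(pattern):
    """Translate a WSS-style user or VLAN wildcard into a compiled regex.

    Rules taken from the page:
      **  on its own matches every name
      *   matches characters up to, but not including, a delimiter
    Assumptions (not stated on the page): '*' may match an empty run,
    and every other character is literal and case-sensitive.
    """
    if pattern == "**":
        return re.compile(r".*", re.DOTALL)
    stop_class = "[^" + re.escape(DELIMITERS) + "]*"
    pieces = [stop_class if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("".join(pieces))


def matches(pattern, name):
    """True when the whole name is selected by the wildcard."""
    return wildcard_to_regex(pattern).fullmatch(name) is not None


def coverage(patterns, names):
    """Return ({pattern: [matched names]}, [names no pattern selects])."""
    selected = {p: [n for n in names if matches(p, n)] for p in patterns}
    covered = {n for hits in selected.values() for n in hits}
    uncovered = [n for n in names if n not in covered]
    return selected, uncovered


# Constructed sample data modelled on the names used in the page's examples.
USERS = ["jose@example.com", "tamara@example.com", "nin.wong@example.com"]
VLANS = ["bldg4.security", "bldg4.hr", "bldg5.hr", "default"]

if __name__ == "__main__":
    for label, patterns, names in (
        ("user", ["*@example.com", "*.*@example.com", "**"], USERS),
        ("vlan", ["bldg4.*", "*"], VLANS),
    ):
        selected, uncovered = coverage(patterns, names)
        for pattern, hits in selected.items():
            print(f"{label} wildcard {pattern!r} selects {hits}")
        print(f"{label} names selected by no wildcard: {uncovered}")
```

Running `coverage` with only `*@example.com` shows the dotted username falling outside the rule, which is the gap to look for when a wildcard is used to scope authentication or authorization.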
Command-Line Editing
WSS Software editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts
The following table lists the keyboard shortcuts for entering and editing CLI commands:
Keyboard Shortcut(s): Function
Ctrl+A: Jumps to the first character of the command line.
Ctrl+B or Left Arrow key: Moves the cursor back one character.
Ctrl+C: Escapes and terminates prompts and tasks.
Ctrl+D: Deletes the character at the cursor.

Tabs
The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters. For example:
    WSS# show i
    ifm        Show interfaces maintained by the interface manager
    igmp       Show igmp information
    interface  Show interfaces
    ip         Show ip information

Single-Asterisk (*) Wildcard Character
You can use the single-asterisk (*) wildcard character in wildcarding.

To see a subset of the online help, type the command for which you want more information. For example, to display all the commands that begin with the letter i, type the following command:
    WSS# show i?
    ifm        Show interfaces maintained by the interface manager
    igmp       Show igmp information
    interface  Show interfaces
    ip         Show ip information
To see all the variations, type one of the commands followed by a question mark (?).
Access Commands
Use access commands to control access to the WLAN Security Switch 2300 Series (WSS Software) CLI. This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter based on their use.

Access Privileges
  enable on page 19
  set enablepass on page 20
  disable on page 19
  quit on page 20

disable
Changes the CLI session from enabled mode to restricted access.
Syntax disable
Defaults None.
Access Enabled.
See Also
• set enablepass on page 20
• set confirm on page 60

quit
Exit from the CLI session.
Syntax quit
Defaults None.
Access All.
Examples To end the administrator’s session, type the following command:
    WSS> quit

set enablepass
Sets the password that provides enabled access (for configuration and monitoring) to the WSS.
Note. The enable password is case-sensitive.
Syntax set enablepass
Defaults None.
Access Enabled.
Usage After typing the set enablepass command, press Enter.

See Also
• disable on page 19
• enable on page 19

Nortel WLAN—Security Switch 2300 Series Command Line Reference
Port Commands
Use port commands to configure and manage individual ports and load-sharing port groups. This chapter presents port commands alphabetically. Use the following table to locate commands in this chapter based on their use.
  show port mirror on page 49
  clear port mirror on page 26
Statistics
  show port counters on page 46
  monitor port counters on page 28
  clear port counters on page 24

clear ap
Caution! When you clear an AP, WSS Software ends user sessions that are using the AP.
Removes an AP.
Syntax clear ap ap-num
  ap-num: Number of the AP(s) you want to remove.
Defaults None.
Access Enabled.
Examples The following command clears AP 1:
    WSS# clear ap 1
    This will clear specified AP devices.
See Also
• monitor port counters on page 28
• show port counters on page 46

clear port-group
Removes a port group.
Syntax clear port-group name name
  name name: Name of the port group.
Defaults None.
Access Enabled.
Examples The following command clears port group server1:
    WSS# clear port-group name server1
    success: change accepted.

See Also
• set port media-type on page 36
• show port media-type on page 48

clear port mirror
Removes a port mirroring configuration.
Syntax clear port mirror
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.1.
Examples The following command clears the port mirroring configuration from the switch:
    WSS# clear port mirror
See Also
• set port mirror on page 37
• show port mirror on page 49

clear port name
Removes the name assigned to a port.

clear port type
Caution! When you clear a port, WSS Software ends user sessions that are using the port.
Removes all configuration settings from a port and resets the port as a network port.
Syntax clear port type port-list
  port-list: List of physical ports. WSS Software resets and removes the configuration from all the specified ports.
Defaults The cleared port becomes a network port but is not placed in any VLANs.
Access Enabled.

Examples The following command clears port 5:
    WSS# clear port type 5
    This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
    success: change accepted.
See Also
• set port type ap on page 41
• set port type wired-auth on page 44

monitor port counters
Displays and continually updates port statistics.
Table 2: Key Controls for Monitor Port Counters Display
Key: Effect on Monitor Display
Spacebar: Advances to the next statistic type.
Esc: Exits the monitor. WSS Software stops displaying the statistics and displays a new command prompt.
c: Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.

For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors.

Table 3 describes the port statistics displayed by each statistics option. The Port and Status fields are displayed for each option.

Table 3: Output for monitor port counters
Statistics Option, Field: Description
Displayed for All Options
  Port: Port the statistics are displayed for.
  Status: Port status. The status can be Up or Down.
  Rx Octets: Total number of octets received by the port. This number includes octets received in frames that contained errors.

Table 3: Output for monitor port counters (continued)
transmit-errors
  Tx Crc: Number of frames transmitted by the port that had the correct length but contained an invalid FCS value.
  Tx Short: Number of frames transmitted by the port that were fewer than 64 bytes long.
  Tx Fragment: Total number of frames transmitted that were less than 64 octets long and had invalid CRCs.
  Tx Abort: Total number of frames that had a link pointer parity error.

Table 3: Output for monitor port counters (continued)
transmit-etherstats
  Tx 64: Number of packets transmitted that were 64 bytes long.
  Tx 127: Number of packets transmitted that were from 65 through 127 bytes long.
  Tx 255: Number of packets transmitted that were from 128 through 255 bytes long.
  Tx 511: Number of packets transmitted that were from 256 through 511 bytes long.
See Also set port on page 35

set ap
Configures an AP for an AP that is indirectly connected to the WSS through an intermediate Layer 2 or Layer 3 network.
Note. Before configuring an AP, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WSS. See set system countrycode on page 63.
Note. For a complete listing of the models in the WLAN Series 2332 and their respective countries of operation, please visit the Nortel Support website.
  ap-num: Number for the AP. The range of valid connection numbers depends on the WSS model:
    • 2382—1 to 320
    • 2380—1 to 300
    • 2360/61—1 to 30
    • 2350—1 to 8
  serial-id serial-ID: AP serial ID. The serial ID is listed on the AP case. To display the serial ID using the CLI, use the show version details command.
  model {2330 | 2330A | 2330B | 2332-A1: AP model.
The following command removes AP 1:
    WSS# clear ap 1
    This will clear specified AP devices. Would you like to continue? (y/n) [n]y
See Also
• clear ap on page 24
• clear port type on page 27
• set port type ap on page 41
• set system countrycode on page 63

set port
Administratively disables or reenables a port.
Syntax set port {enable | disable} port-list
  enable: Enables the specified ports.
  disable: Disables the specified ports.
  port-list: List of physical ports.

Syntax set port-group name group-name port-list mode {on | off}
  name group-name: Alphanumeric string of up to 255 characters, with no spaces.
  port-list: List of physical ports. All the ports you specify are configured together as a single logical link.
  mode {on | off}: State of the group. Use on to enable the group or off to disable the group. The group is enabled by default.
Defaults Once configured, a group is enabled by default.
Access Enabled.

Syntax set port media-type port-list rj45
  port-list: List of physical ports. WSS Software sets the preference on all the specified ports.
  rj45: Uses the copper interface.
Defaults The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Usage This command applies only to the 2380.

Examples The following command sets port 2 to monitor port 1’s traffic:
    WSS# set port 1 observer 2
See Also
• clear port mirror on page 26
• show port mirror on page 49

set port name
Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands.
Syntax set port port name name
  port: Number of a physical port. You can specify only one port.
  name name: Alphanumeric string of up to 16 characters, with no spaces.
Defaults None.
Access Enabled.

set port negotiation
Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.
Syntax set port negotiation port-list {enable | disable}
  port-list: List of physical ports. WSS Software disables or reenables autonegotiation on all the specified ports.
  enable: Enables autonegotiation on the specified ports.
  disable: Disables autonegotiation on the specified ports.
Defaults Autonegotiation is enabled on all Ethernet ports by default.
Access Enabled.

Defaults PoE is disabled on network and wired authentication ports. The state on AP ports depends on whether you enabled or disabled PoE when setting the port type. See set port type ap on page 41.
Access Enabled.
Usage This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the 2360 and 2382 switch.

packets sent to a WSS port in such a configuration can cause forwarding on the link to stop.
Do not set the port speed of a gigabit port to auto. Although the CLI allows this setting, it is invalid. If you set the port speed of a gigabit port to auto, the link will stop working.
Note. Before configuring a port as an AP port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WSS. See set system countrycode on page 63.
Note. For Series 2332 access points, be sure the system country code is supported for the selected access point model.
Note. For an AP that is indirectly connected to the WSS through an intermediate Layer 2 or Layer 3 network, use the set ap command to configure an AP.
Note.

Defaults All WSS ports are network ports by default. Model AP-2330, AP-2330A, AP-2330B, and Series 2332 APs have two radios. On two-radio models, one radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.

To manage an AP on a switch model that does not have 10/100 Ethernet ports, use the set ap command to configure an AP connection on the switch.
Examples The following commands set port 2 for AP model 2330, enable PoE on the port, and specify external antenna model 24453 for the 802.11b/g radio:
    WSS# set port type ap 2 model 2330 poe enable
    This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
    success: change accepted.
Syntax set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none | web-portal}]
  port-list: List of physical ports.
  tag-list: One or more numbers between 1 and 4094 that subdivide a wired authentication port into virtual ports.
  num: Maximum number of simultaneous user sessions supported.
  last-resort: Automatically authenticates the user, without requiring a username and password.

For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not block forwarding of packets from the client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator’s MAC address until the client is authenticated.

Usage You can specify one statistic type with the command.
Examples The following command shows octet statistics for port 3:
    WSS> show port counters octets port 3
    Port  Status  Rx Octets  Tx Octets
    =============================================================================
    3     Up      27965420   34886544
This command’s output has the same fields as the monitor port counters command. For descriptions of the fields, see Table 3 on page 30.

See Also
• clear port-group on page 25
• set port-group on page 35

show port media-type
Displays the enabled interface types on a 2380 switch’s gigabit Ethernet ports.
Syntax show port media-type [port-list]
  port-list: List of physical ports. WSS Software displays the enabled interface types for all the specified ports.
Defaults None.
Access All.
History Introduced in WSS Software Version 4.0.
Usage This command applies only to the 2380.

show port mirror
Displays the port mirroring configuration.
Syntax show port mirror
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.1.
9 9 10 10 11 11 12 12 13 13 14 14 15 15 16 16 17 17 18 18 19 19 20 20 21 21 22 22 up up down down down down down down down down down down down down AP - enabled 1.44 disabled off disabled off disabled off disabled off disabled off disabled off disabled off disabled off disabled off disabled off disabled off disabled invalid disabled invalid

Table 8 describes the fields in this display.

Table 8: Output for show port poe
Field: Description
Port: Port number.
Name: Port name.
show port status
Displays configuration and status information for ports.
Syntax show port status [port-list]
  port-list: List of physical ports. If you do not specify a port list, information is displayed for all ports.
Defaults None.
Access All.

Table 9: Output for show port status (continued)
Field: Description
Admin: Administrative status of the port:
  • up—The port is enabled.
  • down—The port is disabled.
Oper: Operational status of the port:
  • up—The port is operational.
  • down—The port is not operational.
Config: Port speed configured on the port:
  • 10—10 Mbps.
  • 100—100 Mbps.
  • 1000—1000 Mbps.
  • auto—The port sets its own speed.
Actual: Speed and operating mode in effect on the port.
Type
System Services Commands
Use system services commands to configure and monitor system information for a WLAN—Security Switch (WSS). This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
  show licenses on page 67
Technical Support
  show tech-support on page 70

clear banner motd
Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the WSS.
Syntax clear banner motd
Defaults None.
Access Enabled.
Examples To clear a banner, type the following command:
    WSS# clear banner motd
    success: change accepted
Note.

clear prompt
Resets the system prompt to its previously configured value. If the prompt was not configured previously, this command resets the prompt to its default.
Syntax clear prompt
Defaults None.
Access Enabled.
Examples To reset the prompt, type the following command:
    wildebeest# clear prompt
    success: change accepted.
    WSS#
See Also set prompt on page 62. (For information about default prompts, see “Command Prompts” on page 10.

Examples To clear the location of the WSS, type the following command:
    WSS# clear system location
    success: change accepted.
See Also
• set system contact on page 62
• set system countrycode on page 63
• set system idle-timeout on page 64
• set system ip-address on page 65
• set system location on page 65
• show config on page 553
• show system on page 68

help
Displays a list of commands that can be used to configure and monitor the WSS.
Syntax help
Defaults None.

    traceroute Print the route packets take to network host
See Also “Using CLI Help” on page 16

history
Displays the command history buffer for the current CLI session.
Syntax history
Defaults None.
Access All.

Syntax set auto-config {enable | disable}
  enable: Enables the switch to contact a WLAN Management Software server to request a configuration.
  disable: Disables the auto-config option.
Defaults The auto-config option is automatically enabled on an unconfigured 2350 when the factory reset switch is pressed during power on. However, auto-config is disabled by default on other models.
Access Enabled.
History Introduced in WSS Software Version 4.0.
1 Configure a VLAN:
    2360# set vlan 1 port 7
    success: change accepted.
2 Enable the DHCP client on VLAN 1:
    WSS# set interface 1 ip dhcp-client enable
    success: change accepted.
3 Enable the auto-config option:
    WSS# set auto-config enable
    success: change accepted.
4 Save the configuration changes:
    WSS# save config
    success: configuration saved.

• Number sign (#)
• Question mark (?)
• Single quotation mark (')
Examples To create a banner that says Update meeting at 3 p.m., type the following command:
    WSS# set banner motd ^Update meeting at 3 p.m.^
    success: change accepted.
See Also
• clear banner motd on page 54
• show banner motd on page 67

set confirm
Enables or disables the display of confirmation messages for commands that might have a large impact on the network.

Syntax set length number-of-lines
  number-of-lines: Number of lines of text to display between paging prompts. You can specify from 0 to 512. The 0 value disables the paging prompt action entirely.
Defaults WSS Software displays 24 lines by default.
Access All.
Usage Use this command if the output of a CLI command is greater than the number of lines allowed by default for a terminal type.

See Also show licenses on page 67

set prompt
Changes the CLI prompt for the WSS to a string you specify.
Syntax set prompt string
  string: Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
Defaults The factory default for the WSS name is WSS-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits of the 12-digit system MAC address.
Access Enabled.
Examples The following command sets the system contact information to tamara@example.com:
    23x0#set system contact tamara@example.com
    success: change accepted.
See Also
• clear system on page 55
• set system location on page 65
• set system name on page 66
• show system on page 68

set system countrycode
Defines the country-specific IEEE 802.11 regulations to enforce on the WSS.

See Also show config on page 553
Note. For Series 2332 access points, be sure the system country code is supported for the selected access point model.

set system idle-timeout
Specifies the maximum number of seconds a CLI management session with the switch can remain idle before WSS Software terminates the session.
Syntax set system idle-timeout seconds
  seconds: Number of seconds a CLI management session can remain idle before WSS Software terminates the session.

set system ip-address
Sets the system IP address so that it can be used by various services in the WSS.
Caution! Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.
Syntax set system ip-address ip-addr
  ip-addr: IP address, in dotted decimal notation.
Defaults None.
Access Enabled.
Examples The following command sets the IP address of the WSS to 192.168.253.

See Also
• clear system on page 55
• set system contact on page 62
• set system name on page 66
• show system on page 68

set system name
Changes the name of the WSS from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.
Syntax set system name string
  string: Alphanumeric string up to 256 characters long, with no blank spaces. WLAN Management Software requires unique WSS names.

show banner motd
Shows the banner that was configured with the set banner motd command.
Syntax show banner motd
Defaults None.
Access Enabled.
Examples To display the banner with the message of the day, type the following command:
    WSS# show banner motd
    hello world
See Also
• clear banner motd on page 54

show licenses
Displays information about the license key(s) currently installed on a 2380 or 2382 switch.
Syntax show licenses
Defaults None.
Access All.
See Also show system on page 68

show system
Displays system information.
Syntax show system
Defaults None.
Access Enabled.
History
  Version 4.0: License field removed. To display license information, use the show license command.

Table 1: show system output
Field: Description
Product Name: WSS model number.
System Name: System name (factory default, or optionally configured with set system name).
System Countrycode: Country-specific 802.11 code required for AP operation (configured with set system countrycode).
System Location: Record of WSS’s physical location (optionally configured with set system location).

Table 1: show system output (continued)
Field: Description
PSU Status: Status of the lower and upper power supply units:
  • missing—Power supply is not installed or is inoperable.
  • DC ok—Power supply is producing DC power.
  • DC output failure—Power supply is not producing DC power. WSS Software sends an alert to the system log every 5 minutes until this condition is corrected.
  • AC ok—Power supply is receiving AC power.
  • AC not present—Power supply is not receiving AC power.

Usage Enter this command before calling the Nortel Enterprise Technical Support (NETS). See “How to get help” on page 3 for more information.
VLAN Commands
Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain. This chapter presents VLAN commands alphabetically. Use the following table to locate commands in this chapter based on their use.
VLAN Commands clear fdb Deletes an entry from the forwarding database (FDB). Syntax clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value] perm Clears permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. You must specify a VLAN name or number with this option. static Clears static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
clear security l2-restrict
Removes one or more MAC addresses from the list of destination MAC addresses to which clients in a VLAN are allowed to send traffic at Layer 2.
Syntax clear security l2-restrict vlan vlan-id [permit-mac mac-addr [mac-addr] | all]
    vlan-id                           VLAN name or number.
    permit-mac mac-addr [mac-addr]    List of MAC addresses. WSS Software no longer allows clients in the VLAN to send traffic to the MAC addresses at Layer 2.
    all                               Removes all MAC addresses from the list.
Defaults If you do not specify a VLAN or all, counters for all VLANs are cleared.
Access Enabled.
History Introduced in WSS Software Version 4.1.
Usage To clear MAC addresses from the list of addresses to which clients are allowed to send data, use the clear security l2-restrict command instead.
Examples The following command clears Layer 2 forwarding restriction statistics for VLAN abc_air:
    WSS# clear security l2-restrict counters vlan abc_air
    success: change accepted.
Examples The following command removes port 1 from VLAN green:
    WSS# clear vlan green port 1
    This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
    success: change accepted.
The following command removes port 4, which uses tag value 69, from VLAN red:
    WSS# clear vlan red port 4 tag 69
    This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
    success: change accepted.
Examples The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on ports 3 and 5 in VLAN blue:
    WSS# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue
    success: change accepted.
The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN:
    WSS# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
    success: change accepted.
Syntax set security l2-restrict vlan vlan-id [mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
    vlan-id                           VLAN name or number.
    mode {enable | disable}           Enables or disables restriction of Layer 2 forwarding.
    permit-mac mac-addr [mac-addr]    MAC addresses to which clients are allowed to forward data at Layer 2. You can specify up to four addresses.
Defaults Layer 2 restriction is disabled by default.
Access Enabled.
History Introduced in WSS Software Version 4.1.
Nortel recommends that you do not use the name default. This name is already used for VLAN 1. Nortel also recommends that you do not rename the default VLAN. You cannot use numbers in the VLAN name. Nortel recommends that you do not use the same name with different capitalizations for VLANs. For example, do not configure two separate VLANs with the names red and RED. VLAN names are case-sensitive for RADIUS authorization when a client roams to a WSS.
The following command adds port 16 to VLAN beige and assigns tag value 86 to the port:
    WSS# set vlan beige port 16 tag 86
    success: change accepted.
See Also
• clear vlan on page 76
• set vlan name on page 79
• show vlan config on page 89

set vlan tunnel-affinity
Changes a WSS’s preferability within a mobility domain for tunneling user traffic for a VLAN.
    mac-addr-wildcard    A single MAC address or set of MAC addresses. Specify a MAC address, or use the wildcard character (*) to specify a set of MAC addresses. (For details, see “MAC Address Wildcards” on page 13.)
    vlan vlan-id         Name or number of a VLAN for which to display entries.
    perm                 Displays permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
    static               Displays static entries.
Table 1: Output for show fdb
Field                 Description
VLAN                  VLAN number.
TAG                   VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des    MAC address of this forwarding entry’s destination.
CoS                   Type of entry. The entry types are explained in the first row of the command output. Note: This Class of Service (CoS) value is not associated with WSS Software quality of service (QoS) features.
Destination Ports     WSS port associated with the entry.
See Also set fdb agingtime on page 78

show fdb count
Lists the number of entries in the forwarding database.
Syntax show fdb count {perm | static | dynamic} [vlan vlan-id]
    perm      Lists the number of permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
    static    Lists the number of static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
Usage The output displays roaming stations within the previous 1 second.
Examples To display all stations roaming to the WSS, type the following command:
    WSS# show roaming station
    User Name              Station Address   VLAN            State
    ---------------------- ----------------- --------------- ----
    redsqa                 10.10.10.5        violet          Up
Table 12 describes the fields in the display.
Table 2: Output for show roaming station
Field        Description
User Name    Name of the user. This is the name used for authentication.
Syntax show roaming vlan
Defaults None.
Access Enabled.
Examples The following command shows the current roaming VLANs:
    WSS# show roaming vlan
    VLAN             WSS             Affinity
    ---------------- --------------- -------
    vlan-cs          192.168.14.2    5
    vlan-eng         192.168.14.4    5
    vlan-fin         192.168.14.2    5
    vlan-it          192.168.14.4    5
    vlan-it          192.168.14.2    5
    vlan-pm          192.168.14.2    5
    vlan-sm          192.168.14.2    5
    vlan-tp          192.168.14.4    5
    vlan-tp          192.168.14.2    5
Table 13 describes the fields in the display.
Table 3: Output for show roaming vlan
Field    Description
VLAN     VLAN name.
WSS      System IP address of the WSS on which the VLAN is configured.
Examples The following command shows Layer 2 forwarding restriction information for all VLANs:
    WSS# show security l2-restrict
    VLAN Name             En Drops      Permit MAC          Hits
    ---- ---------------- -- ---------- ------------------- --------------------
    1    default          Y  0          00:0b:0e:02:53:3e   5947
                                        00:30:b6:3e:5c:a8   9
    2    vlan-2           Y  0          04:04:04:04:04:04   0
Table 14 describes the fields in the display.
Table 4: Output for show security l2-restrict
Field    Description
VLAN     VLAN number.
Name     VLAN name.
Examples To display all tunnels from a WSS to other switches in the Mobility Domain, type the following command.
    WSS# show tunnel
    VLAN            Local Address   Remote Address  State   Port  LVID  RVID
    --------------- --------------- --------------- ------- ----- ----- ----
    vlan-eng        192.168.14.2    192.168.14.4    DORMANT 1024  4096  130
Table 15 describes the fields in the display.
Table 5: Output for show tunnel
Field            Description
VLAN             VLAN name.
Local Address    IP address of the local end of the tunnel.
    WSS# show vlan config burgundy
                          Admin  VLAN  Tunl                         Port
    VLAN Name             Status State Affin Port             Tag   State
    ---- ---------------- ------ ----- ----- ---------------- ----- -----------------
    2    burgundy         Up     Up    5
                                             2                none  Up
                                             3                none  Up
                                             4                none  Up
                                             6                none  Up
                                             11               none  Up
                                             t:10.10.40.4     none  Up
Table 16 describes the fields in this display.
Table 6: Output for show vlan config
Field           Description
VLAN            VLAN number.
Name            VLAN name.
Admin Status    Administrative status of the VLAN:
                • Down—The VLAN is disabled.
See Also
• clear vlan on page 76
• set vlan name on page 79
• set vlan port on page 80
• set vlan tunnel-affinity on page 81

Nortel WLAN—Security Switch 2300 Series Command Line Reference
Quality of Service Commands
Use Quality of Service (QoS) commands to configure packet prioritization in WSS Software. Packet prioritization ensures that WSSs and APs give preferential treatment to high-priority traffic such as voice and video. (To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See Chapter , “Security ACL Commands,” on page 449.) This chapter presents QoS commands alphabetically.
Examples The following command resets all QoS mappings:
    WSS# clear qos
    success: change accepted.
The following command resets the mapping used to classify packets with DSCP value 44:
    WSS# clear qos dscp-to-qos-map 44
    success: change accepted.

set qos cos-to-dscp-map
Changes the value to which WSS Software maps an internal QoS value when marking outbound packets.
Syntax set qos cos-to-dscp-map level dscp dscp-value
    level    Internal CoS value.
set qos dscp-to-cos-map
Changes the internal QoS value to which WSS Software maps a packet’s DSCP value when classifying inbound packets.
Syntax set qos dscp-to-cos-map dscp-range cos level
    dscp-range    DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40-56. Specify the lower number first.
    cos level     Internal QoS value. You can specify a number from 0 to 7.
    Ingress QoS Classification Map (dscp-to-cos)
    Ingress DSCP    CoS Level
    ===============================================================================
    00-09           0 0 0 0 0 0 0 0 1 1
    10-19           1 1 1 1 1 1 2 2 2 2
    20-29           2 2 2 2 3 3 3 3 3 3
    30-39           3 3 4 4 4 4 4 4 4 4
    40-49           5 5 5 5 5 5 5 5 6 6
    50-59           6 6 6 6 6 6 7 7 7 7
    60-63           7 7 7 7
    Egress QoS Marking Map (cos-to-dscp)
    CoS Level       0 1 2 3 4 5 6 7
    ===============================================================================
    Egress DSCP     0 8 16
IP Services Commands
Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), and aliases, and to ping a host or trace a route. This chapter presents IP services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Time and Date
    set timedate on page 142
    set timezone on page 143
    set summertime on page 140
    show timedate on page 161
    show timezone on page 161
    show summertime on page 160
    clear timezone on page 106
    clear summertime on page 105
NTP
    set ntp on page 121
    set ntp server on page 122
    set ntp update-interval on page 122
    show ntp on page 156
    clear ntp server on page 102
    clear ntp update-interval on page 103
ARP
    set arp on page 108
    set arp agingtime on page 109
    show arp on page 144
SNM
    clear snmp community on page 103
    clear snmp usm on page 105
    clear snmp notify profile on page 104
    clear snmp notify target on page 104
Ping
    ping on page 107
Telnet client
    telnet on page 162
Traceroute
    traceroute on page 163
DHCP server
    set interface dhcp-server on page 111
    show dhcp-server on page 147

clear interface
Removes an IP interface.
Syntax clear interface vlan-id ip
    vlan-id    VLAN name or number.
Defaults None.
Access Enabled.
clear ip alias
Removes an alias, which is a string that represents an IP address.
Syntax clear ip alias name
    name    Alias name.
Defaults None.
Access Enabled.
Examples The following command removes the alias server1:
    WSS# clear ip alias server1
    success: change accepted.
See Also
• set ip alias on page 113
• show ip alias on page 150

clear ip dns domain
Removes the default DNS domain name.
Syntax clear ip dns domain
Defaults None.
Access Enabled.
clear ip dns server
Removes a DNS server from a WSS configuration.
Syntax clear ip dns server ip-addr
    ip-addr    IP address of a DNS server.
Defaults None.
Access Enabled.
Examples The following command removes DNS server 10.10.10.69 from a WSS’s configuration:
    WSS# clear ip dns server 10.10.10.69
    success: change accepted.
See Also
• set ip route on page 116
• show ip route on page 153

clear ip telnet
Resets the Telnet server’s TCP port number to its default value. A WSS listens for Telnet management traffic on the Telnet server port.
Syntax clear ip telnet
Defaults The default Telnet port number is 23.
Access Enabled.
Examples The following command resets the TCP port number for Telnet management traffic to its default:
    WSS# clear ip telnet
    success: change accepted.
• set ntp on page 121
• set ntp server on page 122
• set ntp update-interval on page 122
• show ntp on page 156

clear ntp update-interval
Resets the NTP update interval to the default value.
Syntax clear ntp update-interval
Defaults The default NTP update interval is 64 seconds.
Access Enabled.
Examples To reset the NTP interval to the default value, type the following command:
    WSS# clear ntp update-interval
    success: change accepted.
See Also
• set snmp community on page 123
• show snmp community on page 158

clear snmp notify profile
Clears an SNMP notification profile.
Syntax clear snmp notify profile profile-name
    profile-name    Name of the notification profile you are clearing.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
See Also
• set snmp notify target on page 131
• show snmp notify target on page 159

clear snmp usm
Clears an SNMPv3 user.
Syntax clear snmp usm usm-username
    usm-username    Name of the SNMPv3 user you want to clear.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Examples The following command clears SNMPv3 user snmpmgr1:
    WSS# clear snmp usm snmpmgr1
    success: change accepted.
• show timedate on page 161
• show timezone on page 161

clear system ip-address
Clears the system IP address.
Caution! Clearing the system IP address disrupts the system tasks that use the address.
Syntax clear system ip-address
Defaults None.
Access Enabled.
See Also
• clear summertime on page 105
• set summertime on page 140
• set timedate on page 142
• set timezone on page 143
• show summertime on page 160
• show timedate on page 161
• show timezone on page 161

ping
Tests IP connectivity between a WSS and another device. WSS Software sends an Internet Control Message Protocol (ICMP) echo packet to the specified device and listens for a reply packet.
• interval—100 (one tenth of a second)
• size—56.
Access Enabled.
Usage To stop a ping command that is in progress, press Ctrl+C. A WSS cannot ping itself. WSS Software does not support this.
Examples The following command pings a device that has IP address 10.1.1.1:
    WSS# ping 10.1.1.1
    PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
    64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
    64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.
See Also
• set arp agingtime on page 109
• show arp on page 144

set arp agingtime
Changes the aging timeout for dynamic ARP entries.
Syntax set arp agingtime seconds
    seconds    Number of seconds an entry can remain unused before WSS Software removes the entry. You can specify from 0 through 1,000,000. To disable aging, specify 0.
Defaults The default aging timeout is 1200 seconds.
Access Enabled.
Usage Aging applies only to dynamic entries.
Defaults None.
Access Enabled.
Usage You can assign one IP interface to each VLAN. If an interface is already configured on the VLAN you specify, this command replaces the interface.
WSS Software also has a configurable DHCP server. (See set interface dhcp-server on page 111.) You can configure a DHCP client and DHCP server on the same VLAN, but only the client or the server can be enabled. The DHCP client and DHCP server cannot both be enabled on the same VLAN at the same time.
Examples The following command enables the DHCP client on VLAN corpvlan:
    WSS# set interface corpvlan ip dhcp-client enable
    success: change accepted.
Access Enabled.
History
    Version 4.0    Command introduced
    Version 5.0    New options added:
                   • dns-domain
                   • primary-dns and secondary-dns
                   • default-router
Usage By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet.
Defaults IP interfaces are enabled by default.
Access Enabled.
Examples The following command disables the IP interface on VLAN mauve:
    WSS# set interface mauve status down
    success: set interface mauve to down
See Also
• clear interface on page 99
• set interface on page 109
• show interface on page 149

set ip alias
Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI commands.
Access Enabled.
Examples The following command enables DNS on a WSS:
    WSS# set ip dns enable
    Start DNS Client
See Also
• clear ip dns domain on page 100
• clear ip dns server on page 101
• set ip dns domain on page 114
• set ip dns server on page 115
• show ip dns on page 151

set ip dns domain
Configures a default domain name for DNS queries. The WSS appends the default domain name to domain names or hostnames you enter in commands.
set ip dns server
Specifies a DNS server to use for resolving hostnames you enter in CLI commands.
Syntax set ip dns server ip-addr {primary | secondary}
    ip-addr      IP address of a DNS server, in dotted decimal or CIDR notation.
    primary      Makes the server the primary server, which WSS Software always consults first for resolving DNS queries.
    secondary    Makes the server a secondary server. WSS Software consults a secondary server only if the primary server does not reply.
set ip https server
Enables the HTTPS server on a WSS. The HTTPS server is required for Web View access to the switch.
Caution! If you disable the HTTPS server, Web View access to the switch is disabled.
Syntax set ip https server {enable | disable}
    enable     Enables the HTTPS server.
    disable    Disables the HTTPS server.
Defaults The HTTPS server is disabled by default.
Access Enabled.
    default-router    IP address, DNS hostname, or alias of the next-hop router.
    metric            Cost for using the route. You can specify a value from 0 through 2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
Defaults None.
Access Enabled.
Usage WSS Software can use a static route only if a direct route in the route table resolves the static route. WSS Software adds routes with next-hop types Local and Direct when you add an IP interface to a VLAN, if the VLAN is up.
• clear ip route on page 101
• show interface on page 149
• show ip route on page 153

set ip snmp server
Enables or disables the SNMP service on the WSS.
Syntax set ip snmp server {enable | disable}
    enable     Enables the SNMP service.
    disable    Disables the SNMP service.
Defaults The SNMP service is disabled by default.
Access Enabled.
Examples The following command enables the SNMP server on a WSS:
    WSS# set ip snmp server enable
    success: change accepted.
Examples The following command changes the SSH port number on a WSS to 6000:
    WSS# set ip ssh port 6000
    success: change accepted.
See Also
• set ip ssh server on page 119

set ip ssh server
Disables or reenables the SSH server on a WSS.
Caution! If you disable the SSH server, SSH access to the WSS is also disabled.
Syntax set ip ssh server {enable | disable}
    enable    Enables the SSH server.
set ip telnet
Changes the TCP port number on which a WSS listens for Telnet management traffic.
Caution! If you change the Telnet port number from a Telnet session, WSS Software immediately ends the session. To open a new management session, you must Telnet to the switch with the new Telnet port number.
Syntax set ip telnet port-num
    port-num    TCP port number.
Defaults The default Telnet port number is 23.
Access Enabled.
Usage The maximum number of Telnet sessions supported on a WSS is eight. If SSH is also enabled, the switch can have up to eight Telnet or SSH sessions, in any combination, and one console session.
Examples The following command enables the Telnet server on a WSS:
    WSS# set ip telnet server enable
    success: change accepted.
set ntp server
Configures a WSS to use an NTP server.
Syntax set ntp server ip-addr
    ip-addr    IP address of the NTP server, in dotted decimal notation.
Defaults None.
Access Enabled.
Usage You can configure up to three NTP servers. WSS Software queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
See Also
• clear ntp server on page 102
• clear ntp update-interval on page 103
• set ntp on page 121
• set ntp server on page 122
• show ntp on page 156

set snmp community
Configures a community string for SNMPv1 or SNMPv2c.
Note. For SNMPv3, use the set snmp usm command to configure an SNMPv3 user. SNMPv3 does not use community strings.
History
    Version 4.0    Default strings removed. There are no default strings in WSS Software Version 4.0.
                   New access types added for SNMPv3:
                   • read-notify
                   • notify-only
                   • notify-read-write
Usage SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. Nortel recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private.
set snmp notify profile
Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by a switch, and for each notification type, the action to take (drop or send) when an event occurs. You can configure up to ten notification profiles.
    notification-type    Name of the notification type:
    • APBootTraps—Generated when an AP boots.
    • ApNonOperStatusTraps—Generated to indicate an AP radio is nonoperational.
    • ApOperRadioStatusTraps—Generated when the status of an AP radio changes.
    • APTimeoutTraps—Generated when an AP fails to respond to the WSS.
    • AuthenTraps—Generated when the WSS’s SNMP engine receives a bad community string.
    notification-type (cont.)
    • CounterMeasureStopTraps—Generated when WSS Software stops countermeasures against a rogue access point.
    • DAPConnectWarningTraps—Generated when a Distributed AP whose fingerprint has not been configured in WSS Software establishes a management session with the switch.
    • DeviceFailTraps—Generated when an event with an Alert severity occurs.
    • DeviceOkayTraps—Generated when a device returns to its normal state.
    notification-type (cont.)
    • RFDetectDoSPortTraps—Generated when WSS Software detects an associate request flood, reassociate request flood, or disassociate request flood.
    • RFDetectDoSTraps—Generated when WSS Software detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood.
    • RFDetectInterferingRogueAPTraps—Generated when an interfering device is detected.
The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
    success: change accepted.
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
    success: change accepted.
    WSS# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
    success: change accepted.
• show snmp notify profile on page 158
set snmp notify target
Configures a notification target for notifications from SNMP. A notification target is a remote device to which WSS Software sends SNMP notifications. You can configure the WSS Software SNMP engine to send confirmed notifications (informs) or unconfirmed notifications (traps). Some of the command options differ depending on the SNMP version and the type of notification you specify. You can configure up to 10 notification targets.
    retries num    Specifies the number of times the WSS Software SNMP engine will resend a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
    timeout num    Specifies the number of seconds WSS Software waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.
SNMPv2c with Informs
To configure a notification target for informs from SNMPv2c, use the following command:
Syntax set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string inform [profile profile-name] [retries num] [timeout num]
    target-num                    ID for the target. This ID is local to the WSS and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
    ip-addr[:udp-port-number]     IP address of the server.
SNMPv1 with Traps
To configure a notification target for traps from SNMPv1, use the following command:
Syntax set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]
    target-num                    ID for the target. This ID is local to the WSS and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
    ip-addr[:udp-port-number]     IP address of the server.
• set ip snmp server on page 118
• set snmp community on page 123
• set snmp notify profile on page 125
• set snmp protocol on page 135
• set snmp security on page 136
• set snmp usm on page 136
• show snmp notify target on page 159

set snmp protocol
Enables an SNMP protocol. WSS Software supports SNMPv1, SNMPv2c, and SNMPv3.
set snmp security
Sets the minimum level of security WSS Software requires for SNMP message exchanges.
Syntax set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}
    unsecured        SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
    authenticated    SNMP message exchanges are authenticated but are not encrypted.
    encrypted        SNMP message exchanges are authenticated and encrypted.
Syntax set snmp usm usm-username snmp-engine-id {ip ip-addr | local | hex hex-string} access {read-only | read-notify | notify-only | read-write | notify-read-write} auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}
    usm-username    Name of the SNMPv3 user. Specify between 1 and 32 alphanumeric characters, with no spaces.
    access {read-only | read-notify | notify-only | read-write | notify-read-write}
        Specifies the access level of the user:
        • read-only—An SNMP management application using the string can get (read) object values on the switch but cannot set (write) them.
        • read-notify—An SNMP management application using the string can get object values on the switch but cannot set them. The switch can use the string to send notifications.
NN47250-100 (Version 02.51)
    auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string}
        Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
        • none—No authentication is used.
        • md5—Message-digest algorithm 5 is used.
        • sha—Secure Hashing Algorithm (SHA) is used.
        If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
Examples The following command creates USM user snmpmgr1, associated with the local SNMP engine ID. This user can send traps to notification receivers.
    WSS# set snmp usm snmpmgr1 snmp-engine-id local
    success: change accepted.
The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES encryption with passphrases. This user can send informs to the notification receiver that has engine ID 192.168.40.2.
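The following audit script is an added example, not part of the Nortel manual or of WSS Software. It checks a list of commands written in the syntax shown in this chapter (set ip telnet server, set snmp security, set snmp notify target, set snmp usm) for weak management-plane settings. The rule names, the sample configuration, and the decision to treat md5 and des as weak are assumptions of this example; options a command omits are not evaluated because their defaults are not stated here.

```python
"""Audit WSS management-plane commands for weak settings (added example)."""
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line: int    # 1-based line number in the audited text
    rule: str    # rule identifier (names are this example's own)
    detail: str


# The usage note for SNMP community strings names these two as well known.
WELL_KNOWN_COMMUNITIES = {"public", "private"}
# Policy assumed by this example, not stated in the manual.
AUTH_RULES = {"none": "USM_NO_AUTH", "md5": "USM_WEAK_AUTH"}
PRIV_RULES = {"none": "USM_NO_PRIV", "des": "USM_WEAK_PRIV"}

# Constructed sample input: addresses, user names and strings are invented.
SAMPLE_CONFIG = """\
set ip telnet server enable
set ip ssh server enable
set ip https server enable
set snmp security unsecured
set snmp notify target 1 10.10.40.9:162 v2c public inform retries 2 timeout 3
set snmp notify target 2 10.10.40.10 v1 Tr4p-r3ceiver
set snmp usm snmpmgr1 snmp-engine-id local
set snmp usm opsmgr snmp-engine-id local access read-write auth-type md5 auth-pass-phrase examplepass1 encrypt-type none
set snmp usm secmgr snmp-engine-id ip 192.168.40.2 access notify-only auth-type sha auth-pass-phrase examplepass2 encrypt-type aes encrypt-pass-phrase examplepass3
"""


def _option(tokens: List[str], keyword: str, start: int) -> Optional[str]:
    """Return the token that follows keyword, searching from index start."""
    for i in range(start, len(tokens) - 1):
        if tokens[i] == keyword:
            return tokens[i + 1]
    return None


def audit_command(tokens: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for one tokenized command."""
    hits: List[Tuple[str, str]] = []
    if tokens == ["set", "ip", "telnet", "server", "enable"]:
        hits.append(("TELNET_ENABLED",
                     "Telnet management sessions are not encrypted"))
    elif tokens[:3] == ["set", "snmp", "security"] and tokens[3:4] == ["unsecured"]:
        hits.append(("SNMP_UNSECURED",
                     "minimum SNMP security level allows unauthenticated exchanges"))
    elif (tokens[:4] == ["set", "snmp", "notify", "target"]
          and len(tokens) >= 8 and tokens[6] in ("v1", "v2c")):
        # Layout: set snmp notify target <num> <addr> <v1|v2c> <community> ...
        if tokens[7].lower() in WELL_KNOWN_COMMUNITIES:
            hits.append(("WELL_KNOWN_COMMUNITY",
                         f"notify target {tokens[4]} uses a well-known community string"))
    elif tokens[:3] == ["set", "snmp", "usm"] and len(tokens) > 3:
        user = tokens[3]
        auth = _option(tokens, "auth-type", 4)
        priv = _option(tokens, "encrypt-type", 4)
        if auth in AUTH_RULES:
            hits.append((AUTH_RULES[auth], f"user {user}: auth-type {auth}"))
        if priv in PRIV_RULES:
            hits.append((PRIV_RULES[priv], f"user {user}: encrypt-type {priv}"))
    return hits


def audit_config(text: str) -> List[Finding]:
    """Audit every command line in text; a leading 'WSS# ' prompt is ignored."""
    findings: List[Finding] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("WSS# "):
            line = line[len("WSS# "):]
        tokens = line.split()
        if not tokens:
            continue
        for rule, detail in audit_command(tokens):
            findings.append(Finding(number, rule, detail))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```
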
    min    Minute to start or end the time change—a value between 0 and 59.
    end    End of the time change period.
Defaults If you do not specify a start and end time, the system implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in October, according to the North American standard.
Access Enabled.
Access Enabled.
Usage You must use an address that is configured on one of the WSS’s VLANs. To display the system IP address, use the show system command.
Examples The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address:
    WSS# set interface taupe ip 10.10.20.20/24
    success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
    WSS# set system ip-address 10.10.20.20
    success: change accepted.
• clear timezone on page 106
• set summertime on page 140
• set timezone on page 143
• show summertime on page 160
• show timedate on page 161
• show timezone on page 161

set timezone
Sets the number of hours, and optionally the number of minutes, that the WSS’s real-time clock is offset from Coordinated Universal Time (UTC). These values are also used by Network Time Protocol (NTP), if it is enabled.
show arp
Displays the ARP table.
Syntax show arp [ip-addr]
    ip-addr    IP address.
Defaults If you do not specify an IP address, the whole ARP table is displayed.
Access All.
Examples The following command displays ARP entries:
    WSS# show arp
    ARP aging time: 1200 seconds
    Host                           HW Address        VLAN  Type    State
    ------------------------------ ----------------- ----- ------- --------------
    10.5.4.51                      00:0b:0e:02:76:f5 1     DYNAMIC RESOLVED
    10.5.4.
Table 1: Output for show arp (continued)
Field    Description
Type     Entry type:
         • DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
         • LOCAL—Entry for the WSS MAC address. Each VLAN has one local entry for the switch MAC address.
         • PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
         • STATIC—Entry does not age out but is removed after a reboot.
Examples The following command displays DHCP client information:
    WSS# show dhcp-client
    Interface: corpvlan(4)
    Configuration Status: Enabled
    DHCP State: IF_UP
    Lease Allocation: 65535 seconds
    Lease Remaining: 65532 seconds
    IP Address: 10.3.1.110
    Subnet Mask: 255.255.255.0
    Default Gateway: 10.3.1.1
    DHCP Server: 10.3.1.4
    DNS Servers: 10.3.1.29
    DNS Domain Name: mycorp.com
Table 18 describes the fields in this display.
Table 2.
See Also set interface dhcp-client on page 110

show dhcp-server
Displays WSS Software DHCP server information.
Syntax show dhcp-server [interface vlan-id] [verbose]
    interface vlan-id    Displays the IP addresses leased by the specified VLAN.
    verbose              Displays configuration and status information for the WSS Software DHCP server.
Defaults None.
Access All.
History Introduced in WSS Software Version 4.0.
Table 3. Output for show dhcp-server
Field              Description
VLAN               VLAN number.
Name               VLAN name.
Address            IP address leased by the server.
MAC Address        MAC address of the device that holds the lease for the address.
Lease Remaining    Number of seconds remaining before the address lease expires.

Table 4. Output for show dhcp-server verbose
Field        Description
Interface    VLAN name and number.
Table 4. Output for show dhcp-server verbose (continued)
Field              Description
Subnet Mask        Network mask of the IP address leased to the client.
Default Router     Default router IP address included in the DHCP Offer to the client.
DNS Servers        DNS server IP address(es) included in the DHCP Offer to the client.
DNS Domain Name    Default DNS domain name included in the DHCP Offer to the client.
Table 5: Output for show interface
Field      Description
VLAN       VLAN number
Name       VLAN name
Address    IP address
Mask       Subnet mask
Enabled    Administrative state:
           • YES (enabled)
           • NO (disabled)
State      Link state:
           • Up (operational)
           • Down (unavailable)
RIB        Routing Information Base
See Also
• clear interface on page 99
• set interface on page 109
• set interface status on page 112

show ip alias
Displays the IP aliases configured on the WSS.
Table 22 describes the fields in this display.
Table 6: Output for show ip alias
Field | Description
Name | Alias string.
IP Address | IP address associated with the alias.
See Also
• clear ip alias on page 100
• set ip alias on page 113

show ip dns
Displays the DNS servers the WSS is configured to use.
Syntax show ip dns
Defaults None.
Access All.
Examples The following command displays the DNS information:
WSS# show ip dns
Domain Name: example.
Table 7: Output for show ip dns (continued)
Field | Description
IP Address | IP address of the DNS server
Type | Server type:
  • PRIMARY
  • SECONDARY
See Also
• clear ip dns domain on page 100
• clear ip dns server on page 101
• set ip dns on page 113
• set ip dns domain on page 114
• set ip dns server on page 115

show ip https
Displays information about the HTTPS management port.
Syntax show ip https
Defaults None.
Access All.
Table 8: Output for show ip https
Field | Description
HTTPS is enabled/disabled | State of the HTTPS server:
  • Enabled
  • Disabled
HTTPS is set to use port | TCP port number on which the WSS listens for HTTPS connections.
Last 10 connections | List of the last 10 devices to establish connections to the WSS’s HTTPS server.
IP Address | IP address of the device that established the connection.
Usage When you add an IP interface to a VLAN that is up, WSS Software adds direct and local routes for the interface to the route table. If the VLAN is down, WSS Software does not add the routes. If you add an interface to a VLAN but the routes for that interface do not appear in the route table, use the show vlan config command to check the VLAN state.
Table 9: Output for show ip route (continued)
Field | Description
Gateway | Next-hop router for reaching the route destination. Note: This field applies only to static routes.
VLAN:Interface | Destination VLAN, protocol type, and IP address of the route. Because direct routes are for local interfaces, a destination IP address is not listed. The destination for the IP multicast route is MULTICAST.
Table 10: Output for show ip telnet
Field | Description
Server Status | State of the HTTPS server:
  • Enabled
  • Disabled
Port | TCP port number on which the WSS listens for Telnet management traffic.
See Also
• clear ip telnet on page 102
• set ip https server on page 116
• set ip telnet on page 120
• set ip telnet server on page 120
• show ip https on page 152

show ntp
Displays NTP client information.
Syntax show ntp
Defaults None.
Access All.
Table 11: Output for show ntp
Field | Description
NTP client | State of the NTP client. The state can be one of the following:
  • Enabled
  • Disabled
Current update-interval | Number of seconds between queries sent by the WSS to the NTP servers for updates.
Current time | System time that was current on the WSS when you pressed Enter after typing the show ntp command.
Timezone | Time zone configured on the switch.
• set ntp server on page 122
• set summertime on page 140
• set timezone on page 143
• show timezone on page 161

show snmp community
Displays the configured SNMP community strings.
Syntax show snmp community
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
See Also
• clear snmp community on page 103
• set snmp community on page 123

show snmp counters
Displays SNMP statistics counters.
Syntax show snmp counters
Defaults None.
Access Enabled.
show snmp notify target
Displays SNMP notification targets.
Syntax show snmp notify target
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
See Also
• clear snmp notify target on page 104
• set snmp notify target on page 131

show snmp status
Displays SNMP version and status information.
Syntax show snmp status
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
show snmp usm
Displays information about SNMPv3 users.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
See Also
• clear snmp usm on page 105
• show snmp usm on page 160

show summertime
Shows a WSS’s offset from its real-time clock.
Syntax show summertime
Defaults There is no summertime offset by default.
Access All.
show timedate
Shows the date and time of day currently set on a WSS’s real-time clock.
Syntax show timedate
Defaults None.
Access All.
telnet
Opens a Telnet client session with a remote device.
Syntax telnet {ip-addr | hostname} [port port-num]
ip-addr: IP address of the remote device.
hostname: Hostname of the remote device.
port port-num: TCP port number on which the TCP server on the remote device listens for Telnet connections.
Defaults WSS Software attempts to establish Telnet connections with TCP port 23 by default.
Access Enabled.
When the administrator presses Ctrl+t to end the Telnet connection, the management session returns to the local WSS prompt:
WSS-remote> Session 0 pty tty2.d terminated tt name tty2.d
WSS#
See Also
• clear sessions on page 435
• show sessions on page 437

traceroute
Traces the route to an IP host.
Syntax traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]
host: IP address, hostname, or alias of the destination host.
WSS# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms
The first row of the display indicates the target host, the maximum number of hops, and the packet size. Each numbered row displays information about one hop.
AAA Commands
Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local WSS database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see “Security ACL Commands” on page 449.) This chapter presents AAA commands alphabetically.
clear mac-usergroup attr on page 174
clear mac-user group on page 173
clear mac-usergroup on page 174
Web authorization
  set web-portal on page 209
Accounting
  set accounting {admin | console} on page 178
  set accounting {dot1x | mac | web | last-resort} on page 179
  set accounting system on page 181
  show accounting statistics on page 212
  clear accounting on page 166
AAA information
  show aaa on page 210
Mobility Profiles
  set mobility-profile on page 204
  set mobility-profile mode on page
system: Disables sending of Accounting-On and Accounting-Off messages to a RADIUS server, if previously enabled. When this command is entered, an Accounting-Off message is generated and sent to the server or server group specified with the set accounting system command.
user-wildcard: Single user or set of users with administrative access or network access.
Access Enabled.
Note. The syntax descriptions for the clear authentication commands have been separated for clarity. However, the options and behavior for the clear authentication admin command are the same as in previous releases.
Examples The following command clears authentication for administrator Jose:
WSS# clear authentication admin Jose
success: change accepted.
success: change accepted.
See Also
• clear authentication admin on page 167
• clear authentication dot1x on page 169
• clear authentication mac on page 170
• clear authentication web on page 171
• set authentication console on page 183
• show aaa on page 210

clear authentication dot1x
Removes an 802.1X authentication rule.
Syntax clear authentication dot1x {ssid ssid-name | wired} user-wildcard
ssid ssid-name: SSID name to which this authentication rule applies.
clear authentication mac
Removes a MAC authentication rule.
Syntax clear authentication mac {ssid ssid-name | wired} mac-addr-wildcard
ssid ssid-name: SSID name to which this authentication rule applies.
wired: Clears a rule used for access over a WSS’s wired-authentication port.
mac-addr-wildcard: MAC address wildcard associated with the rule you are removing.
Defaults None.
Access Enabled.
See Also
• set authentication proxy on page 190
• show aaa on page 210

clear authentication web
Removes a Web-based AAA rule.
Syntax clear authentication web {ssid ssid-name | wired} user-wildcard
ssid ssid-name: SSID name to which this authentication rule applies.
wired: Clears a rule used for access over a WSS’s wired-authentication port.
user-wildcard: User-wildcard associated with the rule you are removing.
Defaults None.
Access Enabled.
Usage To determine the index numbers of location policy rules, use the show location policy command. Removing all the ACEs from the location policy disables this function on the WSS.
Examples The following command removes location policy rule 4 from a WSS’s location policy:
WSS# clear location policy 4
success: clause 4 is removed.
Syntax clear mac-user mac-addr attr attribute-name
mac-addr: MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
attribute-name: Name of an attribute used to authorize the MAC user for a particular service or session characteristic. (For a list of authorization attributes, see Table 29 on page 198.)
Defaults None.
Access Enabled.
clear mac-usergroup
Removes a user group from the local database on the WSS, for a group of users who are authenticated by a MAC address. (To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.)
Syntax clear mac-usergroup group-name
group-name: Name of an existing MAC user group.
Defaults None.
Access Enabled.
Usage To remove a user from a MAC user group, use the clear mac-user group command.
WSS# clear mac-usergroup eastcoasters attr vlan-name
success: change accepted.
See Also
• clear mac-usergroup on page 174
• set mac-usergroup attr on page 203
• show aaa on page 210

clear mobility-profile
Removes a Mobility Profile entirely.
Syntax clear mobility-profile name
name: Name of an existing Mobility Profile.
Defaults None.
Access Enabled.
Examples The following command removes the Mobility Profile for user Nin:
WSS# clear mobility-profile Nin
success: change accepted.
Examples The following command deletes the user profile for user Nin:
WSS# clear user Nin
success: change accepted.
See Also
• set user on page 206
• show aaa on page 210

clear user attr
Removes an authorization attribute from the user profile in the local database on the WSS, for a user with a password. (To remove an authorization attribute from a RADIUS user profile, see the documentation for your RADIUS server.
clear user group
Removes a user with a password from membership in a user group in the local database on the WSS. (To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax clear user username group
username: Username of a user with a password.
Defaults None.
Access Enabled.
Usage Removing the user from the group removes the group name from the user’s profile, but does not delete either the user or the user group from the local WSS database.
• set usergroup on page 208
• show aaa on page 210

clear usergroup attr
Removes an authorization attribute from a user group in the local database on the WSS. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax clear usergroup group-name attr attribute-name
group-name: Name of an existing user group.
attribute-name: Name of an attribute used to authorize all the users in the group for a particular service or session characteristic.
user-wildcard: Single user or set of users with administrative access or network access. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Wildcards” on page 12.) Note: This option does not apply if mac is specified. For mac, specify a mac-addr-wildcard.
Syntax set accounting {dot1x | mac | web | last-resort} {ssid ssid-name | wired} {user-wildcard | mac-addr-wildcard} {start-stop | stop-only} method1 [method2] [method3] [method4]
dot1x: Users with network access through the WSS who are authenticated by 802.1X.
Usage For network users with start-stop accounting whose records are sent to a RADIUS server, WSS Software sends interim updates to the RADIUS server when the user roams.
Examples The following command issues stop-only records to the RADIUS server group sg2 for network user Nin, who is authenticated by 802.1X:
WSS# set accounting dot1x Nin stop-only sg2
success: change accepted.
See Also
• clear accounting on page 166
• show accounting statistics on page 212

set authentication admin
Configures authentication and defines where it is performed for specified users with administrative access through Telnet or Web View.
Syntax set authentication admin user-wildcard method1 [method2] [method3] [method4]
user-wildcard: Single user or set of users with administrative access over the network through Telnet or Web View.
Defaults By default, authentication is deactivated for all admin users. The default authentication method in an admin authentication rule is local. WSS Software checks the local WSS database for authentication.
Access Enabled.
Note. The syntax descriptions for the set authentication commands have been separated for clarity. However, the options and behavior for the set authentication admin command are the same as in previous releases.
Syntax set authentication console user-wildcard method1 [method2] [method3] [method4]
user-wildcard: Single user or set of users with administrative access through the switch’s console. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.).
Access Enabled.
Note. The syntax descriptions for the set authentication commands have been separated for clarity. However, the options and behavior for the set authentication console command are the same as in previous releases.
Usage You can configure different authentication methods for different groups of users. (For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 12.
user-wildcard: A single user or a set of users with 802.1X network access. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Wildcards” on page 12.)
bonded: Enables Bonded Auth™ (bonded authentication).
protocol: Protocol used for authentication. Specify one of the following:
• eap-md5—Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients:
  • Uses challenge-response to compare hashes
  • Provides no encryption or integrity checking for the connection
  Note: The eap-md5 option does not work with Microsoft wired authentication clients.
Defaults By default, authentication is unconfigured for all clients with network access through AP ports or wired authentication ports on the WSS. Connection, authorization, and accounting are also disabled for these users. Bonded authentication is disabled by default.
Access Enabled.
Usage You can configure different authentication methods for different groups of users by “wildcarding.” (For details, see “User Wildcards” on page 12.
• set service-profile auth-fallthru on page 308
• show aaa on page 210

set authentication last-resort
Deprecated in WSS Software Version 5.0. The last-resort user is not required or supported in WSS Software Version 5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type last-resort is automatically a last-resort user. The authorization attributes assigned to the user come from the default authorization attributes set on the SSID.
Usage You can configure different authentication methods for different groups of MAC addresses by “wildcarding.” (For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 12.) If you specify multiple authentication methods in the set authentication mac command, WSS Software applies them in the order in which they appear in the command, with these results:
• If the first method responds with pass or fail, the evaluation is final.
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.0.
Usage AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the Nortel WLAN Security Switch 2300 Series Configuration Guide.
Examples The following command configures a proxy authentication rule that matches on all usernames associated with SSID mycorp.
wired: Applies this authentication rule specifically to users connected to a wired authentication port.
method1 method2 method3 method4: At least one and up to four methods that WSS Software uses to handle authentication. Specify one or more of the following methods in priority order. WSS Software applies multiple methods in the order you enter them. A method can be one of the following:
• local—Uses the local database of usernames and user groups on the WSS for authentication.
• set authentication admin on page 182
• set authentication console on page 183
• set authentication dot1x on page 185
• show aaa on page 210

set location policy
Creates and enables a location policy on a WSS. A location policy enables you to locally set or change authorization attributes for a user after the user is authorized by AAA, without making changes to the AAA server.
vlan operator vlan-wildcard: VLAN-Name attribute assigned by AAA and condition by which to determine if the location policy rule applies. Replace operator with one of the following operands:
• eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard.
• neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard.
• Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.
• Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or from the network via a network port.
• You can optionally add the suffixes .in and.
Syntax set mac-user mac-addr [group group-name]
mac-addr: MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
group-name: Name of an existing MAC user group.
Defaults None.
Access Enabled.
Usage WSS Software does not require MAC users to belong to user groups. Users authenticated by MAC address can be authenticated only for network access through the WSS. WSS Software does not support passwords for MAC users.
set mac-user attr
Assigns an authorization attribute in the local database on the WSS to a user who is authenticated by a MAC address. (To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)
Syntax set mac-user mac-addr attr attribute-name value
mac-addr: MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Table 1: Authentication Attributes for Local Users
Attribute: encryption-type
Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected. Note: Encryption-Type is a Nortel vendor-specific attribute (VSA). The vendor ID is 562, and the vendor type is 233.
Valid Value(s): One of the following numbers that identifies an encryption algorithm:
• 1—AES_CCM (Advanced Encryption Standard using Counter
Table 1: Authentication Attributes for Local Users (continued)
Attribute: filter-id (network access mode only)
Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the WSS. (For more information about security ACLs, see “Security ACL Commands” on page 449.)
Valid Value(s): Name of an existing security ACL, up to 253 alphanumeric characters, with no tabs or spaces.
• Use acl-name.
Table 1: Authentication Attributes for Local Users (continued)
Attribute: service-type
Description: Type of access the user is requesting.
Valid Value(s): One of the following numbers:
• 2—Framed; for network user access
• 6—Administrative; for administrative access to the WSS, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
Table 1: Authentication Attributes for Local Users (continued)
Attribute: time-of-day (network access mode only)
Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user’s session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter. Note: Time-Of-Day is a Nortel vendor-specific attribute (VSA). The vendor ID is 562, and the vendor type is 234.
Table 1: Authentication Attributes for Local Users (continued)
Attribute: url (network access mode only)
Description: URL to which the user is redirected after successful Web-based AAA.
Valid Value(s): Web URL, in standard format. For example: http://www.example.com
Note: You must include the http:// portion.
The following command restricts a user at MAC address 06:05:04:03:02:01 to network access between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:
WSS# set mac-user 06:05:04:03:02:01 attr time-of-day mo1900-1159,tu0000-0700,we1900-1159,th0000-0700
success: change accepted.
• show aaa on page 210

set mobility-profile
Creates a Mobility Profile and specifies the AP and/or wired authentication ports on the WSS through which any user assigned to the profile is allowed access.
Syntax set mobility-profile name name {port {none | all | port-list}} | {ap {none | all | ap-num}}
name: Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with no spaces.
Examples The following commands create the Mobility Profile magnolia, which restricts user access to port 12; enable the Mobility Profile feature on the WSS; and assign the magnolia Mobility Profile to user Jose.
WSS# set mobility-profile name magnolia port 12
success: change accepted.
WSS# set mobility-profile mode enable
success: change accepted.
WSS# set user Jose attr mobility-profile magnolia
success: change accepted.
See Also
• clear mobility-profile on page 175
• set mobility-profile on page 204
• show mobility-profile on page 215

set user
Configures a user profile in the local database on the WSS for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax set user username password [encrypted] string
username: Username of a user with a password.
The following command changes Nin’s password from goody to 29Jan04:
WSS# set user Nin password 29Jan04
See Also
• clear user on page 175
• show aaa on page 210

set user attr
Configures an authorization attribute in the local database on the WSS for a user with a password. (To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)
Syntax set user username attr attribute-name value
username: Username of a user with a password.
See Also
• clear user attr on page 176
• show aaa on page 210

set user group
Adds a user to a user group. The user must have a password and a profile that exists in the local database on the WSS. (To configure a user in RADIUS, see the documentation for your RADIUS server.)
Syntax set user username group group-name
username: Username of a user with a password.
group-name: Name of an existing user group for password users.
Defaults None.
Access Enabled.
Syntax set usergroup group-name attr attribute-name value
group-name: Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.
attribute-name value: Name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to users, see Table 29 on page 198.
History Version 4.0: Command name changed from set web-aaa to set web-portal, to match change to portal-based implementation.
Usage This command disables or reenables support for Web-based AAA. However, Web-based AAA has additional configuration requirements. For information, see the “Configuring AAA for Network Users” chapter in the Nortel WLAN Security Switch 2300 Series Configuration Guide.
sg3: rs-5
Web Portal: enabled
set authentication admin Jose sg3
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
user Nin
Password = 082c6c64060b (encrypted)
Filter-Id = acl-999.
Table 2: show aaa Output (continued)
Field | Description
author-pass | Password used for authorization to a RADIUS server for MAC authentication. The client’s MAC address is sent as the username and the author-pass string is sent as the password.
Radius Servers | Information about active RADIUS servers.
Server | Name of each RADIUS server currently active.
Addr | IP address of each RADIUS server currently active.
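The rule lines that show aaa echoes can be reviewed mechanically. The following Python sketch is an added example, not Nortel code: it parses the set authentication and set accounting lines shown in the display above and reports rules that use the none method, dot1x rules that use eap-md5 (described in this chapter as providing no encryption or integrity checking), and access types that have an authentication rule but no accounting rule. The function and class names are hypothetical, the reading of none as "no credential check" is an assumption, and only the three dot1x protocols named on this page are recognized.

```python
from dataclasses import dataclass

ADMIN_TYPES = {"admin", "console"}
NETWORK_TYPES = {"dot1x", "mac", "web", "last-resort"}
# Only the protocol keywords that appear on this page; others are not modeled.
DOT1X_PROTOCOLS = {"eap-md5", "eap-tls", "peap-mschapv2"}

# Constructed sample: the rule lines copied from the show aaa display above.
SAMPLE_SHOW_AAA = """\
Web Portal: enabled
set authentication admin Jose sg3
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
user Nin
"""


@dataclass
class AuthRule:
    access: str      # admin, console, dot1x, mac, web or last-resort
    scope: str       # "ssid <name>", "wired", or "" for admin/console rules
    wildcard: str    # user-wildcard or mac-addr-wildcard
    bonded: bool     # dot1x only
    protocol: str    # dot1x only, "" otherwise
    methods: list    # method1..method4 in the order entered


def parse_auth_rule(line):
    """Parse one 'set authentication ...' line; return None for anything else."""
    tok = line.split()
    if tok[:2] != ["set", "authentication"] or len(tok) < 4:
        return None
    access, rest = tok[2], tok[3:]
    scope = ""
    if access in NETWORK_TYPES:
        if rest[0] == "ssid" and len(rest) >= 2:
            scope, rest = "ssid " + rest[1], rest[2:]
        elif rest[0] == "wired":
            scope, rest = "wired", rest[1:]
    elif access not in ADMIN_TYPES:
        return None
    if not rest:
        return None
    wildcard, rest = rest[0], rest[1:]
    bonded, protocol = False, ""
    if access == "dot1x":
        if rest and rest[0] == "bonded":
            bonded, rest = True, rest[1:]
        if rest and rest[0] in DOT1X_PROTOCOLS:
            protocol, rest = rest[0], rest[1:]
    return AuthRule(access, scope, wildcard, bonded, protocol, rest)


def audit(show_aaa_text):
    """Return (severity, code, detail) findings for the rule lines in the text."""
    findings, auth_types, acct_types = [], set(), set()
    for raw in show_aaa_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if tok[:2] == ["set", "accounting"] and len(tok) > 2:
            acct_types.add(tok[2])
            continue
        rule = parse_auth_rule(line)
        if rule is None:
            continue
        auth_types.add(rule.access)
        # Assumption: the 'none' method admits the user without a credential check.
        if "none" in rule.methods:
            severity = "HIGH" if rule.access in ADMIN_TYPES else "MEDIUM"
            findings.append((severity, "NO-AUTH", line))
        if rule.protocol == "eap-md5":
            findings.append(("MEDIUM", "EAP-MD5", line))
    # Access types that are authenticated but leave no accounting record.
    for access in sorted(auth_types - acct_types):
        findings.append(("INFO", "NO-ACCOUNTING", access))
    return findings


if __name__ == "__main__":
    for severity, code, detail in audit(SAMPLE_SHOW_AAA):
        print(f"{severity:6} {code:14} {detail}")
```

Paste the output of show aaa into a string or file and pass it to audit(); lines that are not rule lines are ignored.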
Syntax show accounting statistics
Defaults None.
Access Enabled.
History Version 4.
Table 3: show accounting statistics Output
Field | Description
Date and time | Date and time of the accounting record.
Acct-Status-Type | Type of accounting record:
  • START
  • STOP
  • UPDATE
Acct-Authentic | Location where the user was authenticated (if authentication took place) for the session:
  • 1—RADIUS server
  • 2—Local WSS database
User-Name | Username of a user with a password.
Acct-Multi-Session-Id | Unique accounting ID for multiple related sessions in a log file.
show location policy
Displays the list of location policy rules that make up the location policy on a WSS.
Syntax show location policy
Defaults None.
Access Enabled.
Examples The following command displays the list of location policy rules in the location policy on a WSS:
WSS# show location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlan neq *.wodefirm.com
3) permit vlan bld4.
AAA Commands NN47250-100 (Version 02.
Mobility Domain Commands
Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of WSSs and APs working together to support a roaming user (client). One WSS acts as a seed switch, which maintains and distributes a list of IP addresses of the domain members.
Note. Nortel recommends that you run the same WSS Software version on all the WSSs in a Mobility Domain.
This chapter presents Mobility Domain commands alphabetically.
clear mobility-domain
Clears all Mobility Domain configuration and information from a WSS, regardless of whether the WSS is a seed or a member of a Mobility Domain.
Syntax clear mobility-domain
Defaults None.
Access Enabled.
Usage This command has no effect if the WSS is not configured as part of a Mobility Domain.
Examples To clear a Mobility Domain from a WSS within the domain, type the following command:
23x0# clear mobility-domain
success: change accepted.
Syntax set domain security {none | required}
none: WSS-WSS security is disabled.
required: WSS-WSS security is enabled.
Defaults The default is none. (WSS-WSS security is disabled.)
Access Enabled.
History Introduced in WSS Software 5.0.
Usage The setting must be the same (none or required) on all switches, the seed and all members, in the Mobility Domain. The set domain security none command is equivalent to the clear domain security command.
success: change accepted.
WSS# set mobility-domain member 192.168.1.10
success: change accepted.
See Also
• clear mobility-domain member on page 218
• show mobility-domain config on page 222

set mobility-domain mode member seed-ip
On a nonseed WSS, sets the IP address of the seed WSS. This command is used on a member WSS to configure it as a member. If the WSS is currently part of another Mobility Domain or using another seed, this command overwrites that configuration.
Syntax set mobility-domain mode member secondary-seed-ip secondary-seed-ip-addr
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 6.0.
Examples The following is an example of mobility-domain secondary-seed-ip:
WSS# set mobility-domain mode member secondary-seed-ip 192.168.1.8
Success: change accepted

set mobility-domain mode seed domain-name
Creates a Mobility Domain by setting the current WSS as the seed device and naming the Mobility Domain.
set mobility-domain mode secondary-seed domain-name seed-ip
Creates a Mobility Domain by setting the current WSS as the secondary seed device and naming the Mobility Domain.
Syntax set mobility-domain mode secondary-seed domain-name domain-name seed-ip seed-ip
mob-domain-name: Name of the Mobility Domain. Specify between 1 and 32 characters with no spaces.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 6.0.
Syntax show mobility-domain
Defaults None.
Access Enabled.
History Upgraded in WSS Software Version 6.0.
Examples To display Mobility Domain status, type the following command:
WSS# show mobility-domain
Mobility Domain name: Santa Clara
Member          State       Type (* active)   Model    Version
--------------- ----------- ----------------- -------- --------
192.168.253.11  STATE_DOWN  Seed              Unknown  Unknown
192.168.253.12  STATE_UP    Secondary seed *  2360     6.0.3.
Network Domain Commands
Use Network Domain commands to configure and manage Network Domain groups. A Network Domain is a group of geographically dispersed Mobility Domains that share information among themselves over a WAN link. This shared information allows a user configured on a WSS in one Mobility Domain to establish connectivity on a WSS in another Mobility Domain elsewhere in the same Network Domain.
See Also
• set network-domain mode member seed-ip on page 227
• set network-domain peer on page 228
• set network-domain mode seed domain-name on page 229

clear network-domain mode
Removes the Network Domain seed or member configuration from the WSS.
Syntax clear network-domain mode {seed | member}
seed: Clears the Network Domain seed configuration from the WSS.
member: Clears the Network Domain member configuration from the WSS.
Defaults None.
Access Enabled.
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.1.
Usage This command has no effect if the WSS is not configured as a Network Domain seed.
Examples The following command clears the Network Domain peer configuration for peer 192.168.9.254 from the WSS:
23x0# clear network-domain peer 192.168.9.254
success: change accepted.
Syntax set network-domain mode member seed-ip ip-addr [affinity num]
ip-addr IP address of the Network Domain seed, in dotted decimal notation.
num Preference for using the specified Network Domain seed. You can specify a value from 1 through 10. A higher number indicates a greater preference.
Defaults The default affinity for a Network Domain seed is 5.
Access Enabled.
History Introduced in WSS Software 4.1.
Usage You can specify multiple Network Domain seeds on the WSS.
History Introduced in WSS Software 4.1.
Usage This command must be entered on a WSS configured as a Network Domain seed.
Examples The following command sets the WSS with IP address 192.168.9.254 as a peer of this Network Domain seed:
WSS# set network-domain peer 192.168.9.254
success: change accepted.
Syntax show network-domain
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.1.
Examples To display Network Domain status, type the following command. The output of the command differs based on whether the WSS is a member of a Network Domain or a Network Domain seed.
Table 1: show network-domain Output (continued)
State State of the WSS in the Network Domain:
• UP
• DOWN
Mode Role of the WSS in the Network Domain:
• MEMBER
• SEED
Mobility-Domain Name of the Mobility Domain of which the WSS is a member.
Output if WSS is a Network Domain member:
Member Network Domain name Name of the Network Domain of which the WSS is a member.
AP Commands

Use AP commands to configure and manage APs. Be sure to do the following before using the commands:
• Define the country-specific IEEE 802.11 regulations on the WSS. (See set system countrycode on page 63.)
• Install the AP and connect it to a port on the WSS. (See the Nortel Access Point 2330/2330A/2330B Installation Guide or Nortel Series 2332 Access Point Installation Guide.)
• Configure an AP access port (for a directly connected AP) or an AP.
AP-WSS security
• set ap fingerprint on page 257
• set ap security on page 274
Static IP Address Assignment for APs
• set ap boot-configuration ip on page 251
• set ap boot-configuration switch on page 255
• set ap boot-configuration vlan on page 256
• clear ap boot-configuration on page 241
• show ap boot-configuration on page 370
Radio Profile Assignment
• set ap radio radio-profile on page 271
• set radio-profile mode on page 291
• clear radio-profile on page 242
• set radio-profile service-profile on page
• set service-profile cipher-wep104 on page 314
• set service-profile cipher-wep40 on page 315
• set service-profile psk-phrase on page 322
• set service-profile psk-raw on page 323
• set service-profile tkip-mc-time on page 333
• set service-profile wep active-multicast-index on page 340
• set service-profile wep active-unicast-index on page 341
• set service-profile wep key-index on page 342
• set service-profile keep-initial-vlan on page 317
• set service-profile transmit-rates on page 334
• set service-profil
• set radio-profile rate-enforcement on page 295
Transmission retries
• set service-profile long-retry-count on page 319
• set service-profile short-retry-count on page 325
RF Auto-Tuning
• set radio-profile auto-tune channel-config on page 279
• set radio-profile auto-tune channel-holddown on page 280
• set radio-profile auto-tune channel-interval on page 281
• set radio-profile auto-tune channel-lockdown on page 282
• set radio-profile auto-tune power-config on page 282
• set radio-profile auto-tune pow
• show ap config on page 344
• show ap status on page 358
• show ap counters on page 348
• show ap global on page 373
• show ap connection on page 371
• show ap unconfigured on page 374
• show ap qos-stats on page 354
• show ap etherstats on page 355
AP Local Switching
• set ap local-switching mode on page 260
• set ap local-switching vlan-profile on page 260
• clear ap image on page 237
• show ap arp on page 343
• show ap fdb on page 353
• show ap vlan on page 365
WLAN Mesh Services
• set ap boot-configuration mesh
History
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Usage Use this command to configure an AP that had been converted to an AirDefense sensor to revert back to an AP. to load the software. When you do this, the next time the AP is booted, it becomes a Nortel Mobility Point.
Examples The following command causes the AirDefense sensor software file to be cleared from the configuration of AP 1:
WSS# clear ap 1 image
success: change accepted.
• set ap local-switching vlan-profile on page 260
• set vlan-profile

clear ap radio
Disables an AP radio and resets it to its factory default settings.
Syntax clear {ap port-list | ap ap-num} radio {1 | 2 | all}
ap port-list List of ports connected to the AP(s) on which to reset a radio.
ap ap-num Number of an AP on which to reset a radio.
radio 1 Radio 1 of the AP.
radio 2 Radio 2 of the AP. (This option does not apply to single-radio models.)
radio all All radios on the AP.
Table 1: Radio-Specific Parameters (continued)
Parameter | Default Value | Description
channel | 802.11b/g: 6; 802.11a: lowest valid channel number for the country of operation | Number of the channel in which a radio transmits and receives traffic
mode | disable | Operational state of the radio.
radio-profile | None. You must add the radios to a radio profile. | 802.11 settings
clear ap boot-configuration
Removes the static IP address configuration for an AP.
Syntax clear ap boot-configuration ap-num
ap ap-num Number of the AP for which you are clearing static IP information.
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.1. Option dap removed in 6.0.
Usage When the static IP configuration is cleared for an AP, the next time the AP is rebooted, it uses the standard boot process.
Examples The following command clears radio 1 on AP 7 from the load balancing group to which it had been assigned:
WSS# clear ap 7 radio 1 load-balancing group
success : change accepted.
See Also
• set load-balancing strictness on page 277
• set ap radio load-balancing on page 268
• set ap local-switching mode on page 260
• show load-balancing group on page 375

clear radio-profile
Removes a radio profile or resets one of the profile’s parameters to its default value.
History
Version 4.1 countermeasures parameter added.
Version 5.0 Parameters that no longer apply to radio profiles in WSS Software Version 4.1 removed:
• long-retry
• short-retry
Usage If you specify a parameter, the setting for the parameter is reset to its default value. The settings of the other parameters are unchanged and the radio profile remains in the configuration. If you do not specify a parameter, the entire radio profile is deleted from the configuration.
soda failure-page Resets the page that is loaded when a client fails the checks performed by the SODA agent. By default, the page is generated dynamically.
soda remediation-acl Disables use of the specified remediation ACL for the service profile. When no remediation ACL is specified, a client is disconnected from the network when it fails SODA agent checks.
soda success-page Resets the page that is loaded when a client passes the checks performed by the SODA agent.
reset ap
Restarts an AP.
Syntax reset {ap port-list | ap ap-num}
ap port-list List of ports connected to the AP to restart.
ap ap-num Number of an AP to reset.
Defaults None.
Access Enabled.
Usage When you enter this command, the AP drops all sessions and reboots.
Caution! Restarting an AP can cause data loss for users who are currently associated with the AP.
Examples The following command resets the AP on port 7:
WSS# reset ap 7
This will reset specified AP devices.
Usage Table 35 lists the configurable profile parameters and their defaults. The only parameter that requires configuration is the profile mode. The profile is disabled by default. To use the profile to configure APs, you must enable the profile using the set ap auto mode enable command. The profile uses the default radio profile by default. You can change the profile using the set ap auto radio radio-profile command.
• set ap radio auto-tune max-power on page 265
• set ap radio mode on page 270
• set ap radio radio-profile on page 271
• set ap upgrade-firmware on page 275

set ap auto mode
Enables a WSS’s profile for automatic AP configuration.
Syntax set ap auto mode {enable | disable}
enable Enables the AP configuration profile.
disable Disables the AP configuration profile.
Defaults The AP configuration profile is disabled by default.
Access Enabled.
History Introduced in WSS Software 4.
Syntax set ap auto persistent [ap-num | all]
ap-num Converts the configuration of the AP that has the specified connection number into a permanent configuration.
all Converts the configurations of all Auto-APs being managed by the switch into permanent configurations.
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.0. Option dap removed in 6.0.
Usage To display the AP numbers assigned to Auto-APs, use the show ap status auto command.
History
Version 4.0 Command introduced.
Version 5.0 Option 11a supported.
Version 6.0 Option dap removed.
Usage If you set the radiotype to 11a and the AP configuration profile is used to configure a two-radio AP model, radio 1 is configured as an 802.11b/g radio and radio 2 is configured as the 802.11a radio. Because this is the reverse of the standard configuration (where radio 1 is the 802.11a radio and radio 2 is the 802.
Usage High bias is preferred over low bias. Bias applies only to WSSs that are indirectly attached to the AP through an intermediate Layer 2 or Layer 3 network. An AP always attempts to boot on AP port 1 first, and if a WSS is directly attached on AP port 1, the AP always boots from it. If AP port 1 is indirectly connected to WSSs through the network, the AP boots from the switch with the high bias for the AP.
Usage Changing the LED blink mode does not alter operation of the AP. Only the behavior of the LEDs is affected.
Examples The following command enables LED blink mode on the AP connected to ports 3 and 4:
WSS# set ap 3-4 blink enable
success: change accepted.

set ap boot-configuration ip
Specifies static IP address information for an AP.
• show ap boot-configuration on page 370

set ap boot-configuration mesh mode
Enables WLAN mesh services on the AP.
Syntax set ap ap-number boot-configuration mesh mode {enable | disable}
ap ap-number Index value that identifies the AP on the WSS.
mode {enable | disable} Enables or disables WLAN mesh services for the AP.
Defaults Disabled.
Access Enabled.
History Introduced in WSS Version 6.0.
Usage Use this command to enable WLAN mesh services for a Mesh AP.
Usage Use this command to configure the preshared key that a Mesh AP uses to authenticate to a Mesh Portal AP. You must connect the AP to a WSS switch and enter this command to configure the AP for mesh services prior to deploying the Mesh AP in its final untethered location. WSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal key to store in the WSS configuration.
Examples The following command configures AP7 to use a raw PSK to authenticate with a Mesh Portal AP:
WSS# set ap 7 boot-configuration mesh psk-raw c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
success: change accepted.
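The mesh PSK handling described above, as an added Python example that is not part of the Nortel documentation: it checks a psk-raw value before it is typed into the switch, derives a 256-bit key from a passphrase, and masks stored keys in configuration text. The passphrase mapping is an assumption (the standard WPA mapping, PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt), since the page does not say which mapping WSS Software uses; all function names are hypothetical.

```python
import hashlib
import re

# Key printed in this page's psk-raw example (64 hex digits = 256 bits).
PAGE_EXAMPLE_RAW_PSK = (
    "c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d"
)

RAW_PSK_RE = re.compile(r"[0-9a-fA-F]{64}")
# Matches the key argument of a psk-raw command in saved configuration text.
PSK_RAW_IN_CONFIG_RE = re.compile(r"(\bpsk-raw\s+)([0-9a-fA-F]+)")


def raw_psk_problems(hex_key):
    """Return reasons to reject a raw PSK; an empty list means acceptable."""
    if not RAW_PSK_RE.fullmatch(hex_key):
        return ["not exactly 64 hexadecimal digits (256 bits)"]
    problems = []
    key = bytes.fromhex(hex_key)
    if len(set(key)) < 16:
        # Heuristic chosen for this example: a random 32-byte key practically
        # never has fewer than 16 distinct byte values; 00..00 or abab.. do.
        problems.append("too few distinct bytes; key looks patterned")
    return problems


def passphrase_to_raw_psk(passphrase, ssid):
    """Derive a 256-bit key, returned as 64 hex digits, from a passphrase.

    ASSUMPTION: standard WPA/WPA2 passphrase mapping (PBKDF2-HMAC-SHA1,
    4096 iterations, SSID as salt, 32-byte output). The page does not state
    which mapping WSS Software applies.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def redact_raw_psks(config_text):
    """Mask psk-raw key material before configuration text is shared.

    The raw key is stored in the WSS configuration, so anyone who can read a
    saved or pasted configuration holds the mesh authentication secret.
    """
    return PSK_RAW_IN_CONFIG_RE.sub(r"\1<redacted>", config_text)


if __name__ == "__main__":
    line = "set ap 7 boot-configuration mesh psk-raw " + PAGE_EXAMPLE_RAW_PSK
    print(raw_psk_problems(PAGE_EXAMPLE_RAW_PSK))  # no problems reported
    print(redact_raw_psks(line))
```
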
• set ap boot-configuration mesh mode on page 252
• set service-profile mesh on page 320
• show ap mesh-links on page 357

set ap boot-configuration switch
Specifies the WSS an AP contacts and attempts to use as its boot device.
Syntax set ap ap-num boot-configuration switch [switch-ip ip-addr] [name name dns ip-addr] [mode {enable | disable}]
ap ap-num Number of the AP for which you are specifying static IP information.
See Also
• clear ap boot-configuration on page 241
• set ap boot-configuration ip on page 251
• set ap boot-configuration vlan on page 256
• show ap boot-configuration on page 370

set ap boot-configuration vlan
Specifies 802.1Q VLAN tagging information for an AP.
set ap fingerprint
Verifies an AP’s fingerprint on a WSS. If AP-WSS security is required by a WSS, an AP can establish a management session with the switch only if you have verified the AP’s identity by verifying its fingerprint on the switch.
Syntax set ap num fingerprint hex
ap ap-num Number of the AP whose fingerprint you are verifying.
hex The 16-digit hexadecimal number of the fingerprint. Use a colon between each digit.
ap auto Configures forced image download for the AP configuration profile. (See set ap auto on page 245.)
force-imagedownload enable Enables forced image download.
force-imagedownload disable Disables forced image download.
Defaults Forced image download is disabled by default.
Access Enabled.
History Introduced in WSS Software 5.0. Option dap removed in 6.0.
Usage A change to the forced image download option takes place the next time the AP is restarted.
History
Version 4.0 Option auto added for configuration of the AP configuration profile.
Version 6.0 Option dap removed.
Usage You can assign any subset or all of the APs connected to a WSS to a group on that switch. All access points in a group must be connected to the same WSS. If you use the name none, spelled in any combination of capital or lowercase letters, the specified AP is cleared from all AP groups.
Examples The following command causes AP 1 to load the adconvert.bin file, then reboot as an AirDefense sensor:
WSS# set ap 1 image adconvert.bin
This will change the file a AP will boot. Would you like to continue? (y/n) [n] y

set ap local-switching mode
Enables local switching for a specified AP.
Syntax set ap ap-number local-switching mode {enable | disable}
ap-number Index value that identifies the AP on the WSS switch.
enable Enables local switching for the AP.
Syntax set ap ap-number local-switching vlan-profile profile-name
ap-number Index value that identifies the AP on the WSS switch.
profile-name The name of a VLAN profile configured on the WSS switch.
Defaults If local switching is enabled on an AP, but no VLAN profile is configured, then a default VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.
Access Enabled.
History Introduced in WSS Software Version 6.0.
History
Version 4.1 Default AP name changed from DAPnum to DAPnum
Version 6.0 Option dap removed.
Examples The following command changes the name of the AP on port 1 to techpubs:
WSS# set ap 1 name techpubs
success: change accepted.
See Also show ap config on page 344

set ap radio antenna-location
Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure that the proper set of channels is available on the radio.
See Also set ap radio antennatype on page 263

set ap radio antennatype
Sets the model number for the antenna to be used.
ap port-list List of ports connected to the APs on which to set the channel.
ap ap-num Number of an AP on which to set the channel.
radio 1 Radio 1 of the AP.
radio 2 Radio 2 of the AP. (This option does not apply to single-radio models.)
antennatype 802.
antennatype 802.
Syntax set {ap port-list | auto} radio {1 | 2} auto-tune max-power power-level
ap port-list List of ports connected to the AP on which to set the maximum power.
ap ap-num Number of an AP on which to set the maximum power.
ap auto Sets the maximum power for radios configured by the AP configuration profile. (See set ap auto on page 245.)
radio 1 Radio 1 of the AP.
radio 2 Radio 2 of the AP. (This option does not apply to single-radio models.
set ap radio channel
Sets an AP radio’s channel.
Syntax set {ap port-list | ap ap-num} radio {1 | 2} channel channel-number
ap port-list List of ports connected to the AP on which to set the channel.
ap ap-num Number of an AP on which to set the channel.
radio 1 Radio 1 of the AP.
radio 2 Radio 2 of the AP. (This option does not apply to single-radio models.)
channel channel-number Channel number. The valid channel numbers depend on the country of operation.
set ap radio min-tx-datarate
To specify the minimum rate at which a radio is allowed to transmit traffic to clients, see Deprecated in WSS Software Version 5.0. on page 266.

set ap radio link-calibration
Configures an AP radio to emit link calibration packets, which can aid in positioning a Mesh AP.
Syntax set ap ap-number radio {1 | 2} link-calibration mode {enable | disable}
ap ap-number Index value that identifies the AP on the WSS.
radio 1 Radio 1 of the AP.
Syntax set ap ap-num radio {1 | 2} load-balancing {enable | disable}
ap ap-number Index value that identifies the AP on the WSS.
radio 1 Radio 1 of the AP.
radio 2 Radio 2 of the AP. (This option does not apply to single-radio models.)
enable Enables RF load balancing for the AP radio.
disable Disables RF load balancing for the AP radio.
Defaults RF load balancing is enabled by default for all AP radios.
Access Enabled.
History Introduced in WSS Software Version 6.0.
group name Name of an RF load balancing group to which the AP radio is assigned. A radio can belong to only one group.
rebalance Configures the AP radio to disassociate its client sessions and rebalance them whenever a new AP radio is added to the load balancing group.
Defaults By default, AP radios are not part of an RF load balancing group.
Access Enabled.
History Introduced in WSS Software Version 6.0.
Usage Assigning radios to specific load balancing groups is optional.
Access Enabled.
History
Version 4.0 Option auto added for configuration of the AP configuration profile.
Version 6.0 Option dap removed.
Usage To enable or disable one or more radios to which a profile is assigned, use the set ap radio radio-profile command. To enable or disable all radios that use a specific radio profile, use the set radio-profile command.
Access Enabled.
History
Version 4.0 Option auto added for configuration of the AP configuration profile.
Version 6.0 Option dap removed.
Usage When you create a new profile, the radio parameters in the profile are set to their factory default values. To enable or disable all radios that use a specific radio profile, use set radio-profile.
Access Enabled.
Usage You also can configure a radio’s channel on the same command line. Use the channel option. This command is not valid if dynamic power tuning (RF Auto-Tuning) is enabled.
Examples The following command configures the transmit power on the 802.11a radio on the AP connected to port 5:
WSS# set ap 5 radio 1 tx-power 10
success: change accepted.
The following command configures the channel and transmit power on the 802.
set ap security
Sets security requirements for management sessions between a WSS and its APs. This feature applies to APs only, not to directly connected APs configured on AP access ports.
Note. The maximum transmission unit (MTU) for encrypted AP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WSS and AP can support the higher MTU.
set ap sticky-bit
This command is deprecated in WSS Software Version 4.0. WSS assignment is always sticky. If an AP fails over to another WSS connection, the AP stays on that connection until the connection goes down or the WSS or AP is restarted.

set ap upgrade-firmware
Disables or reenables automatic upgrade of an AP’s boot firmware.
Syntax set band-preference {none | 11bg | 11a}
none When a client supports both 802.11a and 802.11b/g radio bands, does not steer the client to a specific AP radio.
11bg When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11b/g radio.
11a When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 802.11a radio.
Defaults By default, clients are not steered to specific AP radios for RF load balancing.
Access Enabled.
History Introduced in WSS Version 6.0.
Usage By default, RF load balancing is enabled on all AP radios. Use this command to disable or re-enable RF load balancing globally for all AP radios managed by the WSS switch. If RF load balancing has been enabled or disabled for a specific AP radio, then the setting for the individual radio takes precedence over the global setting.
across the AP radios in the load-balancing group. When low strictness is specified (the default), WSS Software makes heavily loaded AP radios less visible in order to steer clients to less-busy AP radios, but ensures that even if all the AP radios in the group are heavily loaded, clients are not denied service.
Usage You can enter this command on any WSS in the Mobility Domain. The command takes effect only on that switch.
Examples The following command disables active scan in radio profile radprof3:
WSS# set radio-profile radprof3 active-scan disable
success: change accepted.
See Also show radio-profile on page 376

set radio-profile auth-dot1x
Deprecated in WSS Software Version 3.0. In 3.0, this parameter is associated with service profiles instead of radio profiles.
Even when RF Auto-Tuning for channels is enabled, WSS Software does not change the channel on radios that have active client sessions, unless you use the no-client option. RF Auto-Tuning of channels on 802.11a radios uses only the bottom eight channels in the band (36, 40, 44, 48, 52, 56, 60, and 64). To use a higher channel number, you must disable RF Auto-Tuning of channels on the radio profile the radio is in, and use the set ap radio channel command to statically configure the channel.
• set radio-profile auto-tune channel-interval on page 281
• set radio-profile auto-tune channel-lockdown on page 282
• show radio-profile on page 376

set radio-profile auto-tune channel-interval
Sets the interval at which RF Auto-Tuning decides whether to change the channels on radios in a radio profile. At the end of each interval, WSS Software processes the results of the RF scans performed during the previous interval, and changes radio channels if needed.
set radio-profile auto-tune channel-lockdown
Locks down the current channel settings on all radios in a radio profile. The channel settings that are in effect when the command is entered are changed into statically configured channel assignments on the radios. RF Auto-Tuning of channels is then disabled in the radio profile.
Syntax set radio-profile name auto-tune channel-lockdown
name Radio profile name.
Syntax set radio-profile name auto-tune power-config {enable | disable}
name Radio profile name.
enable Configures radios to dynamically set their power levels when the APs are started.
disable Configures radios to use their statically assigned power levels, or the default power levels if unassigned, when the radios are started.
Defaults Dynamic power assignment is disabled by default.
Access Enabled.
History Introduced in WSS Software Version 3.0.
History Introduced in WSS Software Version 3.0.
Examples The following command sets the power interval for radios in radio profile rp2 to 240 seconds:
WSS# set radio-profile rp2 auto-tune power-interval 240
success: change accepted.
set radio-profile auto-tune power-ramp-interval
Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.
Syntax set radio-profile name auto-tune power-ramp-interval seconds
name Radio profile name.
seconds Number of seconds WSS Software waits before increasing or decreasing radio power by another 1 dBm. You can specify from 1 to 65535.
Examples The following command changes the beacon interval for radio profile rp1 to 200 ms:
WSS# set radio-profile rp1 beacon-interval 200
success: change accepted.
See Also
• set radio-profile mode on page 291
• show radio-profile on page 376

set radio-profile beaconed-ssid
See set service-profile beacon on page 310.

set radio-profile cipher-ccmp
See set service-profile cipher-ccmp on page 312.

set radio-profile cipher-tkip
See set service-profile cipher-tkip on page 313.
set radio-profile countermeasures
Caution! Countermeasures affect wireless service on a radio. When an AP radio is sending countermeasures, the radio is disabled for use by network traffic, until the radio finishes sending the countermeasures.
Enables or disables countermeasures on the AP radios managed by a radio profile. Countermeasures are packets sent by a radio to prevent clients from being able to use rogue access points.
The following command disables countermeasures in radio profile radprof3:
WSS# clear radio-profile radprof3 countermeasures
success: change accepted.
The following command causes radios managed by radio profile radprof3 to issue countermeasures against devices in the WSS’s attack list:
WSS# set radio-profile radprof3 countermeasures configured
success: change accepted.
See Also
• set radio-profile mode on page 291
• show radio-profile on page 376

set radio-profile frag-threshold
Changes the fragmentation threshold for the AP radios in a radio profile. The fragmentation threshold is the threshold at which the long-retry-count is applicable instead of the short-retry-count. The long-retry-count specifies the number of times a radio can send a unicast frame that is equal to or longer than the frag-threshold without receiving an acknowledgment.
set radio-profile long-retry
Deprecated in WSS Software Version 4.1. In 4.1, this parameter is associated with service profiles instead of radio profiles. See set service-profile long-retry-count on page 319.

set radio-profile max-rx-lifetime
Changes the maximum receive threshold for the AP radios in a radio profile. The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory.
Defaults The default maximum transmit threshold for AP radios is 2000 ms (2 seconds).
Access Enabled.
Usage You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.
Examples The following command changes the maximum transmit threshold for radio profile rp1 to 4000 ms:
WSS# set radio-profile rp1 max-tx-lifetime 4000
success: change accepted.
Table 4: Defaults for Radio Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
countermeasures | Not configured | Does not issue countermeasures against any device.
dtim-interval | 1 | Sends the delivery traffic indication map (DTIM) after every beacon.
frag-threshold | 2346 | Uses the short-retry-count for frames shorter than 2346 bytes and uses the long-retry-count for frames that are 2346 bytes or longer.
History
Version 4.1
• Parameters that no longer apply to radio profiles in WSS Software Version 4.1 removed:
  • 11g-only
  • long-retry
  • short-retry
• wmm parameter name changed to qos-mode.
Version 5.0 Parameters added:
• rfid-mode
• wmm-powersave
Usage Use the command without any optional parameters to create a new profile. If the radio profile does not already exist, WSS Software creates a new radio profile.
set radio-profile preamble-length
Changes the preamble length for which an 802.11b/g AP radio advertises support. This command does not apply to 802.11a.
Syntax set radio-profile name preamble-length {long | short}
name Radio profile name.
long Advertises support for long preambles.
short Advertises support for short preambles.
Defaults The default is short.
Access Enabled.
Usage Changing the preamble length value affects only the support advertised by the radio.
set radio-profile qos-mode
Sets the prioritization mode for forwarding queues on AP radios managed by the radio profile.
Syntax set radio-profile name qos-mode {svp | wmm}
svp Optimizes forwarding prioritization of AP radios for SpectraLink Voice Priority (SVP).
wmm Classifies and marks traffic based on 802.1p and DSCP, and optimizes forwarding prioritization of AP radios for Wi-Fi Multimedia (WMM).
Defaults The default QoS mode is wmm.
Access Enabled.
Syntax set radio-profile name rate-enforcement {enable | disable}
name Radio profile name.
enable Enables data rate enforcement for the radios in the radio profile.
disable Disables data rate enforcement for the radios in the radio profile.
Defaults Data rate enforcement is disabled by default.
Access Enabled.
History Introduced in WSS Software Version 6.0.
Usage Each type of radio (802.11a, 802.11b, and 802.
Syntax set radio-profile name rfid-mode {enable | disable}
name Radio profile name.
enable Enables radios to function as asset location receivers.
disable Disables radios from functioning as asset location receivers.
Defaults The default is disable.
Access Enabled.
History Introduced in WSS Software Version 5.0.
set radio-profile service-profile
Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter settings, including SSID and encryption settings, in the service profile.
Syntax set radio-profile name service-profile name
radio-profile name Radio profile name of up to 16 alphanumeric characters, with no spaces.
service-profile name Service profile name of up to 16 alphanumeric characters, with no spaces.
Table 5: Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
cipher-ccmp | disable | Does not use Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to encrypt traffic sent to WPA clients.
cipher-tkip | enable | When the WPA IE is enabled, uses Temporal Key Integrity Protocol (TKIP) to encrypt traffic sent to WPA clients.
no-broadcast | disable | Does not reduce wireless broadcast traffic by sending unicasts to clients for ARP requests and DHCP Offers and Acks instead of forwarding them as multicasts.
proxy-arp | disable | Does not reply on behalf of wireless clients to ARP requests for client IP addresses. Instead, the radio forwards the ARP Requests as wireless broadcasts.
tkip-mc-time | 60000 | Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
transmit-rates | 802.11a: | Accepts associations only from clients that support one of the mandatory rates. Sends beacons at the specified rate (6 Mbps for 802.11a, 2 Mbps for 802.11b/g).
web-portal-acl | portalacl |
web-portal-form | Not configured | For Web-based AAA users, serves the Nortel login page.
web-portal-sessiontimeout | 5 | Allows a Web Portal Web-based AAA session to remain in the Deassociated state 5 seconds before being terminated automatically.
wep key-index | No keys defined | Uses dynamic WEP rather than static WEP.
Examples
The following command maps service-profile wpa_clients to radio profile rp2:
WSS# set radio-profile rp2 service-profile wpa_clients
success: change accepted.
• set service-profile wep key-index on page 342
• set service-profile wpa-ie on page 342
• show radio-profile on page 376
• show service-profile on page 380

set radio-profile shared-key-auth

See set service-profile shared-key-auth on page 324.

set radio-profile short-retry

Deprecated in WSS Software Version 4.1. In 4.1, this parameter is associated with service profiles instead of radio profiles. See set service-profile short-retry-count on page 325.
set radio-profile wmm-powersave

Enables Unscheduled Automatic Powersave Delivery (U-APSD) on AP radios managed by the radio profile. U-APSD enables WMM clients that use powersave mode to more efficiently request buffered unicast packets from AP radios. When U-APSD is enabled, a client can retrieve buffered unicast packets for a traffic priority enabled for U-APSD by sending a QoS data or QoS-Null frame for that priority.
set service-profile attr

Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile. These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database.

Syntax
set service-profile name attr attribute-name value

name: Service profile name.
The following command assigns users accessing the SSID managed by service profile sp2 to the Mobility Profile tulip.
WSS# set service-prof sp2 attr mobility-profile tulip
success: change accepted.

The following command limits the days and times when users accessing the SSID managed by service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
WSS# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
See Also
• set service-profile auth-psk on page 309
• set service-profile psk-phrase on page 322
• set service-profile wpa-ie on page 342
• show service-profile on page 380

set service-profile auth-fallthru

Specifies the authentication type for users who do not match an 802.1X or MAC authentication rule for an SSID managed by the service profile.
The web-portal authentication type also requires additional configuration items. (See the “Configuring AAA for Network Users” chapter of the Nortel WLAN Security Switch 2300 Series Configuration Guide.)

Examples
The following command sets the fallthru authentication type for SSIDs managed by the service profile rnd_lab to web-portal:
WSS# set service-profile rnd_lab auth-fallthru web-portal
success: change accepted.
set service-profile beacon

Disables or reenables beaconing of the SSID managed by the service profile. An AP radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the nonbeaconed SSID’s SSID string. When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name in the frames is blank.
Usage
WLAN mesh services can be used in a wireless bridge configuration, implementing APs as bridge endpoints in a transparent Layer 2 bridge. A typical application of wireless bridging is to provide network connectivity between two buildings using a wireless link. A Mesh Portal AP serving as a bridge endpoint can support up to five Mesh APs serving as bridge endpoints.
set service-profile cac-session

Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled. When an AP radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients.

Syntax
set service-profile name cac-session max-sessions

name: Service profile name.
max-sessions: Maximum number of active sessions allowed on the radio.

Defaults
The default number of sessions allowed is 14.

Access
Enabled.
Examples
The following command configures service profile sp2 to use CCMP encryption:
WSS# set service-profile sp2 cipher-ccmp enable
success: change accepted.
set service-profile cipher-wep104

Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile.

Syntax
set service-profile name cipher-wep104 {enable | disable}

name: Service profile name.
enable: Enables 104-bit WEP encryption for WPA clients.
disable: Disables 104-bit WEP encryption for WPA clients.

Defaults
104-bit WEP encryption is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 3.0.
set service-profile cipher-wep40

Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.

Syntax
set service-profile name cipher-wep40 {enable | disable}

name: Service profile name.
enable: Enables 40-bit WEP encryption for WPA clients.
disable: Disables 40-bit WEP encryption for WPA clients.

Defaults
40-bit WEP encryption is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 3.0.
Syntax
set service-profile name cos level

name: Service profile name.
level: CoS value assigned by the AP to all traffic in the service profile.

Defaults
The default static CoS level is 0.

Access
Enabled.

History
Introduced in WSS Software Version 4.1.

Usage
This command applies only when static CoS is enabled. If static CoS is disabled, prioritization is based on the QoS mode configured in the radio profile, and on any ACLs that set CoS.
See Also
• set service-profile no-broadcast on page 320
• set service-profile proxy-arp on page 321
• show service-profile on page 380

set service-profile idle-client-probing

Disables or reenables periodic keepalives from AP radios to clients on a service profile’s SSID. When idle-client probing is enabled, the AP radio sends a unicast null-data frame to each client every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.
Syntax
set service-profile name keep-initial-vlan {enable | disable}

name: Service profile name.
enable: Enables radios to leave a roamed user on the same VLAN instead of reassigning the VLAN.
disable: Configures radios to reassign a roamed user’s VLAN.

Defaults
This option is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 5.0.
Usage
Use this command to exempt a service profile from RF load balancing. Exempting a service profile from RF load balancing means that even if an AP radio is attempting to steer clients away, it does not reduce or conceal the availability of the SSID named in the exempted service profile. Even if a radio is withholding probe responses to manage its load, the radio does respond to probes for an exempt SSID.
set service-profile mesh

Creates a service profile for use with WLAN mesh services.

Syntax
set service-profile name mesh mode {enable | disable}

name: Service profile name.
enable: Enables mesh services for the service profile.
disable: Disables mesh services for the service profile.

Defaults
None.

Access
Enabled.

History
Introduced in WSS Software version 6.0.

Usage
Use this command to configure mesh services for a service profile.
Syntax
set service-profile name no-broadcast {enable | disable}

name: Service profile name.
enable: Enables the no-broadcast mode. AP radios are not allowed to send broadcast traffic to clients on the service profile’s SSID.
disable: Disables the no-broadcast mode.

Defaults
The no-broadcast mode is disabled by default. (Broadcast traffic not disabled.)

Access
Enabled.

History
Introduced in WSS Software Version 4.1.
Usage
To further reduce broadcast traffic on a service profile, use the set service-profile no-broadcast command to disable DHCP and ARP request broadcasts.

Examples
The following command enables proxy ARP on service profile sp1:
WSS# set service-profile sp1 proxy-arp enable
success: change accepted.
set service-profile psk-raw

Configures a raw hexadecimal preshared key (PSK) to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.

Syntax
set service-profile name psk-raw hex

name: Service profile name.
hex: A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the two-character ASCII form of each hexadecimal number.

Defaults
None.

Access
Enabled.
Syntax
set service-profile name rsn-ie {enable | disable}

name: Service profile name.
enable: Enables the RSN IE.
disable: Disables the RSN IE.

Defaults
The RSN IE is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 3.0.

Usage
When the RSN IE is enabled, the default authentication method is 802.1X. There is no default cipher suite. You must enable the cipher suites you want the radios to support.
Defaults
Shared-key authentication is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 3.0.

Usage
Shared-key authentication is supported only for encrypted SSIDs. In addition, if you enable shared-key authentication, RSN, WPA, TKIP, and CCMP must be disabled. By default, RSN, WPA, and CCMP are already disabled, but TKIP is enabled; you must manually disable TKIP. To disable TKIP, use the set service-profile cipher-tkip disable command.
set service-profile soda agent-directory

Specifies the directory on the WSS where the SODA agent files for a service profile are located.

Syntax
set service-profile name soda agent-directory directory

name: Service profile name.
directory: Directory on the WSS for SODA agent files.

Defaults
By default, the WSS expects SODA agent files to be located in a directory with the same name as the service profile.

Access
Enabled.

History
Introduced in WSS Software Version 4.1.
Access
Enabled.

History
Introduced in WSS Software Version 4.1.

Usage
When the SODA agent is enabled in a service profile, by default the SODA agent checks are downloaded to a client and run before the client is allowed on the network. You can use this command to disable the enforcement of the SODA security checks, so that the client is allowed access to the network immediately after the SODA agent is downloaded, rather than waiting for the security checks to be run.
This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default. The page is assumed to reside in the root directory on the WSS. You can optionally specify a different directory where the page resides.

Examples
The following command specifies failure.html as the page to load when a client fails the SODA agent checks:
WSS# set service-profile sp1 soda failure-page failure.html
success: change accepted.
Examples
The following command specifies logout.html as the page to load when a client closes the SODA virtual desktop:
WSS# set service-profile sp1 soda logout-page logout.html
success: change accepted.

The following command specifies logout.html, in the soda-files directory, as the page to load when a client closes the SODA virtual desktop:
WSS# set service-profile sp1 soda logout-page soda-files/logout.html
success: change accepted.
set service-profile soda remediation-acl

Specifies an ACL to be applied to a client if it fails the checks performed by the SODA agent.

Syntax
set service-profile name soda remediation-acl acl-name

name: Service profile name.
acl-name: Name of an existing security ACL to use as a remediation ACL for this service profile. ACL names must start with a letter and are case-insensitive.

Defaults
None.

Access
Enabled.

History
Introduced in WSS Software Version 4.1.
Access
Enabled.

History
Introduced in WSS Software Version 4.1.

Usage
Use this command to specify a custom page that is loaded by the client when it passes the checks performed by the SODA agent. After this page is loaded, the client is placed in its assigned VLAN and granted access to the network. The page is assumed to reside in the root directory on the WSS. You can optionally specify a different directory where the page resides.
Examples
The following command applies the name guest to the SSID managed by service profile clear_wlan:
WSS# set service-profile clear_wlan ssid-name guest
success: change accepted.

The following command applies the name corporate users to the SSID managed by service profile mycorp_srvcprf:
WSS# set service-profile mycorp_srvcprf ssid-name "corporate users"
success: change accepted.
any ACLs that mark CoS. This option provides a simple way to configure an SSID for priority traffic such as VoIP traffic. When static CoS is enabled, the standard WSS Software prioritization mechanism is not used. Instead, the AP sets CoS as follows:
• For traffic from the AP to clients, the AP places the traffic into the forwarding queue that corresponds to the CoS level configured on the service profile.
History
Introduced in WSS Software Version 3.0.

Usage
Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients and non-WPA WEP clients. CCMP clients are not affected. The TKIP cipher suite must be enabled. The WPA IE also must be enabled.

Examples
The following command changes the countermeasures wait time for service profile sp3 to 30,000 ms (30 seconds):
WSS# set service-profile sp3 tkip-mc-time 30000
success: change accepted.
beacon-rate rate: Data rate of beacon frames sent by AP radios. This rate is also used for probe-response frames. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the beacon rate to a disabled rate.
multicast-rate {rate | auto}: Data rate of multicast frames sent by AP radios.
• rate—Sets the multicast rate to a specific rate. The valid rates depend on the radio type and are the same as the valid rates for mandatory.
See Also
show service-profile on page 380

set service-profile user-idle-timeout

Changes the number of seconds WSS Software will leave a session up for a client that is not sending data and is not responding to keepalives (idle-client probes). If the timer expires, the client’s session is changed to the Dissociated state. The timer is reset to 0 each time a client sends data or responds to an idle-client probe.
Syntax
set service-profile name web-portal-acl aclname

name: Service profile name.
aclname: Name of the ACL to use for filtering Web-Portal user traffic during authentication.

Defaults
By default, a service profile’s web-portal-acl option is unset. However, when you change the service profile’s auth-fallthru option to web-portal, WSS Software sets the web-portal-acl option to portalacl.
History
Version 4.0: Option name changed from web-aaa-form to web-portal-form, to reflect change to portal-based implementation.

Usage
Nortel recommends that you create a subdirectory for the custom page and place all the page’s files in that subdirectory. Do not place the custom page in the root directory of the switch’s user file area. If the custom login page includes gif or jpg images, their path names are interpreted relative to the directory from which the page is served.

Note.
set service-profile web-portal-logout

Changes the web portal logout mode.

Syntax
set service-profile name web-portal-logout mode {enable | disable}

name: Service profile name.
mode: To enable or disable web portal logout.

Access
Enabled.

History
Introduced in WSS Software Version 6.0.

Examples
The following command allows the web portal service to enable the web portal logout functionality.
WSS# set service-profile sp1 web-portal-logout mode enable
success: change accepted.
Syntax
set service-profile name web-portal-session-timeout seconds

name: Service profile name.
seconds: Number of seconds WSS Software allows Web Portal Web-based AAA sessions to remain in the Deassociated state before being terminated automatically. You can specify from 5 to 2800 seconds.

Defaults
The default Web Portal Web-based AAA session timeout is 5 seconds.

Access
Enabled.

History
Introduced in WSS Software Version 4.1.
Usage
Before using this command, you must configure values for the WEP keys you plan to use. Use the set service-profile wep key-index command.

Examples
The following command configures service profile sp2 to use WEP key 2 for encrypting multicast traffic:
WSS# set service-profile sp2 wep active-multicast-index 2
success: change accepted.
set service-profile wep key-index

Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP encryption.

Syntax
set service-profile name wep key-index num key value

name: Service profile name.
key-index num: WEP key index. You can enter a value from 1 through 4.
key value: Hexadecimal value of the key. You can enter a 10-character ASCII string representing a 5-byte hexadecimal number or a 26-character ASCII string representing a 13-byte hexadecimal number.
Defaults
The WPA IE is disabled by default.

Access
Enabled.

History
Introduced in WSS Software Version 3.0.

Usage
When the WPA IE is enabled, the default authentication method is 802.1X. There is no default cipher suite. You must enable the cipher suites you want the radios to support.

Examples
The following command enables the WPA IE in service profile sp2:
WSS# set service-profile sp2 wpa-ie enable
success: change accepted.
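The constraints in the Usage notes for shared-key authentication, the RSN and WPA IEs and tkip-mc-time, together with the wep key-index key format and the defaults stated on this page, can be checked offline against a saved command list. The following Python lint is an added example, not Nortel code; the transcript is constructed, the rule names are hypothetical, and shared-key-auth is assumed to take enable or disable like the other toggles.

```python
import re
import shlex

# Defaults as stated on this page (Table 5 and each command's Defaults entry).
DEFAULTS = {
    "cipher-ccmp": "disable", "cipher-tkip": "enable",
    "cipher-wep104": "disable", "cipher-wep40": "disable",
    "wpa-ie": "disable", "rsn-ie": "disable",
    "shared-key-auth": "disable",  # assumption: takes {enable | disable}
}
CIPHERS = ("cipher-ccmp", "cipher-tkip", "cipher-wep104", "cipher-wep40")
# wep key-index: 10 hex characters (5 bytes) or 26 hex characters (13 bytes).
HEX_KEY = re.compile(r"^(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})$")


def parse(lines):
    """Return ({profile: settings}, [findings]) from CLI transcript lines."""
    profiles, findings = {}, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("WSS#"):
            line = line[4:]
        tok = shlex.split(line)
        # Accept abbreviations such as 'service-prof', as used in the page's examples.
        if (len(tok) < 5 or tok[0] != "set" or not tok[1].startswith("service-p")
                or not "service-profile".startswith(tok[1])):
            continue  # prompts' replies and unrelated commands are ignored
        name, opt, args = tok[2], tok[3], tok[4:]
        prof = profiles.setdefault(name, dict(DEFAULTS))
        if opt in DEFAULTS and args[0] in ("enable", "disable"):
            prof[opt] = args[0]
        elif opt == "tkip-mc-time" and args[0].isdigit():
            prof[opt] = int(args[0])
        elif opt == "wep" and len(args) == 4 and args[0] == "key-index" and args[2] == "key":
            if args[1] not in ("1", "2", "3", "4"):
                findings.append((name, "wep-key-index",
                                 f"index {args[1]} is outside 1 through 4"))
            if not HEX_KEY.match(args[3]):
                # The key itself is never echoed into the finding.
                findings.append((name, "wep-key-length",
                                 "key must be 10 or 26 hexadecimal characters"))
    return profiles, findings


def enabled(profile, option):
    return profile.get(option) == "enable"


def audit(lines):
    """Apply the page's Usage constraints to the effective settings of each profile."""
    profiles, findings = parse(lines)
    for name in sorted(profiles):
        p = profiles[name]
        if enabled(p, "shared-key-auth"):
            # RSN, WPA, TKIP and CCMP must be disabled; TKIP is enabled by default.
            clash = [k for k in ("rsn-ie", "wpa-ie", "cipher-tkip", "cipher-ccmp")
                     if enabled(p, k)]
            if clash:
                findings.append((name, "shared-key-conflict",
                                 "still enabled: " + ", ".join(clash)))
        if (enabled(p, "wpa-ie") or enabled(p, "rsn-ie")) and \
                not any(enabled(p, c) for c in CIPHERS):
            findings.append((name, "ie-without-cipher",
                             "WPA/RSN IE enabled but no cipher suite is enabled"))
        if "tkip-mc-time" in p and not (enabled(p, "cipher-tkip") and enabled(p, "wpa-ie")):
            findings.append((name, "tkip-mc-time-inactive",
                             "countermeasures need both cipher-tkip and wpa-ie enabled"))
    return findings


# Constructed transcript (profile names and key values are made up for the example).
SAMPLE = """\
WSS# set service-profile legacy shared-key-auth enable
success: change accepted.
WSS# set service-profile legacy wep key-index 1 key aabbccddee
WSS# set service-prof sp2 wpa-ie enable
WSS# set service-prof sp2 cipher-tkip disable
WSS# set service-profile sp3 tkip-mc-time 30000
WSS# set service-profile sp4 wep key-index 5 key 1234
WSS# set service-profile ok1 wpa-ie enable
WSS# set service-profile ok1 cipher-ccmp enable
""".splitlines()

if __name__ == "__main__":
    for profile, rule, detail in audit(SAMPLE):
        print(f"{profile}: {rule}: {detail}")
```

The lint works on effective settings, so a profile that enables shared-key authentication without an explicit cipher-tkip disable is reported even though TKIP never appears in its commands.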
Table 6: Output for show ap arp

| Field | Description |
|---|---|
| Host | IP address, hostname, or alias. |
| HW Address | MAC address mapped to the IP address, hostname, or alias. |
| VLAN | VLAN the entry is for. |
| State | Entry state: • RESOLVING—WSS sent an ARP request for the entry and is waiting for the reply. • RESOLVED—Entry is resolved. • EXPIRED—Entry is expired. |
| Type | Entry type: • DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout. |
Access
Enabled.

History
Version 4.0
• New field added: fingerprint
Note: This field applies to the display for APs only.
Version 5.0
• Field force-image-download added:
• Field auto-tune min-client-rate removed.
• Field auto-tune max-retransmissions removed.
Version 6.0
• Option dap removed.

Usage
WSS Software lists information separately for each AP.
Table 7: Output for show ap config

| Field | Description |
|---|---|
| Port | WSS port number. Note: This field is applicable only if the AP is directly connected to the WSS and the WSS’s port is configured as an AP access port. |
| AP | Connection ID for the AP. Note: This field is applicable only if the AP is configured on the WSS as an AP. |
| serial-id | Serial ID of the AP. Note: This field is displayed only for APs. |
| AP model | AP model number. |
| POE | |
Table 7: Output for show ap config (continued)

| Field | Description |
|---|---|
| type | Radio type: • 802.11a • 802.11b • 802.11g |
| mode | Radio state: • Enabled • Disabled |
| channel | Channel number. |
| antennatype | External antenna model, if applicable. |
| tx pwr | Transmit power, in dBm. |
| profile | Radio profile that manages the radio. Until you assign the radio to a radio profile, WSS Software assigns the radio to the default radio profile. |
• show ap unconfigured on page 374
• show radio-profile on page 376

show ap counters

Displays AP and radio statistics counters.

Syntax
show ap counters [port-list [radio {1 | 2}]]

port-list: List of ports connected to the AP(s) for which to display statistics counters.
ap-num: Number of an AP for which to display statistics counters.
radio 1: Shows statistics counters for radio 1.
radio 2: Shows statistics counters for radio 2. (This option does not apply to single-radio models.
TKIP Pkt Replays        0    TKIP Decrypt Err      0
CCMP Pkt Decrypt Err    0    CCMP Pkt Replays      0
CCMP Pkt Transfer Ct    0    RadioResets           0
Radio Recv Phy Err Ct   0    Transmit Retries      60501
Radio Adjusted Tx Pwr   15   Noise Floor           -93
802.3 Packet Tx Ct      0    802.3 Packet Rx Ct    0
No Receive Descriptor   0

TxUniPkt TxUniByte RxPkt UndcrptPkt TxMultiPkt TxMultiByte RxByte UndcrptByte PhyErr
1.0:1017 0 10170
2.0:5643 55683 822545
5.5:0 0 0
6.0: 0 0
9.0: 0 0 0
11.0: 0 0 0
12.0: 0 0 0
18.0: 0 0 0
24.0: 0 0 0
36.0: 0 0 0
48.
Table 8: Output for show ap counters (continued)

| Field | Description |
|---|---|
| TKIP Pkt Replays | Number of TKIP packets that were resent to the AP by a client. A low value (under about one hundred) does not necessarily indicate a problem. However, if this counter is increasing steadily or has a very high value (in the hundreds or more), a Denial of Service (DoS) attack might be occurring. Contact Nortel TAC. |
Table 8: Output for show ap counters (continued)

| Field | Description |
|---|---|
| User Sessions | Number of clients currently associated with the radio. Generally, this counter is equal to the number of sessions listed for the radio in show sessions output. However, the counter can differ from the counter in show sessions output if a client is associated with the radio but has not yet completed 802.1X authentication. In this case, the client is counted by this counter but not in the show sessions output. |
Table 8: Output for show ap counters (continued)

The counters above are global for all data rates. The counters below are for individual data rates.

Note: If counters for lower data rates are incrementing but counters for higher data rates are not incrementing, this can indicate poor throughput. The poor throughput can be caused by interference.
show ap fdb

Displays the entries in a specified AP’s forwarding database.

Syntax
show ap fdb ap-number

ap-number: Index value that identifies the AP on the WSS switch.

Defaults
None.

Access
All.

History
Introduced in WSS Version 6.0.

Examples
The following command displays FDB entries for AP 7:
WSS# show ap fdb 7
AP 7: # = System Entry.
show ap qos-stats

Displays statistics for AP forwarding queues.

Syntax
show ap qos-stats [ap-num] [clear]
show ap qos-stats [port-list] [clear]

ap-num: Number of an AP for which to display QoS statistics counters.
port-list: List of ports connected to the AP(s) for which to display QoS statistics counters.
clear: Clears the counters after displaying their current values.

Defaults
None.

Access
Enabled.

History
Version 4.0: Command introduced.
Version 4.1: TxDrop field added.
Table 10: Output for show ap qos-stats

| Field | Description |
|---|---|
| CoS | CoS value associated with the forwarding queues. |
| Queue | Forwarding queue. |
| AP or Port | AP number or AP port number. |
| radio | Radio number. |
| Tx | Number of packets transmitted to the air from the queue. |
| TxDrop | Number of packets dropped from the queue instead of being transmitted. Some packet drops are normal, especially if the RF environment is noisy. |
RxShortFrames: 0    TxUnderruns: 0
RxCrcErrors: 0      TxCarrierLoss: 0
RxOverruns: 0       TxDeferred: 150
RxDiscards: 0

AP: 1 ether: 2
=================================
RxUnicast: 64379     TxGoodFrames: 60621
RxMulticast: 21798   TxSingleColl: 32
RxBroadcast: 11      TxLateColl: 0
RxGoodFrames: 86188  TxMaxColl: 0
RxAlignErrs: 0       TxMultiColl: 12
RxShortFrames: 0     TxUnderruns: 0
RxCrcErrors: 0       TxCarrierLoss: 0
RxOverruns: 0        TxDeferred: 111
RxDiscards: 0

Table 44 describes the fields in this display.
Table 11: Output for show ap etherstats (continued)

| Field | Description |
|---|---|
| TxLateColl | Number of frames that were not transmitted because they encountered a collision outside the normal collision window. |
| TxMaxColl | Number of frames that were not transmitted because they encountered the maximum allowed number of collisions. Typically, this occurs only during periods of heavy traffic on the network. |
| TxMultiColl | Number of transmitted frames that encountered more than one collision. |
TX: RX: 307 44279 315 215046

Table 45 on page 358 describes the fields in the show ap mesh-links output.

Table 12: Output for show ap mesh-links

| Field | Description |
|---|---|
| AP | Identifier for the AP on the WSS. |
| Name | V-LAN name. |
| IP-addrs | IP address of AP. |
| Operational Mode | Indicates whether the AP is a Mesh AP or Mesh Portal AP. |
| Downlink Mesh-APs | Information about the Mesh APs that are associated with the Mesh Portal AP. |
| BSSID | Indicates the BSSID of the Mesh AP. |
radio 1: Shows status information for radio 1.
radio 2: Shows status information for radio 2. (This option does not apply to single-radio models.)

Defaults
None.

Access
Enabled.

History
Version 4.0
• New option added: terse
• New option added for show ap status: all
• New field added: fingerprint
• AP-WSS security status added to State field
Note: The fingerprint field and security state apply to the display for APs only.
Version 4.
Radio 1 type: 802.11g, state: configure succeed [Enabled] (802.11b protect)
operational channel: 1 operational power: 14
base mac: 00:0b:0e:00:d2:c0
bssid1: 00:0b:0e:00:d2:c0, ssid: public
bssid2: 00:0b:0e:00:d2:c2, ssid: employee-net
bssid3: 00:0b:0e:00:d2:c4, ssid: mycorp-tkip
Radio 2 type: 802.
ap100 oa10.8.255.11 AP-122 00:0b:0e:da:da:82 E 1/17 E36/11 0d 0h 0m17s

Table 46 and Table 46 describe the fields in these displays.

Table 13: Output for show ap status

| Field | Description |
|---|---|
| AP | Connection ID for the AP. Note: This field is applicable only if the AP is configured on the WSS as an AP. |
| Port | WSS port number. Note: This field is applicable only if the AP is directly connected to the WSS and the WSS’s port is configured as an AP access port. |
| IP-addr | IP address of the AP. |
Table 13: Output for show ap status (continued)

| Field | Description |
|---|---|
| State | State of the AP: • init—The AP has been recognized by the WSS but has not yet begun booting. • booting—The AP has asked the WSS for a boot image. • image downloading—The AP is receiving a boot image from the WSS. • image downloaded—The AP has received a boot image from the WSS and is booting. • configuring—The AP has booted and is ready to receive or is already receiving configuration parameters from the WSS. |
Table 13: Output for show ap status (continued)

| Field | Description |
|---|---|
| Radio 1 type, Radio 2 type | 802.11 type and configuration state of the radio. • The configure succeed state indicates that the AP has received configuration parameters for the radio and the radio is ready to accept client connections. • 802.11b protect indicates that the 802.11b/g radio is sending messages to 802.11b devices, while sending 802.11g traffic at higher data rates, to inform the 802.11b devices about the 802. |
Table 13: Output for show ap status (continued)

| Field | Description |
|---|---|
| Radio 1 type, Radio 2 type (cont.) | • Radar Detected indicates that DFS has detected radar on the channel. When this occurs, the AP stops transmitting on the channel for 30 minutes. If RF Auto-Tuning is enabled for channel assignment, the radio selects another channel and performs the initial channel availability check on the new channel, during which time the flag changes back to Radar Scan. |
Table 13: Output for show ap status (continued)

| Field | Description |
|---|---|
| bssid, ssid | SSIDs configured on the radio and their BSSIDs. |
| RFID Reports | Status of AeroScout asset tag support. • Active—The AeroScout Engine has enabled the tag report mode on the AP. • Inactive—The AeroScout Engine has not enabled, or has disabled, the tag report mode on the AP. Note: This field is displayed only if the rfid-mode option is enabled on the radio profile that manages the radio. |
Syntax
show ap vlan ap-number

ap-number: Index value that identifies the AP on the WSS switch.

Defaults
None.

Access
All.

History
Introduced in WSS Version 6.0.
show auto-tune attributes

Displays the current values of the RF attributes RF Auto-Tuning uses to decide whether to change channel or power settings.

Syntax
show auto-tune attributes [ap ap-num [radio {1 | 2 | all}]]
show auto-tune attributes [ap ap-num [radio {1 | 2 | all}]]

ap-num: AP port connected to the AP for which to display RF attributes.
ap-num: Number of an AP for which to display RF attributes.
radio 1: Shows RF attribute information for radio 1.
Table 16: Output for show auto-tune attributes (continued)

| Field | Description |
|---|---|
| Packet Retransmission Count | Number of retransmitted packets sent from the client to the radio on the active channel. Retransmissions can indicate that the client is not receiving ACKs from the AP radio. |
| Phy Errors Count | Number of frames received by the AP radio that had physical layer errors on the active channel. Phy errors can indicate interference from a non-802.11 device. |
Usage
For simplicity, this command displays a single entry for each Nortel radio, even if the radio is supporting multiple BSSIDs. However, BSSIDs for third-party 802.11 radios are listed separately, even if a radio is supporting more than one BSSID. Information is displayed for a radio if the radio sends beacon frames or responds to probe requests.
show ap boot-configuration

Displays information about the static IP address configuration (if any) on an AP.

Syntax
show ap boot-configuration ap-num

ap-num: Index value that identifies the AP on WSS.

Defaults
None.

Access
Enabled.

History
Version 4.1: Command introduced in WSS Software.
Version 6.0: Option dap removed.
Table 18: Output for show ap boot-configuration (continued)

| Field | Description |
|---|---|
| Switch | Whether the AP is configured to use a manually specified WSS as its boot device. |
| Mesh | Whether WLAN mesh services are enabled for this AP. |
| IP address | The static IP address assigned to this AP. |
| Netmask | The subnet mask assigned to this AP. |
| Gateway | The IP address of the default gateway assigned to this AP. |
If an AP is configured on this WSS (or another WSS in the same Mobility Domain) but does not have an active connection, the command does not display information for the AP. To show connection information for APs, use the show ap global command on one of the switches where the APs are configured.
show ap global

Displays connection information for APs configured on a WSS.

Syntax
show ap global [ap-num | serial-id serial-ID]

ap-num: Number of an AP for which to display configuration settings.
serial-id serial-ID: AP serial ID.

Defaults
None.

Access
Enabled.

Usage
Connections are shown only for the APs that are configured on the WSS from which you enter the command, and only for the Mobility Domain the switch is in.
Table 20: Output for show ap global (continued)

| Field | Description |
|---|---|
| WSS IP Address | System IP address of the WSS on which the AP is configured. A separate row of output is displayed for each WSS on which the AP is configured. |
Table 21: Output for show ap unconfigured

| Field | Description |
|---|---|
| Serial Id | Serial ID of the AP. |
| Model | AP model number. |
| IP Address | IP address of the AP. This is the address that the AP receives from a DHCP server. The AP uses this address to send a Find WSS message to request configuration information from WSS switches. However, the AP cannot use the address to establish a connection unless the AP first receives a configuration from a WSS. |
Examples
The following command displays information about the AP radios that are in the same group as radio 1 on AP 3:
WSS# show load-balancing group ap 3 radio 1
Radios in the same load-balancing group as: ap3/radio1
--------------------------------------------------
IP address AP Radio Overlap
------------------ ---- ----- -------
10.2.28.
Defaults
None.

Access
Enabled.

History
Version 4.0
• New fields added:
  • Countermeasures
  • Active-Scan
  • WMM enabled
• Name of the backoff timer field changed from Client Backoff Timer to Power Backoff Timer
Version 4.1
• WMM enabled field renamed to QoS Mode.
• Long Retry Limit and Short Retry Limit fields moved to show service-profile output. (These options are now configurable on a service-profile basis instead of a radio-profile basis.)
• Allow 802.11g clients only field removed.
Table 23: Output for show radio-profile

  Field            Description
  Beacon Interval  Rate (in milliseconds) at which each AP radio in the profile advertises the beaconed SSID.
  DTIM Interval    Number of times after every beacon that each AP radio in the radio profile sends a delivery traffic indication map (DTIM).
  Max Tx Lifetime  Number of milliseconds that a frame received by a radio in the radio profile can remain in buffer memory.
Table 23: Output for show radio-profile (continued)

  Field            Description
  Countermeasures  Indicates whether countermeasures are enabled.
  Active-Scan      Indicates whether the active-scan mode of RF detection is enabled.
  RFID enabled     Indicates whether AeroScout tag support is enabled.
  WMM Powersave    Indicates whether U-APSD support is enabled.
• set radio-profile mode on page 291
• set radio-profile preamble-length on page 294
• set radio-profile qos-mode on page 295
• set radio-profile rfid-mode on page 296
• set radio-profile rts-threshold on page 297
• set radio-profile service-profile on page 298
• set radio-profile wmm-powersave on page 305

show service-profile

Displays service profile information.

Syntax show service-profile {name | ?}

  name  Displays information about the named service profile.
Version 4.1 New fields added:
Version 5.
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
CAC mode: none
CAC sessions: 14
User idle timeout: 180
Idle client probing: yes
Keep initial vlan: no
Web Portal Session Timeout: 5
Web Portal ACL:
WEP Key 1 value:
WEP Key 2 value:
WEP Key 3 value:
WEP Key 4 value:
WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA enabled:
ciphers:
Table 24: Output for show service-profile (continued)

  Field              Description
  No broadcast       Indicates whether broadcast restriction is enabled. When this feature is enabled, WSS Software sends ARP requests and DHCP Offers and Acks as unicasts to their target clients instead of forwarding them as broadcasts.
  Short retry limit  Number of times a radio serving the service-profile’s SSID can send a short unicast frame without receiving an acknowledgment.
Table 24: Output for show service-profile (continued)

  Field                   Description
  Custom agent-directory  The name of the directory for SODA agent files on the WSS, if different from the default. By default, SODA agent files are stored in a directory with the same name as the service profile.
  Static COS              Indicates whether static CoS assignment is enabled. When this feature is enabled, APs assign the CoS value in the COS field to all user traffic forwarded by the AP.
Table 24: Output for show service-profile (continued)

  Field              Description
  WEP Key 3 value    State of static WEP key number 3:
                     • none—The key is not configured.
                     • preset—The key is configured.
  WEP Key 4 value    State of static WEP key number 4:
                     • none—The key is not configured.
                     • preset—The key is configured.
  WEP Unicast Index  Index of the static WEP key used to encrypt unicast traffic on an encrypted SSID.
Table 24: Output for show service-profile (continued)

  Field                                 Description
  11a / 11b / 11g transmit rate fields  Data transmission rate settings for each radio type:
                                        • beacon rate—Data rate of beacon frames sent by AP radios.
                                        • multicast rate—Data rate of multicast frames sent by AP radios. If the rate is auto, the AP sets the multicast rate to the highest rate that can reach all clients connected to the radio.
• set service-profile psk-raw on page 323
• set service-profile rsn-ie on page 323
• set service-profile shared-key-auth on page 324
• set service-profile short-retry-count on page 325
• set service-profile soda mode on page 329
• set service-profile ssid-name on page 331
• set service-profile ssid-type on page 332
• set service-profile static-cos on page 332
• set service-profile tkip-mc-time on page 333
• set service-profile transmit-rates on page 334
• set service-pro
NN47250-100 (Version 02.
STP Commands

Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a WSS, to maintain a loop-free network. This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter based on their use.
clear spantree portcost

Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WSS.

Syntax clear spantree portcost port-list

  port-list  List of ports. The port cost is reset on the specified ports.

Defaults None.
Access Enabled.
Usage This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.
See Also
• clear spantree portvlanpri on page 391
• set spantree portpri on page 397
• set spantree portvlanpri on page 398
• show spantree on page 400

clear spantree portvlancost

Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a WSS, or for all VLANs.

Syntax clear spantree portvlancost port-list {all | vlan vlan-id}

  port-list  List of ports. The port cost is reset on the specified ports.
Syntax clear spantree portvlanpri port-list {all | vlan vlan-id}

  port-list     List of ports. The port priority is reset to 32 (the default) on the specified ports.
  all           Resets the priority for all VLANs.
  vlan vlan-id  VLAN name or number. WSS Software resets the priority for only the specified VLAN.

Defaults None.
Access Enabled.
Usage WSS Software does not change a port’s priority for VLANs other than the one(s) you specify.
See Also show spantree statistics on page 407

set spantree

Enables or disables STP on one VLAN or all VLANs configured on a WSS.

Syntax set spantree {enable | disable} [{all | vlan vlan-id | port port-list vlan-id}]

  enable        Enables STP.
  disable       Disables STP.
  all           Enables or disables STP on all VLANs.
  vlan vlan-id  VLAN name or number. WSS Software enables or disables STP on only the specified VLAN, on all ports within the VLAN.
Usage If you plan to use the backbone fast convergence feature, you must enable it on all the bridges in the spanning tree.

Examples The following command enables backbone fast convergence:

WSS# set spantree backbonefast enable
success: change accepted.
Examples The following command changes the hello interval for all VLANs to 4 seconds:

WSS# set spantree hello 4 all
success: change accepted.

See Also show spantree on page 400

set spantree maxage

Changes the maximum age for an STP root bridge hello packet that is acceptable to a WSS acting as a designated bridge on one or all of its VLANs.
Defaults The default port cost depends on the port speed and link type. Table 58 lists the defaults for STP port path cost.

Table 1.
  enable   Enables port fast convergence.
  disable  Disables port fast convergence.

Defaults STP port fast convergence is disabled by default.
Access Enabled.
Usage Use port fast convergence on ports that are directly connected to servers, hosts, or other MAC stations.

Examples The following command enables port fast convergence on ports 9, 11, and 13:

WSS# set spantree portfast port 9,11,13 enable
success: change accepted.
Syntax set spantree portvlancost port-list cost cost {all | vlan vlan-id}

  port-list     List of ports. WSS Software applies the cost change to all the specified ports.
  cost cost     Numeric value. You can specify a value from 1 through 65,535. STP selects lower-cost paths over higher-cost paths.
  all           Changes the cost on all VLANs.
  vlan vlan-id  VLAN name or number. WSS Software changes the cost on only the specified VLAN.
Examples The following command sets the priority of ports 3 and 4 to 48 on VLAN mauve:

WSS# set spantree portvlanpri 3-4 priority 48 vlan mauve
success: change accepted.

See Also
• clear spantree portpri on page 390
• clear spantree portvlanpri on page 391
• set spantree portpri on page 397
• show spantree on page 400

set spantree priority

Changes the STP root bridge priority of a WSS on one or all of its VLANs.
Defaults Disabled.
Access Enabled.
Usage The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core (distribution layer) but are not in the core themselves. Do not enable the feature on WSSs that are in the network core.

Examples The following command enables uplink fast convergence:

WSS# set spantree uplinkfast enable
success: change accepted.
Bridge Max Age 20 sec   Hello Time 2 sec   Forward Delay 15 sec

Nortel WLAN—Security Switch 2300 Series Command Line Reference
Port  Vlan  STP-State   Cost  Prio  Portfast
-----------------------------------------------------------------------------
1     1     Forwarding  19    128   Disabled
2     1     STP Off     19    128   Disabled
3     1     Disabled    19    128   Disabled
4     1     Disabled    19    128   Disabled
5     1     Disabled    19    128   Disabled
6     1     Disabled    19    128   Disabled
7     1     Disabled    19    128   Disabled
8     1     Disabled    19    128   Disabled

Table 59 describes the fields in this display.

Table 2: Output for show spantree

  Field  Description
  VLAN   VLAN number.
Table 2: Output for show spantree (continued)

  Field                    Description
  STP-State or Port-State  STP state of the port:
                           • Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic.
                           • Disabled—This state can indicate any of the following conditions:
                             • The port is inactive.
                             • The port is disabled.
                             • STP is enabled on the port but the port is not forwarding traffic. (The port is active and enabled but STP has just started to come up.
Access All.

Examples The following example shows the command output on a WSS with backbone fast convergence enabled:

WSS# show spantree backbonefast
Backbonefast is enabled

See Also set spantree backbonefast on page 393

show spantree blockedports

Lists information about WSS ports that STP has blocked on one or all of its VLANs.

Syntax show spantree blockedports [vlan vlan-id]

  vlan vlan-id  VLAN name or number.
See Also show spantree on page 400

show spantree portfast

Displays STP uplink fast convergence information for all network ports or for one or more network ports.

Syntax show spantree portfast [port-list]

  port-list  List of ports. If you do not specify any ports, WSS Software displays uplink fast convergence information for all ports.

Defaults None.
Access All.
Table 3: Output for show spantree portfast

  Field     Description
  Port      Port number.
  VLAN      VLAN number.
  Portfast  State of the uplink fast convergence feature:
            • Enable
            • Disable

See Also set spantree portfast on page 396

show spantree portvlancost

Displays the cost of a port on a path to the STP root bridge, for each of the port’s VLANs.

Syntax show spantree portvlancost port-list

  port-list  List of ports.

Defaults None.
Access All.
show spantree statistics

Displays STP statistics for one or more WSS network ports.

Syntax show spantree statistics [port-list [vlan vlan-id]]

  port-list     List of ports. If you do not specify any ports, WSS Software displays STP statistics for all ports.
  vlan vlan-id  VLAN name or number. If you do not specify a VLAN, WSS Software displays STP statistics for all VLANs.

Defaults None.
Access All.
Usage The command displays statistics separately for each port.
scp failure count                   0
root inc trans count (port/VLAN)    1 (1)
inhibit loopguard                   FALSE
loop inc trans count                0 (0)

Status of Port Timers
forward delay timer                 INACTIVE
forward delay timer value           15
message age timer                   ACTIVE
message age timer value             0
topology change timer               INACTIVE
topology change timer value         0
hold timer                          INACTIVE
hold timer value                    0
delay root port timer               INACTIVE
delay root port timer value         0
delay root port timer restarted is  FALSE

VLAN based information & statistics
spanning tr
next state           0
src MAC count        21807
total src MAC count  21825
curr_src_mac         00-0b-0e-00-04-30
next_src_mac         00-0b-0e-02-76-f6

Table 61 describes the fields in this display.

Table 4: Output for show spantree statistics

  Field                           Description
  Port                            Port number.
  VLAN                            VLAN ID.
  Spanning Tree enabled for vlan  State of the STP feature on the VLAN.
  port spanning tree              State of the STP feature on the port.
Table 4: Output for show spantree statistics (continued)

  Field              Description
  designated cost    Total path cost to reach the root bridge.
  designated_bridge  Bridge to which this switch forwards traffic away from the root bridge.
  designated_port    STP port through which this switch forwards traffic away from the root bridge.
  top_change_ack     Value of the topology change acknowledgment flag in the next configured bridge protocol data unit (BPDU) to be transmitted on the associated port.
Table 4: Output for show spantree statistics (continued)

  Field                        Description
  hold timer                   Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port.
  hold timer value             Current value of the hold timer, in seconds.
  delay root port timer        Status of the delay root port timer, which enables fast convergence when uplink fast convergence is enabled.
  delay root port timer value  Current value of the delay root port timer.
Table 4: Output for show spantree statistics (continued)

  Field                             Description
  num of similar BPDU’s to process  Number of similar BPDUs received on a port that need to be processed.
  received_inferior_bpdu            Indicates whether the port has received an inferior BPDU or a response to a Root Link Query (RLQ) BPDU.
  next state                        Port state before it is set by STP.
  src MAC count                     Number of BPDUs with the same source MAC address.
See Also set spantree uplinkfast on page 399
IGMP Snooping Commands

Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a WSS. This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Examples The following command clears IGMP statistics for all VLANs:

WSS# clear igmp statistics
IGMP statistics cleared for all vlans

See Also show igmp statistics on page 431

set igmp

Disables or reenables IGMP snooping on one VLAN or all VLANs on a WSS.

Syntax set igmp {enable | disable} [vlan vlan-id]

  enable        Enables IGMP snooping.
  disable       Disables IGMP snooping.
  vlan vlan-id  VLAN name or number.
Examples The following command changes the last member query interval on VLAN orange to 5 tenths of a second:

WSS# set igmp lmqi 5 vlan orange
success: change accepted.

See Also
• set igmp oqi on page 418
• set igmp qi on page 420
• set igmp mrouter on page 417

set igmp mrouter

Adds or removes a port in a WSS’s list of ports on which it forwards traffic to multicast routers.
Syntax set igmp mrsol {enable | disable} [vlan vlan-id]

  enable        Enables multicast router solicitation.
  disable       Disables multicast router solicitation.
  vlan vlan-id  VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.

Defaults Multicast router solicitation is disabled on all VLANs by default.
Access Enabled.
Syntax set igmp oqi seconds [vlan vlan-id]

  oqi seconds   Number of seconds that the WSS waits for a general query to arrive before electing itself the querier. You can specify a value from 1 through 65,535.
  vlan vlan-id  VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.

Defaults The default other-querier-present interval is 255 seconds (4.25 minutes).
Access Enabled.
Usage Proxy reporting reduces multicast overhead by sending only one membership report for a group to the multicast routers and discarding other membership reports for the same group. If you disable proxy reporting, the WSS sends all membership reports to the routers, including multiple reports for the same group.

Examples The following example disables proxy reporting on VLAN orange:

WSS# set igmp proxy-report disable vlan orange
success: change accepted.
Syntax set igmp qri tenth-seconds [vlan vlan-id]

  qri tenth-seconds  Amount of time (in tenths of a second) that the WSS waits for a receiver to respond to a group-specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535.
  vlan vlan-id       VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Examples The following example enables the pseudo-querier on the orange VLAN:

WSS# set igmp querier enable vlan orange
success: change accepted.

See Also show igmp querier on page 427

set igmp receiver

Adds or removes a network port in the list of ports on which a WSS forwards traffic to multicast receivers. Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out.
Defaults The default robustness value for all VLANs is 2.
Access Enabled.

Examples The following example changes the robustness value on VLAN orange to 4:

WSS# set igmp rv 4 vlan orange
success: change accepted.

See Also
• set igmp oqi on page 418
• set igmp qi on page 420
• set igmp qri on page 420

show igmp

Displays IGMP configuration information and statistics for one VLAN or all VLANs.

Syntax show igmp [vlan vlan-id]

  vlan vlan-id  VLAN name or number.
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- ----
1 193.122.135.
Table 1: Output for show igmp (continued)

  Field                         Description
  Multicast router information  List of multicast routers and active multicast groups. The fields containing this information are described separately. The show igmp mrouter command shows the same information.
  Port                          Number of the physical port through which the WSS can reach the router.
  Mrouter-IPaddr                IP address of the multicast router interface.
  Mrouter-MAC                   MAC address of the multicast router interface.
Table 1: Output for show igmp (continued)

  Field                   Description
  TTL                     Number of seconds before this entry ages out if the WSS does not receive a query message from the querier.
  IGMP vlan member ports  Physical ports in the VLAN. This list includes all network ports configured to be in the VLAN and all ports WSS Software dynamically assigns to the VLAN when a user assigned to the VLAN becomes a receiver.
Table 2: Output for show igmp mrouter

  Field                       Description
  Multicast routers for vlan  VLAN containing the multicast routers. Ports are listed separately for each VLAN.
  Port                        Number of the physical port through which the WSS can reach the router.
  Mrouter-IPaddr              IP address of the multicast router.
  Mrouter-MAC                 MAC address of the multicast router.
Examples The following command displays querier information for VLAN orange:

WSS# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- -----------------
1 193.122.135.
Syntax show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]

  vlan vlan-id                     VLAN name or number. If you do not specify a VLAN, WSS Software displays the multicast receivers on all VLANs.
  group group-ip-addr/mask-length  IP address and subnet mask of a multicast group, in CIDR format (for example, 239.20.20.10/24). If you do not specify a group address, WSS Software displays the multicast receivers for all groups.

Defaults None.
Access All.
Table 4: Output for show igmp receiver-table

  Field         Description
  VLAN          VLAN that contains the multicast receiver ports. Ports are listed separately for each VLAN.
  Session       IP address of the multicast group being received.
  Port          Physical port through which the WSS can reach the receiver.
  Receiver-IP   IP address of the receiver.
  Receiver-MAC  MAC address of the receiver.
DVMRP 4 4
PIM V1 0 0
PIM V2 0 0
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4 0 0 0

Table 67 describes the fields in this display.

Table 5: Output for show igmp statistics

  Field                     Description
  IGMP statistics for vlan  VLAN name. Statistics are listed separately for each VLAN.
Table 5: Output for show igmp statistics (continued)

  Field              Description
  IGMP message type  Type of IGMP message, continued:
                     • Mrouter-Term—Multicast router termination messages. A multicast router sends this type of message when multicast forwarding is disabled on the router interface, the router interface is administratively disabled, or the router itself is gracefully shutdown.
                     • Mrouter-Sol—Multicast router solicitation messages.
Session Management Commands

Use session management commands to display and clear administrative and network user sessions. This chapter presents session management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
To clear Telnet client session 0, type the following command:

WSS# clear sessions telnet client 0

See Also show sessions on page 437

clear sessions network

Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
To clear the session of user Natasha, type the following command:

23x0# clear sessions network user Natasha

To clear the sessions of users whose name begins with the characters Jo, type the following command:

23x0# clear sessions network user Jo*

To clear the sessions of all users on VLAN red, type the following command:

23x0# clear sessions network vlan red

See Also
• show sessions on page 437
• show sessions network on page 439

show sessions

Displays session informat
To view information about console users’ sessions, type the following command:

WSS> show sessions console
Tty     Username             Time (s)
------- -------------------- -------
console                      8573
1 console session

To view information about Telnet users sessions, type the following command:

WSS> show sessions telnet
Tty     Username             Time (s)
------- -------------------- -------
tty2    sea                  7395

To view information about Telnet client sessions, type the following command:

WSS# show sessions telnet cli
Table 2: show sessions telnet client Output

  Field           Description
  Session         Session number assigned by WSS Software when the client session is established.
  Server Address  IP address of the remote device.
  Server Port     TCP port number of the remote device’s TCP server.
  Client Port     TCP port number WSS Software is using for the client side of the session.
Defaults None.
Access All.
History
  Version 4.1
    Output added to the show network sessions verbose command to indicate the user’s authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile.
  Version 5.0
    • Host name field added to show sessions network verbose output.
    • AP serial number added to show sessions network verbose output.
WSS> show sessions network
User                           Sess IP or MAC         VLAN            Port/
Name                           ID   Address           Name            Radio
------------------------------ ---- ----------------- --------------- -----
EXAMPLE\Natasha                4*   10.10.40.17       vlan-eng        3/1
host/laptop11.exmpl.com        6*   10.10.40.16       vlan-eng        3/2
nin@exmpl.com                  539* 10.10.40.17       vlan-eng        1/1
EXAMPLE\hosni                  302* 10.10.40.10       vlan-eng        3/1
                               563  00:0b:be:15:46:56 (none)          1/2
jose@exmpl.com                 380* 10.30.40.8        vlan-eng        1/1
00:30:65:16:8d:69              443* 10.10.40.
The following command displays information about network session 88:

WSS# show sessions network session-id 88
Local Id: 88
Global Id: SESS-88-00040f-876766-623fd6
State: ACTIVE
SSID: Rack-39-PM
Port/Radio: 10/1
MAC Address: 00:0f:66:f4:71:6d
User Name: last-resort-Rack-39-PM
IP Address: 10.2.39.
Table 3: show sessions network (summary) Output (continued)

  Field              Description
  IP or MAC Address  IP address of the session user, or the user’s MAC address if the user has not yet received an IP address.
  VLAN Name          Name of the VLAN associated with the session.
  Port/Radio         Number of the port and radio through which the user is accessing this session.

Table 4: Additional show sessions network verbose Output

  Field       Description
  Client MAC  MAC address of the session user.
Table 4: Additional show sessions network verbose Output (continued)

  Field   Description
  now on  Shows the following information about the AP and radio the session is currently on:
          • IP address and port number of the WSS managing the AP
          • Serial number and radio number of the AP
          • Amount of time the session has been on this AP
  from    Shows information about the APs from which the session has roamed. (See the descriptions above for the now on field.
Table 5: show sessions network session-id Output

  Field      Description
  Local Id   Identifier for the session on this particular switch. (This is the session ID you specify when entering the show sessions network session-id command.)
  Global Id  Unique session identifier within the Mobility Domain.
  State      Status of the session:
             • AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol.
             • AUTH AND ASSOC—Client is being associated by the 802.
Table 5: show sessions network session-id Output (continued)

  Field            Description
  Tag              System-wide supported VLAN tag type.
  Session Start    Indicates when the session started.
  Last Auth Time   Indicates when the most recent authentication of the session occurred.
  Last Activity    Indicates when the last activity (transmission) occurred on the session.
  Session Timeout  Assigned session timeout in seconds.
See Also clear sessions network on page 436
Security ACL Commands

Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering. (Security ACLs are different from the location policy on a WSS, which helps you locally control user access. For location policy commands, see Chapter , “AAA Commands,” on page 165.
Defaults None.
Access Enabled.
Usage This command deletes security ACLs only in the edit buffer. You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage.
clear security acl map

Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on a WSS.

Note. Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To delete a security ACL from a user or group in the local WSS database, use the command clear user attr, clear mac-user attr, clear usergroup attr, or clear macusergroup attr.
To clear all physical ports, virtual ports, and VLANs on a WSS of the ACLs mapped for incoming and outgoing traffic, type the following command:

WSS# clear security acl map all
success: change accepted.

See Also
• clear security acl on page 449
• set security acl map on page 459
• show security acl map on page 464

commit security acl

Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the WSS.
See Also
• clear security acl on page 449
• rollback security acl on page 453
• set security acl on page 454
• show security acl on page 461
• show security acl info on page 463

hit-sample-rate

This command has been renamed in WSS Software Version 4.1. To configure the hit sample rate, see set security acl hit-sample-rate on page 460.

rollback security acl

Clears changes made to the security ACL edit buffer since it was last saved.
set security acl

In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE) to a security ACL, and/or reorders ACEs in the ACL. The ACEs in an ACL filter IP packets by source IP address, a Layer 4 protocol, or IP, ICMP, TCP, or UDP packet information.
By UDP packets

set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask | any [operator port [port2]]} {destination-ip-addr mask | any [operator port [port2]]} [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbufferindex | modify editbuffer-index] [hits]

  acl-name  Security ACL name. ACL names must be unique within the WSS switch, must start with a letter, and are case-insensitive.
  protocol                   IP protocol by which to filter packets:
                             • ip
                             • tcp
                             • udp
                             • icmp
                             • A protocol number between 0 and 255.
                             (For a complete list of IP protocol names and numbers, see www.iana.org/assignments/protocol-numbers.)
  source-ip-addr mask | any  IP address and wildcard mask of the network or host from which the packet is being sent. Specify both address and mask in dotted decimal notation. For more information, see “Wildcard Masks” on page 12.
  precedence precedence  Filters packets by precedence level. Specify a value from 0 through 7:
                         • 0—routine precedence
                         • 1—priority precedence
                         • 2—immediate precedence
                         • 3—flash precedence
                         • 4—flash override precedence
                         • 5—critical precedence
                         • 6—internetwork control precedence
                         • 7—network control precedence
  tos tos                Filters packets by type of service (TOS) level. Specify one of the following values, or any sum of these values up to 15.
History
  WSS Software Version 4.1
    The any option is supported for the source or destination IP address and mask. This option is equivalent to 0.0.0.0 255.255.255.255.
    Note: The any option is shown in the configuration file as 0.0.0.0 255.255.255.255, regardless of whether you specify any or 0.0.0.0 255.255.255.255 when you configure the ACE.
    The dscp codepoint is added. This option enables you to filter based on a packet’s Differentiated Services Code Point (DSCP) value.
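The following is an added example, not part of the Nortel reference or WSS Software: a small Python checker that applies the address and wildcard mask semantics described above to ACE lines written in the form that show security acl info displays. The function names are hypothetical, and top-to-bottom, first-match evaluation is an assumption of the example.

```python
import ipaddress
import re

# One ACE as displayed by "show security acl info", for example:
#   1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
ACE_RE = re.compile(
    r"^\s*(?:(?P<index>\d+)\.\s+)?(?P<action>permit|deny)\s+IP\s+"
    r"source\s+IP\s+(?P<src>any|\S+\s+\S+)\s+"
    r"destination\s+IP\s+(?P<dst>any|\S+\s+\S+)",
    re.IGNORECASE,
)
ALL_ONES = 0xFFFFFFFF


def parse_selector(text):
    """Turn 'addr wildcard' or 'any' into an (address, wildcard) pair of ints."""
    if text.lower() == "any":
        # Documented equivalence: any == 0.0.0.0 255.255.255.255
        return 0, ALL_ONES
    addr, wildcard = text.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def selector_matches(selector, ip):
    """A 1 bit in the wildcard mask means that address bit is not compared."""
    addr, wildcard = selector
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_ace(line):
    m = ACE_RE.match(line)
    if m is None:
        raise ValueError(f"not an IP ACE: {line!r}")
    return {
        "index": int(m.group("index")) if m.group("index") else None,
        "action": m.group("action").lower(),
        "src": parse_selector(m.group("src")),
        "dst": parse_selector(m.group("dst")),
    }


def evaluate(aces, src_ip, dst_ip):
    """Return the action of the first matching ACE, or None if none matches.

    Assumption of this example: ACEs are checked in listed order and the
    first match decides.
    """
    for ace in aces:
        if selector_matches(ace["src"], src_ip) and selector_matches(ace["dst"], dst_ip):
            return ace["action"]
    return None


def audit(aces):
    """Flag selectors whose written address has bits the wildcard mask ignores.

    Such an ACE reads like a host rule but matches more addresses. Each finding
    is (ACE index, side, lowest matching address, highest matching address).
    """
    findings = []
    for ace in aces:
        for side in ("src", "dst"):
            addr, wildcard = ace[side]
            if addr & wildcard:
                lowest = ipaddress.IPv4Address(addr & ~wildcard & ALL_ONES)
                highest = ipaddress.IPv4Address(addr | wildcard)
                findings.append((ace["index"], side, str(lowest), str(highest)))
    return findings


# Sample ACEs in the display format, built for this example.
SAMPLE_ACL = [
    "1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits",
    "2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any",
]
ACES = [parse_ace(line) for line in SAMPLE_ACL]

if __name__ == "__main__":
    for src in ("192.168.1.200", "192.168.2.11", "192.168.2.12"):
        print(src, "->", evaluate(ACES, src, "10.0.0.1"))
    for finding in audit(ACES):
        print("ignored address bits:", finding)
```

The audit flags the first ACE because the wildcard mask 0.0.0.255 ignores the final octet, so the rule written with 192.168.1.11 matches every address from 192.168.1.0 through 192.168.1.255.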
set security acl map

Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or AP on the WSS.

Note. To assign a security ACL to a user or group in the local WSS database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS server.
• commit security acl on page 452
• set mac-user attr on page 197
• set mac-usergroup attr on page 203
• set security acl on page 454
• set user attr on page 207
• set usergroup on page 208
• show security acl map on page 464

set security acl hit-sample-rate

Specifies the time interval, in seconds, at which the packet counter for each security ACL is sampled for display. The counter counts the number of packets filtered by the security ACL—or “hits.
WSS# show security acl hits
ACL hit counters
Index Counter              ACL-name
----- -------------------- ----------
    1                    0 acl_2
    2                    0 acl_175
    3                  916 acl_153

See Also
• show security acl hits on page 462
• show security acl info on page 463

show security acl
Displays a summary of the security ACLs that are mapped.
Syntax show security acl
Defaults None.
Access Enabled.
Usage This command lists only the ACLs that have been mapped to something (a user, or VLAN, or port, and so on).
show security acl editbuffer
Displays a summary of the security ACLs that have not yet been committed to the configuration.
Syntax show security acl [info all] editbuffer
info all
Displays the ACEs in each uncommitted ACL. Without this option, only the ACE names are listed.
Defaults None.
Access Enabled.
Syntax show security acl hits
Defaults None.
Access Enabled.
Usage For WSS Software to count hits for a security ACL, you must specify hits in the set security acl commands that define ACE rules for the ACL.
set security acl ip acl_123 (hits #5 462)
---------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any

set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.
See Also
• clear security acl map on page 451
• set security acl map on page 459
• show security acl on page 461

show security acl resource-usage
Displays statistics about the resources used by security ACL filtering on the WSS.
Syntax show security acl resource-usage
Defaults None.
Access Enabled.
Usage Use this command with the help of the Nortel Enterprise Technical Support (NETS) to diagnose an ACL resource problem. (To contact NETS, see “How to get help” on page 3.
L4 global : True
No rules : False
Non-IP rules : False
Root in first : True
Static default action : False
No per-user (MAC) mapping : True
Out mapping : False
In mapping : True
No VLAN or PORT mapping : False
No VPORT mapping : True

Table 73 explains the fields in the show security acl resource-usage output.

Table 1: show security acl resource-usage Output
Field Description
Number of rules
Number of security ACEs currently mapped to ports or VLANs.
Security ACL Commands 477 Table 1: show security acl resource-usage Output (continued) Field Description Port number Control value for handling fragmented IP packets. Note: The current WSS Software version filters only the first packet of a fragmented IP packet and passes the remaining fragments. Number of action types Number of actions that can be performed by ACLs. This value is always 2, because ACLs can either permit or deny.
Table 1: show security acl resource-usage Output (continued)
Field Description
In mapping
Application of security ACLs to incoming traffic on the WSS:
• True—Security ACLs are mapped to incoming traffic.
• False—No security ACLs are mapped to incoming traffic.
No VLAN or PORT mapping
Application of security ACLs to WSS VLANs or ports on the WSS:
• True—No security ACLs are mapped to VLANs or ports.
• False—Security ACLs are mapped to VLANs or ports.
No VPORT mapping
Cryptography Commands A digital certificate is a form of electronic identification for computers. The WSS requires digital certificates to authenticate its communications to WLAN Management Software and Web View, to Web-based AAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WSS performs all EAP processing. Certificates can be generated on the WSS or obtained from a certificate authority (CA).
crypto ca-certificate
Installs a certificate authority’s own PKCS #7 certificate into the WSS certificate and key storage area.
Syntax crypto ca-certificate {admin | eap | web} PEM-formatted-certificate
admin
Stores the certificate authority’s certificate that signed the administrative certificate for the WSS. The administrative certificate authenticates the WSS to WLAN Management Software or Web View.
mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz
.....
Lm8wmVYxP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE-----
See Also show crypto ca-certificate on page 479

crypto certificate
Installs one of the WSS’s PKCS #7 certificates into the certificate and key storage area on the WSS. The certificate, which is issued and signed by a certificate authority, authenticates the WSS either to WLAN Management Software or Web View, or to 802.1X supplicants (clients).
-----BEGIN CERTIFICATE-----
MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVB AMU EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
.....
2L8Q9tk+G2As84QYLm8wmVY>xP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE-----
See Also
• crypto generate request on page 473
• crypto generate self-signed on page 475

crypto generate key
Generates an RSA public-private encryption key pair that is required for a Certificate Signing Request (CSR) or a self-signed certificate.
Cryptography Commands 483 SSH requires an SSH authentication key, but you can allow WSS Software to generate it automatically. The first time an SSH client attempts to access the SSH server on a WSS, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto generate key ssh 2048 command to generate one.
Cryptography Commands Email Address string (Optional) Specify your email address, in up to 80 alphanumeric characters with no spaces. Unstructured Name string (Optional) Specify any name, in up to 80 alphanumeric characters with no spaces. Defaults None. Access Enabled. History Version 4.1 • webaaa option renamed to web • Maximum string length for State Name increased from two to 64 alphanumeric characters.
-----END CERTIFICATE REQUEST-----
See Also
• crypto certificate on page 471
• crypto generate key on page 472

crypto generate self-signed
Generates a self-signed certificate for either an administrative certificate for use with WLAN Management Software or an EAP certificate for use with 802.1X wireless users.
Syntax crypto generate self-signed {admin | eap | web}
admin
Generates an administrative certificate to authenticate the WSS to WLAN Management Software or Web View.
Defaults None.
Access Enabled.
History Version 4.1: webaaa option renamed to web
Usage To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command.
Examples To generate a self-signed administrative certificate, type the following command:
WSS# crypto generate self-signed admin
Country Name:
State Name:
Locality Name:
Organizational Name:
Organizational Unit:
Common Name: wss1@example.
Cryptography Commands 487 one-time-password Password of at least 1 alphanumeric character, with no spaces, for clients other than Microsoft Windows clients. The password must be the same as the password protecting the PKCS #12 object file. Note: On a WSS that handles communications to and from Microsoft Windows clients, use a one-time password of 31 characters or fewer.
Cryptography Commands web Unpacks a PKCS #12 object file for a Web-based AAA certificate and key pair—and optionally the certificate authority’s own certificate—for authenticating the WSS to Web-based AAA clients. file-location-url Location of the PKCS #12 object file to be installed. Specify a location of between 1 and 128 alphanumeric characters, with no spaces. Defaults The password you enter with the crypto otp command must be the same as the one protecting the PKCS #12 file. Access Enabled.
Cryptography Commands 489 show crypto ca-certificate Displays information about the certificate authority’s PEM-encoded PKCS #7 certificate. Syntax show crypto ca-certificate {admin | eap | web} admin Displays information about the certificate authority’s certificate that signed the administrative certificate for the WSS. The administrative certificate authenticates the WSS to WLAN Management Software or Web View.
Cryptography Commands • show crypto certificate on page 480 show crypto certificate Displays information about one of the cryptographic certificates installed on the WSS. Syntax show crypto certificate {admin | eap | web} admin Displays information about the administrative certificate that authenticates the WSS to WLAN Management Software or Web View. eap Displays information about the EAP certificate that authenticates the WSS to 802.1X supplicants (clients).
Cryptography Commands 491 See Also • crypto generate self-signed on page 475 • show crypto ca-certificate on page 479 show crypto key domain Displays the checksum (also called a fingerprint) of the public key used to authenticate management traffic between WSSs. Syntax show crypto key domain Defaults None. Access Enabled. History Introduced in WSS Software 5.0.
Cryptography Commands NN47250-100 (Version 02.
RADIUS and Server Groups Commands Use RADIUS commands to set up communication between a WSS and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users. This chapter presents RADIUS commands alphabetically. Use the following table to locate commands in this chapter based on their uses.
retransmit
Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable.
timeout
Number of seconds to wait for the RADIUS server to respond before retransmitting.
Defaults Global RADIUS parameters have the following default values:
• deadtime—0 (zero) minutes (The WSS does not designate unresponsive RADIUS servers as unavailable.
Examples To clear the system IP address as the permanent source address for RADIUS client requests, type the following command:
WSS# clear radius client system-ip
success: change accepted.
See Also
• set radius client system-ip on page 488
• show aaa on page 210

clear radius proxy client
Removes RADIUS proxy client entries for third-party APs.
Syntax clear radius proxy client all
Defaults None.
Access Enabled.
History Introduced in WSS Software 4.0.
clear radius server
Removes the named RADIUS server from the WSS configuration.
Syntax clear radius server server-name
server-name
Name of a RADIUS server configured to perform remote AAA services for the WSS.
Defaults None.
Access Enabled.
History Introduced in WSS Software 1.0.
Examples The following command removes the RADIUS server rs42 from a list of remote AAA servers:
WSS# clear radius server rs42
success: change accepted.
RADIUS and Server Groups Commands 497 See Also set server group on page 492 set radius Configures global defaults for RADIUS servers that do not explicitly set these values themselves. By default, the WSS automatically sets all these values except the password (key).
History Version 4.1: encrypted-key option added
Usage You can specify only one parameter per command line.
Examples The following commands set the dead time to 5 minutes, the RADIUS key to goody, the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers connected to the WSS:
23x0# set radius deadtime 5
success: change accepted.
23x0# set radius key goody
success: change accepted.
23x0# set radius retransmit 1
success: change accepted.
set radius proxy client
Adds a RADIUS proxy entry for a third-party AP. The proxy entry specifies the IP address of the AP and the UDP ports on which the WSS listens for RADIUS traffic from the AP.
Syntax set radius proxy client address ip-address [acct-port acct-udp-port-number] [port udp-port-number] key string
address ip-address
IP address of the third-party AP. Enter the address in dotted decimal notation.
RADIUS and Server Groups Commands tag tag-value 802.1Q tag value in packets sent by the third-party AP for the SSID. ssid ssid-name SSID supported by the third-party AP. Defaults None. Access Enabled. History Introduced in WSS Software 4.0. Usage AAA for third-party AP users has additional configuration requirements. See the “Configuring AAA for Users of Third-Party APs” section in the “Configuring AAA for Network Users” chapter of the Nortel WLAN 2300 System Software Configuration Guide.
deadtime minutes
Number of minutes the WSS waits after declaring an unresponsive RADIUS server unavailable before retrying that RADIUS server. Specify between 0 (zero) and 1440 minutes (24 hours). A zero value causes the switch to identify unresponsive servers as available.
key string | encrypted-key string
Password (shared secret key) the WSS uses to authenticate to RADIUS servers. You must provide the same password that is defined on the RADIUS server.
RADIUS and Server Groups Commands Examples To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts, 5 minutes of dead time, a key string of keys4u, and the default authorization password of nortel, type the following command: 23x0# set radius server RS42 address 198.162.1.
See Also
• clear server group on page 486
• set server group load-balance on page 493
• show aaa on page 210

set server group load-balance
Enables or disables load balancing among the RADIUS servers in a server group.
Syntax set server group group-name load-balance {enable | disable}
group-name
Server group name of up to 32 characters.
load-balance enable | disable
Enables or disables load balancing of authentication requests among the servers in the group.
802.1X Management Commands

Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a WSS. For best results, change the settings only if you are aware of a problem with the WSS’s 802.1X performance. This chapter presents 802.1X commands alphabetically. Use the following table to locate commands in this chapter based on their use. For information about configuring 802.1X commands for user authentication, see Chapter , “AAA Commands,” on page 165. Caution! 802.
set dot1x timeout supplicant on page 505
clear dot1x timeout supplicant on page 499
Settings, Active Clients, and Statistics
show dot1x on page 507

clear dot1x bonded-period
Resets the Bonded Auth period to its default value.
Syntax clear dot1x bonded-period
Defaults The default bonded authentication period is 0 seconds.
Access Enabled.
History Introduced in WSS Software Version 2.1.
clear dot1x port-control
Resets all wired authentication ports on the WSS to default 802.1X authentication.
Syntax clear dot1x port-control
Defaults By default, all wired authentication ports are set to auto and they process authentication requests as determined by the set authentication dot1X command.
Access Enabled.
History Introduced in WSS Software 1.0.
Usage This command is overridden by the set dot1x authcontrol command.
Access Enabled.
History Introduced in WSS Software 1.0.
Examples Type the following command to reset the maximum number of reauthorization attempts to the default:
WSS# clear dot1x reauth-max
success: change accepted.
See Also
• set dot1x reauth-max on page 504
• show dot1x on page 507

clear dot1x reauth-period
Resets the time period that must elapse before a reauthentication attempt, to the default time period.
See Also
• set dot1x timeout auth-server on page 505
• show dot1x on page 507

clear dot1x timeout supplicant
Resets to the default setting the number of seconds that must elapse before the WSS times out an authentication session with a supplicant (client).
Syntax clear dot1x timeout supplicant
Defaults The default for the authentication timeout sessions is 30 seconds.
Access Enabled.
History Introduced in WSS Software 1.0.
802.1X Management Commands set dot1x authcontrol Provides a global override mechanism for 802.1X authentication configuration on wired authentication ports. Syntax set dot1x authcontrol {enable | disable} enable Allows all wired authentication ports running 802.1X to use the authentication specified per port by the set dot1X port-control command. disable Forces all wired authentication ports running 802.1X to unconditionally accept all 802.
Nortel recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds. The bonded authentication period applies only to 802.1X authentication rules that contain the bonded option.
Examples To set the bonded authentication period to 60 seconds, type the following command:
WSS# set dot1x bonded-period 60
success: change accepted.
History Introduced in WSS Software 1.0.
Usage To support SSIDs that have both 802.1X and static WEP clients, WSS Software sends a maximum of two ID requests, even if this parameter is set to a higher value. Setting the parameter to a higher value does affect all other types of EAP messages.
Examples Type the following command to set the maximum number of EAP request retransmissions to three attempts:
WSS# set dot1x max-req 3
success: dot1x max request set to 3.
set dot1x quiet-period
Sets the number of seconds a WSS remains quiet and does not respond to a supplicant after a failed authentication.
Syntax set dot1x quiet-period seconds
seconds
Specify a value between 0 and 65,535.
Defaults The default is 60 seconds.
Access Enabled.
History Introduced in WSS Software 1.0.
Examples Type the following command to set the quiet period to 90 seconds:
WSS# set dot1x quiet-period 90
success: dot1x quiet period set to 90.
set dot1x reauth-max
Sets the number of reauthentication attempts that the WSS makes before the supplicant (client) becomes unauthorized.
Syntax set dot1x reauth-max number-of-attempts
number-of-attempts
Specify a value between 1 and 10.
Defaults The default number of reauthentication attempts is 2.
Access Enabled.
History Introduced in WSS Software 1.0.
See Also
• clear dot1x reauth-period on page 498
• show dot1x on page 507

set dot1x timeout auth-server
Sets the number of seconds that must elapse before the WSS times out a request to a RADIUS authentication server.
Syntax set dot1x timeout auth-server seconds
seconds
Specify a value between 1 and 65,535.
Defaults The default is 30 seconds.
Access Enabled.
History Introduced in WSS Software 1.0.
See Also
• clear dot1x timeout auth-server on page 498
• show dot1x on page 507

set dot1x tx-period
Sets the number of seconds that must elapse before the WSS retransmits an EAPoL packet.
Syntax set dot1x tx-period seconds
seconds
Specify a value between 1 and 65,535.
Defaults The default is 5 seconds.
Access Enabled.
History Introduced in WSS Software 1.0.
802.1X Management Commands 517 Usage Reauthentication is not required for WEP key rotation to take place. Broadcast and multicast keys are always rotated at the same time, so all members of a given radio, VLAN, or encryption type receive the new keys at the same time.
802.1X Management Commands Access Enabled. Examples Type the following command to display the 802.
port 10, authcontrol: auto, max-sessions: 1
port 11, authcontrol: auto, max-sessions: 1
port 12, authcontrol: auto, max-sessions: 1
port 13, authcontrol: auto, max-sessions: 1
port 14, authcontrol: auto, max-sessions: 1
port 15, authcontrol: auto, max-sessions: 1
port 16, authcontrol: auto, max-sessions: 1
port 22, authcontrol: auto, max-sessions: 16

Type the following command to display 802.1X statistics:
WSS# show dot1x stats
802.
802.1X Management Commands Table 1: show dot1x stats Output (continued) Field Description Reauths While Authenticating Number of times that the WSS state wildcard transitions from AUTHENTICATING to ABORTING, as a result of a reauthentication request (reAuthenticate = TRUE). Starts While Authenticating Number of times that the WSS state wildcard transitions from AUTHENTICATING to ABORTING, as a result of an EAPoLStart message being received from the Supplicant (client).
RF Detection Commands WSS Software automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a Nortel device and is not a member of the ignore list configured on the seed switch of the Mobility Domain. WSS Software can issue countermeasures against rogue devices to prevent clients from being able to use them.
clear rfdetect attack-list
Removes a MAC address from the attack list.
Syntax clear rfdetect attack-list mac-addr
mac-addr
MAC address you want to remove from the attack list.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Examples The following command clears MAC address 11:22:33:44:55:66 from the attack list:
WSS# clear rfdetect attack-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer in attacklist.
clear rfdetect ignore
Removes a device from the ignore list for RF scans. WSS Software does not generate log messages or traps for the devices in the ignore list.
Syntax clear rfdetect ignore mac-addr
mac-addr
Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the ignore list.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 3.0.
clear rfdetect vendor-list
Removes an entry from the permitted vendor list.
Syntax clear rfdetect vendor-list {client | ap} mac-addr | all
client | ap
Specifies whether the entry is for an AP brand or a client brand.
mac-addr | all
Organizationally Unique Identifier (OUI) to remove.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Examples The following command adds MAC address 11:22:33:44:55:66 to the attack list:
WSS# set rfdetect attack-list 11:22:33:44:55:66
success: MAC 11:22:33:44:55:66 is now in attacklist.
See Also
• clear rfdetect attack-list on page 512
• show rfdetect attack-list on page 519
• set radio-profile countermeasures on page 287

set rfdetect black-list
Adds an entry to the client black list. The client black list specifies clients that are not allowed on the network.
Defaults WSS Software reports all non-Nortel BSSIDs detected during an RF scan.
Access Enabled.
History Introduced in WSS Software Version 3.0.
Usage Use this command to identify third-party APs and other devices you are already aware of and do not want WSS Software to report following RF scans. If you try to initiate countermeasures against a device on the ignore list, the ignore list takes precedence and WSS Software does not issue the countermeasures.
See Also show log buffer on page 579

set rfdetect signature
Enables AP signatures. An AP signature is a set of bits in a management frame sent by an AP that identifies that AP to WSS Software. If someone attempts to spoof management packets from a Nortel AP, WSS Software can detect the spoof attempt.
Syntax set rfdetect signature {enable | disable}
enable
Enables AP signatures.
disable
Disables AP signatures.
Defaults AP signatures are disabled by default.
Access Enabled.
RF Detection Commands Access Enabled. History Introduced in WSS Software Version 4.0. Usage The permitted SSID list applies only to the WSS on which the list is configured. WSSs do not share permitted SSID lists. If you add a device that WSS Software has classified as a rogue to the permitted SSID list, but not to the ignore list, WSS Software can still classify the device as a rogue. Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID.
See Also
• clear rfdetect vendor-list on page 514
• show rfdetect vendor-list on page 531

show rfdetect attack-list
Displays information about the MAC addresses in the attack list.
Syntax show rfdetect attack-list
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
• set rfdetect black-list on page 515

show rfdetect clients
Displays the wireless clients detected by a WSS.
Syntax show rfdetect clients [mac mac-addr]
mac mac-addr
Displays detailed information for a specific client.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Table 1: show rfdetect clients Output (continued)
Field Description
AP Vendor
Company that manufactures or sells the AP with which the rogue client is associated.
Port/Radio/Channel
Port number, radio number, and channel number of the radio that detected the rogue. For an AP, the connection number is labeled ap. (This stands for ap.)
NoL
Number of listeners. This is the number of AP radios that detected the rogue client.
Table 2: show rfdetect clients mac Output (continued)
Field Description
Typ
Classification of the rogue device:
• rogue—Wireless device that is on the network but is not supposed to be on the network.
• intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with AP radios.
• known—Device that is a legitimate member of the network.
Dst
MAC address to which the last 802.11 packet detected from the client was addressed.
Table 3: show rfdetect countermeasures Output
Field Description
Rogue MAC
BSSID of the rogue.
Type
Classification of the rogue device:
• rogue—Wireless device that is on the network but is not supposed to be on the network.
• intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with AP radios.
• known—Device that is a legitimate member of the network.
802.11 probe request flood
802.11 authentication flood
802.11 null data flood
802.11 mgmt type 6 flood
802.11 mgmt type 7 flood
802.11 mgmt type d flood
802.11 mgmt type e flood
802.11 mgmt type f flood
802.11 association flood
802.11 reassociation flood
802.
WSS# show rfdetect data
Total number of entries: 197
Flags: i = infrastructure, a = ad-hoc
       c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
BSSID             Vendor  Type  Port/Radio/Ch Flags  RSSI Age SSID
----------------- ------- ----- ------------- ------ ---- --- -----------------
00:07:50:d5:cc:91 Cisco   intfr 3/1/6         i----w  -61   6 r27-cisco1200-2
00:07:50:d5:dc:78 Cisco   intfr 3/1/6         i----w  -82   6 r116-cisco1200-2
00:09:b7:7b:8a:54 Cisco   intfr 3/1/2         i-----  -57   6
00:0a:5e:4b:4a
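For triage of captured show rfdetect data output, the following added example (not part of the Nortel documentation) parses the rows, decodes the Flags column using the legend shown in the display, and lists BSSIDs that advertise no encryption or WEP only, strongest signal first. The first three sample rows are copied from the display above; the fourth row, the single-token vendor assumption, and all function names are constructed for illustration.

```python
import re

# Constructed sample: header and first three rows from the manual's example,
# one truncated row, and one invented CCMP row.
SAMPLE = """\
BSSID             Vendor  Type  Port/Radio/Ch Flags  RSSI Age SSID
----------------- ------- ----- ------------- ------ ---- --- -----------------
00:07:50:d5:cc:91 Cisco   intfr 3/1/6         i----w  -61   6 r27-cisco1200-2
00:07:50:d5:dc:78 Cisco   intfr 3/1/6         i----w  -82   6 r116-cisco1200-2
00:09:b7:7b:8a:54 Cisco   intfr 3/1/2         i-----  -57   6
00:0a:5e:4b:4a
00:11:22:33:44:55 Unknown rogue 3/1/11        i-c---  -70   3 corp guest
"""

ROW = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<vendor>\S.*?)\s+"
    r"(?P<type>rogue|intfr|known)\s+"
    r"(?P<port>\S+)/(?P<radio>\d+)/(?P<channel>\d+)\s+"
    r"(?P<flags>[-iact14w]+)\s+"
    r"(?P<rssi>-?\d+)\s+(?P<age>\d+)"
    r"(?:\s+(?P<ssid>.*\S))?\s*$",  # SSID column may be empty
    re.IGNORECASE,
)

# Flag letters and names as given in the display legend and Crypto-Types table.
CRYPTO_FLAGS = {"c": "ccmp", "t": "tkip", "1": "wep104", "4": "wep40", "w": "wep"}
WEAK = {"clear", "wep", "wep40", "wep104"}


def decode_flags(flags):
    """Return (mode, crypto list); no crypto flag at all means clear."""
    flags = flags.lower()
    if "a" in flags:
        mode = "ad-hoc"
    elif "i" in flags:
        mode = "infrastructure"
    else:
        mode = "unknown"
    crypto = [name for flag, name in CRYPTO_FLAGS.items() if flag in flags]
    return mode, crypto or ["clear"]


def parse_rfdetect_data(text):
    """Parse data rows; headers, separators and truncated rows are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        mode, crypto = decode_flags(match["flags"])
        entries.append({
            "bssid": match["bssid"].lower(),
            "vendor": match["vendor"],
            "type": match["type"].lower(),
            "port": match["port"],
            "radio": int(match["radio"]),
            "channel": int(match["channel"]),
            "mode": mode,
            "crypto": crypto,
            "rssi": int(match["rssi"]),
            "age": int(match["age"]),
            "ssid": match["ssid"] or "",
        })
    return entries


def weak_crypto(entries):
    """Entries offering only clear or WEP, ordered by strongest RSSI first."""
    flagged = [e for e in entries if set(e["crypto"]) <= WEAK]
    return sorted(flagged, key=lambda e: e["rssi"], reverse=True)


if __name__ == "__main__":
    for entry in weak_crypto(parse_rfdetect_data(SAMPLE)):
        print(entry["bssid"], entry["type"], entry["crypto"], entry["rssi"],
              repr(entry["ssid"]))
```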
See Also
• show rfdetect mobility-domain on page 526
• show rfdetect visible on page 531

show rfdetect ignore
Displays the BSSIDs of third-party devices that WSS Software ignores during RF scans. WSS Software does not generate log messages or traps for the devices in the ignore list.
Syntax show rfdetect ignore
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
• bssid and ssid options added.
• Vendor, Type, and Flags fields added.
Usage This command is valid only on the seed switch of the Mobility Domain. To display rogue information for an individual switch, use the show rfdetect data command on that switch.
Device-type: interfering Adhoc: no Crypto-types: clear RSSI: -76 SSID: nrtl-webaaa

Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID. The indented lines that follow this information indicate the listeners (AP radios) that detected the SSID. Each set of indented lines is for a separate AP listener. In this example, two BSSIDs are mapped to the SSID.
Table 5: show rfdetect mobility-domain Output (continued)
Field Description
BSSID
MAC address of the SSID used by the detected device.
Vendor
Company that manufactures or sells the rogue device.
Type
Classification of the rogue device:
• rogue—Wireless device that is not supposed to be on the network. The device has an entry in a WSS’s FDB and is therefore on the network.
• intfr—Wireless device that is not part of your network but is not a rogue.
Table 6: show rfdetect mobility-domain ssid or bssid Output (continued)
Field Description
Crypto-Types
Encryption type:
• clear (no encryption)
• ccmp
• tkip
• wep104 (WPA 104-bit WEP)
• wep40 (WPA 40-bit WEP)
• wep (non-WPA WEP)
WSS-IPaddress
System IP address of the WSS that detected the rogue.
Port/Radio/Channel
Port number, radio number, and channel number of the radio that detected the rogue. For an AP, the connection number is labeled ap. (This stands for ap.
mycorp
corporate
guest
See Also
• clear rfdetect ssid-list on page 513
• set rfdetect ssid-list on page 517

show rfdetect vendor-list
Displays the entries in the permitted vendor list.
Syntax show rfdetect vendor-list
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Syntax show rfdetect visible mac-addr
Syntax show rfdetect visible ap ap-num [radio {1 | 2}]
Syntax show rfdetect visible ap ap-num [radio {1 | 2}]
mac-addr
Base MAC address of the Nortel radio.
Note: To display the base MAC address of a Nortel radio, use the show ap status command.
ap-num
Port connected to the AP for which to display neighboring BSSIDs.
ap-num
Number of an AP for which to display neighboring BSSIDs.
radio 1
Shows neighbor information for radio 1.
Table 83 describes the fields in this display.

Table 7: show rfdetect visible Output
Field Description
Transmit MAC
MAC address of the rogue device that sent the 802.11 packet detected by the AP radio.
Vendor
Company that manufactures or sells the rogue device.
Type
Classification of the rogue device:
• rogue—Wireless device that is on the network but is not supposed to be on the network.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 5.0. Name of the command changed from test rflink to rfping in WSS Software Version 6.0.
Usage Use this command to send test packets to a specified client. The output of the command indicates the number of test packets received and acknowledged by the client, as well as the client’s signal strength and signal-to-noise ratio.
File Management Commands Use file management commands to manage system files and to display software and boot information. This chapter presents file management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Syntax backup system [tftp:/ip-addr/]filename [all | critical]
[tftp:/ip-addr/]filename
Name of the archive file to create. You can store the file locally in the switch’s nonvolatile storage or on a TFTP server.
all
Backs up system files and all the files in the user files area. The user files area contains the set of files listed in the file section of dir command output.
clear boot backup-configuration
Clears the filename specified as the backup configuration file. In the event that WSS Software cannot read the configuration file at boot time, a backup configuration file is not used.
Syntax clear boot backup-configuration
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.1.
• Copies a file from a TFTP server to nonvolatile storage.
• Copies a file from nonvolatile storage or temporary storage to a TFTP server.
• Copies a file from one area in nonvolatile storage to another.
• Copies a file to a new filename in nonvolatile storage.
Syntax copy source-url destination-url
source-url
    Name and location of the file to copy.
Examples The following command copies a file called floorwss from nonvolatile storage to a TFTP server:
WSS# copy floorwss tftp://10.1.1.1/floorwss
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
The following command copies a file called closetwss from a TFTP server to nonvolatile storage:
WSS# copy tftp://10.1.1.1/closetwss closetwss
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
The following command copies system image WSS020101.
Syntax delete url
url
    Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: subdir_a/file_a.
Defaults None.
Access Enabled.
Usage You might want to copy the file to a TFTP server as a backup before deleting the file.
History Version 4.
The following command limits the output to the contents of the /tmp/core subdirectory:
WSS# dir core:
===============================================================================
file:
Filename Size Created
core:command_audit.
Syntax install soda agent agent-file agent-directory directory
agent-file
    Name of a .zip file on the WSS containing SODA agent files.
directory
    Directory on the WSS where SODA agent files are to be installed. The command automatically creates this directory.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.1.
Usage Use this command to install a .zip file containing SODA agent files into a directory on the WSS.
Defaults The default file location is nonvolatile storage.
Note. The current version supports loading a configuration file only from the switch’s nonvolatile storage. You cannot load a configuration file directly from a TFTP server.
If you do not specify a filename, WSS Software uses the same configuration filename that was used for the previous configuration load.
Examples The following command calculates the checksum for image file WSS040003.020 in boot partition 0:
pubs# md5 boot0:WSS040003.020
MD5 (boot0:WSS040003.020) = b9cf7f527f74608e50c70e8fb896392a
See Also
• copy on page 537
• dir on page 540

mkdir
Creates a new subdirectory in nonvolatile storage.
Syntax mkdir [subdirname]
subdirname
    Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.
Defaults None.
Access Enabled.
temporary files:
Filename Size Created
Total: 0 bytes used, 93537 Kbytes free
See Also
• dir on page 540
• rmdir on page 548

reset system
Restarts a WSS and reboots the software.
Syntax reset system [force]
force
    Immediately restarts the system and reboots, without comparing the running configuration to the configuration file.
Defaults None.
Access Enabled.
restore
Unzips a system archive created by the backup command and copies the files from the archive onto the switch.
Syntax restore system [tftp:/ip-addr/]filename [all | critical] [force]
[tftp:/ip-addr/]filename
    Name of the archive file to load. The archive can be located in the switch’s nonvolatile storage or on a TFTP server.
all
    Restores system files and the user files from the archive.
If the configuration running on the switch is different from the one in the archive or you renamed the configuration file, and you want to retain changes that were made after the archive was created, see the “Managing System Files” chapter of the Nortel WLAN 2300 System Software Configuration Guide.
Examples The following command restores system-critical files on a switch, from archive sysa_bak:
WSS# restore system tftp:/10.10.20.9/sysa_bak
success: received 11908 bytes in 0.
Syntax save config [filename]
filename
    Name of the configuration file. Specify between 1 and 128 alphanumeric characters, with no spaces. To save the file in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c.
Defaults By default, WSS Software saves the running configuration as the configuration filename used during the last reboot.
Access Enabled.
Examples The following command specifies a file called backup.cfg as the backup configuration file on the WSS:
WSS# set boot backup-configuration backup.cfg
success: backup boot config filename set.
See Also
• clear boot backup-configuration on page 537
• show boot on page 551

set boot configuration-file
Changes the configuration file to load after rebooting.
Syntax set boot configuration-file filename
filename
    Filename.
History Introduced in WSS Software Version 1.1.
Usage To determine the boot partition that was used to load the currently running software image, use the dir command.
Examples The following command sets the boot partition for the next software reload to partition 1:
WSS# set boot partition boot1
success: Boot partition set to boot1.
Table 2: Output for show boot
Field | Description
Configured boot version | Software version the switch will run next time the software is rebooted.
Configured boot image | Boot partition and image filename WSS Software will use to boot next time the software is rebooted.
Configured boot configuration | Configuration filename WSS Software will use to boot next time the software is rebooted.
show config
Displays the configuration running on the WSS.
Syntax show config [area area] [all]
area area
    Configuration area.
Access Enabled.
History
Version 4.0
    • New options added for remote traffic monitoring: snoop
    • rfdevice changed to rfdetect
Version 4.1
    New options added: l2acl, network-domain, and qos
Version 5.0
    Option portgroup renamed to port-group for consistency with clear port-group, set port-group, and show port-group commands.
Usage If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas.
Build Information: (build#67) TOP 2005-09-21 04:41:00
Model: WSS
Hardware
Mainboard: version 24 ; revision 3 ; FPGA version 24
PoE board: version 1 ; FPGA version 6
Serial number 0321300013
Flash: 5.0.0.14 - md0a
Kernel: 3.0.0#20: Fri Sep 22 17:43:51 PDT 2005
BootLoader: 5.00 / 5.0.0
The following command displays additional software build information and AP information:
WSS# show version details
WLAN Security Switch 2300 Series, Version: 5.0.
Table 3: Output for show version
Field | Description
Build Information | Factory timestamp of the image file.
Label | Software version and build date.
Build Suffix | Build suffix.
Model | Build model.
Hardware | Version information for the WSS’s motherboard and Power over Ethernet (PoE) board.
Serial number | Serial number of the WSS.
Flash | Flash memory version.
Kernel | Kernel version.
BootLoader | Boot code version.
Port/ap | Port number connected to an AP.
See Also
• install soda agent on page 542
• set service-profile soda mode on page 329

Nortel WLAN—Security Switch 2300 Series Command Line Reference
File Management Commands NN47250-100 (Version 02.
Trace Commands

Use trace commands to perform diagnostic routines. While WSS Software allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces WSS Software allows, type the set trace ? command.
Caution! Using the set trace command can have adverse effects on system performance.
clear trace
Deletes running trace commands and ends trace processes.
Syntax clear trace {trace-area | all}
trace-area
    Ends a particular trace process. Specify one of the following keywords to end the traces documented in this chapter:
    • authorization—Ends an authorization trace
    • dot1x—Ends an 802.1X trace
    • authentication—Ends an authentication trace
    • sm—Ends a session manager trace
all
    Ends all trace processes.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 3.0.
Examples To save trace data into the file trace1 in the subdirectory traces, type the following command:
WSS# save trace traces/trace1

set trace authentication
Traces authentication information.
Syntax set trace authentication [mac-addr mac-address] [port port-num] [user username] [level level]
mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
Syntax set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level]
mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
    Traces a port number. Specify a WSS port number between 1 and 22.
user username
    Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
Defaults The default trace level is 5.
Access Enabled.
Examples The following command starts a trace for the 802.1X sessions for MAC address 00:01:02:03:04:05:
WSS# set trace dot1x mac-addr 00:01:02:03:04:05:
success: change accepted.
See Also
• clear trace on page 560
• show trace on page 564

set trace sm
Traces session manager activity.
Syntax set trace sm [mac-addr mac-address] [port port-num] [user username] [level level]
mac-addr mac-address
    Traces a MAC address.
show trace
Displays information about traces that are currently configured on the WSS, or all possible trace options.
Syntax show trace [all]
all
    Displays all possible trace options and their configuration.
Defaults None.
Access Enabled.
Examples To view the traces currently running, type the following command:
WSS# show trace
milliseconds spent printing traces: 1885.
Snoop Commands

Use snoop commands to monitor wireless traffic by using an AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal. (For more information, including setup instructions for the monitoring station, see the “Remotely Monitoring Traffic” section in the “Troubleshooting a WSS” chapter of the Nortel WLAN Security Switch 2300 Series Configuration Guide.
clear snoop map
Removes a snoop filter from an AP radio.
Syntax clear snoop map filter-name ap ap-num radio {1 | 2}
filter-name
    Name of the snoop filter.
ap ap-num
    Number of an AP to which the snoop filter is mapped.
radio 1
    Radio 1 of the AP.
radio 2
    Radio 2 of the AP. (This option does not apply to single-radio models.)
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
set snoop
Configures a snoop filter.
Syntax set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]
filter-name
    Name for the filter. The name can be up to 15 alphanumeric characters, with no spaces.
condition-list
    Match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition-list.
History
Version 4.0
    Command introduced
Version 5.0
    New Boolean operators: lt (less than) and gt (greater than). The new options apply to src-mac, dest-mac, and host-mac.
Usage Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.
For best results:
• Do not specify an observer that is associated with the AP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.
filter-name
    Name of the snoop filter.
ap ap-num
    Number of an AP to which to map the snoop filter.
radio 1
    Radio 1 of the AP.
radio 2
    Radio 2 of the AP. (This option does not apply to single-radio models.)
Defaults Snoop filters are unmapped by default.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Usage You can map the same filter to more than one radio. You can map up to eight filters to the same radio.
Defaults Snoop filters are disabled by default.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Usage The filter mode is not retained if you change the filter configuration or disable and reenable the radio, or when the AP or the WSS is restarted. You must reenable the filter to place it back into effect.
show snoop info
Shows the configured snoop filters.
Syntax show snoop filter-name
filter-name
    Name of the snoop filter.
Defaults None.
Access Enabled.
History Introduced in WSS Software Version 4.0.
Examples The following command shows the snoop filters configured in the examples above:
WSS# show snoop info
snoop1: observer 10.10.30.2 snap-length 100 all packets
snoop2: observer 10.10.30.
ap: 3 Radio: 2
See Also
• clear snoop map on page 566
• set snoop map on page 568
• show snoop on page 570

show snoop stats
Displays statistics for enabled snoop filters.
Syntax show snoop stats [filter-name [ap-num [radio {1 | 2}]]]
filter-name
    Name of the snoop filter.
ap ap-num
    Number of an AP to which the snoop filter is mapped.
radio 1
    Radio 1 of the AP.
radio 2
    Radio 2 of the AP. (This option does not apply to single-radio models.)
Defaults None.
Access Enabled.
Table 88 describes the fields in this display.
Table 1: show snoop stats Output
Field | Description
Filter | Name of the snoop filter.
ap | AP containing the radio to which the filter is mapped.
Radio | Radio to which the filter is mapped.
Rx Match | Number of packets received by the radio that match the filter.
Tx Match | Number of packets sent by the radio that match the filter.
System Log Commands

Use the system log commands to record information for monitoring and troubleshooting. WSS Software system logs are based on RFC 3164, which defines the log protocol. This chapter presents system log commands alphabetically. Use the following table to locate commands in this chapter based on their use.
• set log on page 576

set log
Enables or disables logging of WSS and AP events to the WSS log buffer or other logging destination and sets the level of the events logged. For logging to a syslog server only, you can also set the facility logged.
severity severity-level
    Logs events at a severity level greater than or equal to the level specified. Specify one of the following:
    • emergency—The WSS is unusable.
    • alert—Action must be taken immediately.
    • critical—You must resolve the critical conditions. If the conditions are not resolved, the WSS can reboot or shut down.
    • error—The WSS is missing data or is unable to form a connection.
    • warning—A possible problem exists.
Usage Using the command with only enable or disable turns logging on or off for the target at all levels. For example, entering set log buffer enable with no other keywords turns on logging to the system buffer of all facilities at all levels. Entering set log buffer disable with no other keywords turns off all logging to the buffer.
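The severity threshold of set log, applied on the receiving side of an RFC 3164 feed, as an added example that is not part of the Nortel reference. The sample packets and the host name wss-lab are constructed, and the labels notice, info and debug are assumed names for RFC 3164 codes 5 to 7 rather than keywords taken from this page.

```python
import re

# RFC 3164 severity codes; a LOWER number is a MORE severe event.
# The page names the first five levels. "notice", "info" and "debug" are
# labels assumed here for RFC 3164 codes 5-7, not keywords from the page.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAME = {code: name for name, code in SEVERITY.items()}

# RFC 3164 packet: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
# where PRI = facility * 8 + severity.
_PACKET = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
MAX_PRI = 23 * 8 + 7  # highest facility (local7 = 23), lowest severity (7)


def parse_rfc3164(line):
    """Return a dict for a well-formed packet, or None if it is malformed."""
    m = _PACKET.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > MAX_PRI:
        return None  # PRI outside the range RFC 3164 defines
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAME[severity],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def at_or_above(severity_code, threshold):
    """True if the event is at least as severe as the named threshold.

    "Greater than or equal" in severity means numerically less than or
    equal in the RFC 3164 encoding.
    """
    return severity_code <= SEVERITY[threshold]


def filter_log(lines, threshold):
    """Split lines into (records passing the threshold, malformed lines)."""
    if threshold not in SEVERITY:
        raise ValueError("unknown severity level: %r" % threshold)
    kept, malformed = [], []
    for line in lines:
        record = parse_rfc3164(line)
        if record is None:
            malformed.append(line)  # keep for review, do not drop silently
        elif at_or_above(record["severity"], threshold):
            kept.append(record)
    return kept, malformed


# Constructed sample packets (facility local0 = 16), not captured from a WSS.
SAMPLE_LINES = [
    "<131>Jun  3 10:15:02 wss-lab constructed sample: error-level event",
    "<134>Jun  3 10:15:07 wss-lab constructed sample: info-level event",
    "<129>Jun  3 10:16:40 wss-lab constructed sample: alert-level event",
    "<132>Jun  3 10:17:11 wss-lab constructed sample: warning-level event",
    "<999>Jun  3 10:18:00 wss-lab constructed sample: PRI out of range",
    "constructed sample with no PRI field at all",
]

if __name__ == "__main__":
    kept, malformed = filter_log(SAMPLE_LINES, "error")
    for r in kept:
        print(r["timestamp"], r["host"], r["severity_name"], r["msg"])
    print("malformed packets:", len(malformed))
```
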
Examples The following command enables mark messages:
WSS# set log mark enable
success: change accepted.
See Also show log config on page 581

set log trace mbytes
This command is deprecated in WSS Software Version 4.0.

show log buffer
Displays system information stored in the nonvolatile log buffer or the trace buffer.
severity severity-level
    Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
    • emergency—The WSS is unusable.
    • alert—Action must be taken immediately.
    • critical—You must resolve the critical conditions. If the conditions are not resolved, the WSS can reboot or shut down.
    • error—The WSS is missing data or is unable to form a connection.
    • warning—A possible problem exists.
See Also
• clear log on page 575
• show log config on page 581

show log config
Displays log configuration information.
Syntax show log config
Defaults None.
Access Enabled.
Syntax show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
trace
    Displays the log messages in the trace buffer.
+|-|/number-of-messages
    Displays the number of messages specified as follows:
    • A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
    • A negative number (for example, -100) displays that number of log entries starting from newest in the log.
History
Version 5.0
    Option COPP removed. The option is not applicable to WSS Software Version 5.0.
Boot Prompt Commands

Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if WSS Software does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).
Caution! Generally, boot prompt commands are used only for troubleshooting.
autoboot
Displays or changes the state of the autoboot option. The autoboot option controls whether a WSS automatically boots a system image after initializing the hardware, following a system reset or power cycle.
Syntax autoboot [ON | on | OFF | off]
ON
    Enables the autoboot option.
on
    Same effect as ON.
OFF
    Disables the autoboot option.
off
    Same effect as OFF.
Defaults The autoboot option is enabled by default.
Access Boot prompt.
boot
Loads and executes a system image file.
Syntax boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num] [OPT=option] [OPT+=option]
BT=type
    Boot type:
    • c—Compact flash. Boots using nonvolatile storage or a flash card.
    • n—Network. Boots using a TFTP server.
Usage If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the show command. To change the currently active boot profile, use the change command.
Examples The following command loads system image file WSS010101.020 from boot partition 1:
boot> boot FN=WSS010101.
Access Boot prompt.
Usage After you type the change command, the system interactively displays the current setting of each parameter and prompts you for the new setting. When prompted, type the new setting, press Enter to accept the current setting, or type . (period) to change the setting to its default value. To back up to the previous parameter, type - (hyphen). For information about each of the boot parameters you can set, see show on page 596.
create
Creates a new boot profile. (For information about boot profiles, see show on page 596.)
Syntax create
Defaults The new boot profile has the same settings as the currently active boot profile by default.
Access Boot prompt.
Usage A WSS can have up to four boot profiles. The boot profiles are stored in slots, numbered 0 through 3. When you create a new profile, the system uses the next available slot for the profile.
Examples To remove the currently active boot profile, type the following command:
boot> delete
BOOT Index: 1
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
See Also
• change on page 588
• create on page 590
• next on page 595
• show on page 596

dhcp
Displays or changes the state of the DHCP option. The DHCP option controls whether a WSS uses DHCP to obtain its IP address when it is booted using a TFTP server.
diag
Accesses the diagnostic mode.
Syntax diag
Defaults The diagnostic mode is disabled by default.
Access Boot prompt.
Usage Access to the diagnostic mode requires a password, which is not user configurable. Use this mode only if advised to do so by Nortel.

dir
Displays the boot code and system image files on a WSS.
Syntax dir [c: | d: | e: | f: | boot0 | boot1]
c:
    Nonvolatile storage area containing boot partition 0 (primary).
fver
Displays the version of a system image file installed in a specific location on a WSS.
Syntax fver {c: | d: | e: | f: | boot0: | boot1:} [filename]
c:
    Nonvolatile storage area containing boot partition 0 (primary).
d:
    Nonvolatile storage area containing boot partition 1 (secondary).
e:
    Primary partition of the flash card in the flash card slot.
f:
    Secondary partition of the flash card in the flash card slot.
boot0:
    Boot partition 0.
boot1:
    Boot partition 1.
Examples The following command displays detailed information for the fver command:
boot> help fver
fver Display the version of the specified device:filename.
USAGE: fver [c:file|d:file|e:file|f:file|boot0:file|boot1:file|boot2:file|boot3:file]
Command to display the version of the compressed image file associated with the given device:filename.
See Also ls on page 594

ls
Displays a list of the boot prompt commands.
Syntax ls
Defaults None.
Access Boot prompt.
See Also help on page 593

next
Activates and displays the boot profile in the next boot profile slot. (For information about boot profiles, see show on page 596.)
Syntax next
Defaults None.
Access Boot prompt.
Usage A WSS contains 4 boot profile slots, numbered 0 through 3. This command activates the boot profile in the next slot, in ascending numerical order. If the currently active slot is 3, the command activates the boot profile in slot 0.
boot> reset
Nortel WSS Bootstrap 1.17 Release
Testing Low Memory 1 ............
Testing Low Memory 2 ............
CISTPL_VERS_1: 4.1 <5/3 0.6>
Reset Cause (0x02) is COLD
Nortel WSS Bootstrap/Bootloader Version 1.6.5 Release
Bootstrap 0 version: 1.17 Active
Bootloader 0 version: 1.6.5 Active
Bootstrap 1 version: 1.17
Bootloader 1 version: 1.6.3
WSS Board Revision: 3.
WSS Controller Revision: 24.
Examples To display the currently active boot profile, type the following command at the boot prompt:
boot> show
BOOT Index: 0
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
The following is an example of a boot profile from a 2350 that is booted with a software image downloaded from a TFTP server. In the example, when the 2350 boots, it downloads a system image file called bootfile located on a TFTP server with address 172.16.0.1.
Table 1: Output for show (continued)
Field | Description
DEVICE | Location of the system image file:
    • c:—Nonvolatile storage area containing boot partition 0
    • d:—Nonvolatile storage area containing boot partition 1
    • e:—Primary partition of the flash card in the flash card slot
    • f:—Secondary partition of the flash card in the flash card slot
    • boot0—boot partition 0
    • boot1—boot partition 1
    When the boot type is Network, the device can be one of the following:
    • emac1—Port 1 on
• next on page 595

test
Displays or changes the state of the poweron test flag. The poweron test flag controls whether a WSS performs a set of self tests prior to the boot process.
Syntax test [ON | on | OFF | off]
ON
    Enables the poweron test flag.
on
    Same effect as ON.
OFF
    Disables the poweron test flag.
off
    Same effect as OFF.
Defaults The poweron test flag is disabled by default.
Access Boot prompt.
Bootloader 1 version: 1.6.3
WSS Board Revision: 3.
WSS Controller Revision: 24.
POE Board Revision: 1
POE Controller Revision: 6
See Also
• dir on page 592
• fver on page 593
Nortel WLAN—Security Switch 2300 Series Command Line Reference
Nortel WLAN—Security Switch 2300 Series Release 6.0.7
Document Number: NN47250-100
Document Status: Standard
Document Version: 02.51
Release Date: June 2008
Copyright © Nortel Networks Limited 2007-2008 All Rights Reserved
The information in this document is subject to change without notice.