V1 (WL1700-MS) Command Reference NWA-027517-001 ISSUE 1.
LIABILITY DISCLAIMER NEC Infrontia Corporation reserves the right to change the specifications, functions, or features, at any time, without notice. NEC Infrontia Corporation has prepared this document for use by its employees and customers. The information contained herein is the property of NEC Infrontia Corporation, and shall not be reproduced without prior written approval from NEC Infrontia Corporation.
Contents
1 Introducing the UNIVERGE WL System
    UNIVERGE WL System
    Documentation
    Safety and Advisory Notices
    Text and Syntax Conventions
3 Access Commands
4 System Services Commands
5 Port Commands
6 VLAN Commands
7 Quality of Service Commands
1 Introducing the UNIVERGE WL System
    UNIVERGE WL System
    Documentation
This guide explains how to configure and manage a UNIVERGE WL Wireless Controller (hereinafter called ‘Controller’) using the UNIVERGE WL Control System command line interface (CLI) commands that you enter on a wireless LAN (WLAN) controller.
The UNIVERGE WL System consists of the following components:
• UNIVERGE WLMS—A full-featured graphical user interface (GUI) application used to plan, configure, deploy, and manage a WLAN and its users
• UNIVERGE WL Wireless Controller—Distributed, intelligent machines for managing user connectivity, connecting and powering UNIVERGE WL Access Points, and connecting the WLAN to the wired network backbone
• UNIVERGE WL Access Points—Wireless access points (APs) that transmit and
Installation
• UNIVERGE WL Installation Guide. Instructions and specifications for installing a WL Controller and UNIVERGE WL Access Point
Note. SCA-WL10 has the same specifications as UNIVERGE WL5050.

Safety and Advisory Notices
The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.
Convention  Use
[ ] (square brackets)  Enclose optional parameters in command syntax.
{ } (curly brackets)  Enclose mandatory parameters in command syntax.
| (vertical bar)  Separates mutually exclusive options in command syntax.
2 Using the Command-Line Interface
    CLI Conventions
    Command-Line Editing
    Using CLI Help
    Understanding Command Descriptions
CLI Conventions
Be aware of the following UNIVERGE WL Control System CLI conventions for command entry:
• “Command Prompts” on page 6
• “Syntax Notation” on page 7
• “Text Entry Conventions and Allowed Characters” on page 7
• “User Globs, MAC Address Globs, and VLAN Globs” on page 9
• “Virtual LAN Identification” on page 11

Command Prompts
By default, the UNIVERGE WL Control System CLI provides the following prompt for restricted users.
Syntax Notation
The UNIVERGE WL Control System CLI uses standard syntax notation:
• Bold monospace font identifies the command and keywords you must type. For example: set enablepass
• Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID: clear interface vlan-id ip
• Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter.
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.

MAC Address Notation
UNIVERGE WL Control System displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred. For shortcuts:
• You can exclude leading zeros when typing a MAC address.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet. The ACL mask must be a contiguous set of zeroes starting from the first bit. For example, 0.255.255.255, 0.0.255.255, and 0.0.0.255 are valid ACL masks. However, 0.255.0.255 is not a valid ACL mask.
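The mask rule above can be checked before an ACL entry is typed into the CLI, and the covered range shows how broad the entry really is. The following Python sketch is an added example, not part of the NEC manual; the function names are hypothetical, the sample entries are constructed from the masks quoted above, and accepting 0.0.0.0 (one host) and 255.255.255.255 (any address) as valid masks is an assumption the page does not state.

```python
import ipaddress

FULL = 0xFFFFFFFF  # 32 bits, all ones


def _to_int(dotted):
    """Parse a dotted-quad string into a 32-bit integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(dotted))


def is_valid_acl_mask(mask):
    """True when the mask is a run of 0 bits from the first bit, then only 1 bits.

    A 0 bit means "must match" and a 1 bit means "ignore", as in the
    10.0.0.0 / 0.255.255.255 example.
    """
    try:
        value = _to_int(mask)
    except ValueError:
        return False
    # For a mask of the form 0...01...1, value + 1 is a power of two and
    # shares no set bit with value. A 0 bit after a 1 bit breaks that.
    return value & (value + 1) == 0


def acl_range(address, mask):
    """Return (first, last) IPv4 addresses covered by an address/mask pair."""
    if not is_valid_acl_mask(mask):
        raise ValueError("non-contiguous ACL mask: %s" % mask)
    addr, wild = _to_int(address), _to_int(mask)
    first = addr & ~wild & FULL  # clear every ignored bit
    last = first | wild          # set every ignored bit
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def acl_matches(address, mask, candidate):
    """True when candidate equals address on every bit the mask checks."""
    if not is_valid_acl_mask(mask):
        raise ValueError("non-contiguous ACL mask: %s" % mask)
    care = ~_to_int(mask) & FULL
    return (_to_int(address) & care) == (_to_int(candidate) & care)


def review_entries(entries):
    """Audit (address, mask) pairs: covered range, or the reason for rejection."""
    report = []
    for address, mask in entries:
        if is_valid_acl_mask(mask):
            first, last = acl_range(address, mask)
            report.append((address, mask, "covers %s - %s" % (first, last)))
        else:
            report.append((address, mask, "rejected: mask is not contiguous"))
    return report


# Constructed sample entries; the masks are the ones quoted in the text above.
SAMPLE_ENTRIES = [
    ("10.0.0.0", "0.255.255.255"),
    ("192.168.0.0", "0.0.255.255"),
    ("192.168.1.0", "0.0.0.255"),
    ("10.0.0.0", "0.255.0.255"),
]

if __name__ == "__main__":
    for address, mask, verdict in review_entries(SAMPLE_ENTRIES):
        print("%-12s %-15s %s" % (address, mask, verdict))
```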
User Glob  User(s) Designated
*.*@marketing.example.com  All marketing users at example.com whose usernames contain periods
*  All users with usernames that have no delimiters
EXAMPLE\*  All users in the Windows Domain EXAMPLE with usernames that have no delimiters
EXAMPLE\*.
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the period (.). For example, the VLAN glob bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
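Because a VLAN glob decides how many VLANs a rule applies to, it is worth expanding a glob against the configured VLAN names before using it. The following Python sketch is an added example, not code from the manual; the function names and the VLAN list are constructed, and rejecting ** inside a longer glob is an assumption, because the text above only describes ** standing alone.

```python
import re

VLAN_DELIMITERS = "@."  # the two delimiter characters named in the text


def compile_vlan_glob(glob):
    """Translate a VLAN glob into a compiled regular expression.

    "**" alone matches every VLAN name. A single "*" matches any run of
    characters that does not contain a delimiter. Everything else is literal.
    """
    if not glob:
        raise ValueError("empty VLAN glob")
    if glob == "**":
        return re.compile(r".*", re.DOTALL)
    if "**" in glob:
        # Assumption of this sketch: "**" is only handled as the whole glob.
        raise ValueError("'**' is only supported as the complete glob")
    single = "[^" + re.escape(VLAN_DELIMITERS) + "]*"
    pieces = [single if ch == "*" else re.escape(ch) for ch in glob]
    return re.compile("".join(pieces))


def vlan_glob_matches(glob, vlan_name):
    """True when the whole VLAN name is matched by the glob."""
    return compile_vlan_glob(glob).fullmatch(vlan_name) is not None


def vlans_in_scope(glob, vlan_names):
    """Return the VLAN names, in input order, that the glob would select."""
    pattern = compile_vlan_glob(glob)
    return [name for name in vlan_names if pattern.fullmatch(name)]


# Constructed VLAN names for the demonstration; bldg4.security and bldg4.hr
# are the names used in the text above.
CONFIGURED_VLANS = ["default", "bldg4.security", "bldg4.hr", "bldg5.hr", "guest@lobby"]

if __name__ == "__main__":
    for glob in ("bldg4.*", "bldg4*", "*", "*@lobby", "**"):
        print("%-8s -> %s" % (glob, vlans_in_scope(glob, CONFIGURED_VLANS)))
```

Comparing bldg4.* with bldg4* in the output shows why the delimiter has to be written in the glob: a single asterisk stops at the period, so bldg4* selects none of the sample names.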
Command-Line Editing
UNIVERGE WL Control System editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts
The following table lists the keyboard shortcuts for entering and editing CLI commands:
Keyboard Shortcut(s)  Function
Ctrl+A  Jumps to the first character of the command line.
Ctrl+B or Left Arrow key  Moves the cursor back one character.
Ctrl+C  Escapes and terminates prompts and tasks.
History Buffer
The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

Tabs
The UNIVERGE WL Control System CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the command(s) that begin with those characters.
Using CLI Help
The CLI provides online help. To see the full range of commands available at your access level, type the help command.
dns     show DNS status
https   show ip https
route   Show ip route table
telnet  show ip telnet
To determine the port on which Telnet is running, type the following command:
PROMPT# show ip telnet
Server Status    Port
-------------------------
Enabled          23

Understanding Command Descriptions
Each command description in the WL Command Reference contains the following elements:
• A command name, which shows the keywords but not the variables.
3 Access Commands
Use access commands to control access to the UNIVERGE WL Control System (CLI). This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Access Privileges
  enable on page 17
  set enablepass on page 19
  disable on page 17
  quit on page 18

disable
Changes the CLI session from enabled mode to restricted access.
Syntax disable
Defaults None.
Access Enabled.
Syntax enable
Access All.
Usage UNIVERGE WL Control System displays a password prompt to challenge you with the enable password. To enable a session, you or another administrator must have configured the enable password on this UNIVERGE WL Controller with the set enablepass command.
set enablepass
Sets the password that provides enabled access (for configuration and monitoring) to the UNIVERGE WL Controller.
Note. The enable password is case-sensitive.
Syntax set enablepass
Defaults None.
Access Enabled.
Usage After typing the set enablepass command, press Enter. If you are entering the first enable password on this UNIVERGE WL Controller, press Enter at the Enter old password prompt. Otherwise, type the old password.
4 System Services Commands
Use system services commands to configure and monitor system information for a UNIVERGE WL Controller. This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
  clear history on page 22
License
  set license on page 31
  show license on page 39
Technical Support
  show tech-support on page 44

clear banner motd
Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the UNIVERGE WL Controller.
Syntax clear banner motd
Defaults None.
Access Enabled.
Examples To clear a banner, type the following command:
PROMPT# clear banner motd
success: change accepted
Note.
Access All.
Examples To clear the history buffer, type the following command:
PROMPT# clear history
success: command buffer was flushed.
See Also history on page 26

clear prompt
Resets the system prompt to its previously configured value. If the prompt was not configured previously, this command resets the prompt to its default.
Syntax clear prompt
Defaults None.
Access Enabled.
Syntax clear system [contact | countrycode | idle-timeout | ip-address | location | name]
contact  Resets the name of contact person for the UNIVERGE WL Controller to null.
countrycode  Resets the country code for the UNIVERGE WL Controller to null.
idle-timeout  Resets the number of seconds a CLI management session can remain idle to the default value (3600 seconds).
ip-address  Resets the IP address of the UNIVERGE WL Controller to null.
• show system on page 40

help
Displays a list of commands that can be used to configure and monitor the UNIVERGE WL Controller.
Syntax help
Defaults None.
Access All.
Examples Use this command to see a list of available commands. If you have restricted access, you see fewer commands than if you have enabled access.
history
Displays the command history buffer for the current CLI session.
Syntax history
Defaults None.
Access All.
Examples To show the history of your session, type the following command:
PROMPT> history
Show History (most recent first)
-------------------------------
[00] show config
[01] show version
[02] enable
See Also clear history on page 22

set auto-config
Enables a UNIVERGE WL Controller to contact a WLMS server for its configuration.
Usage A network administrator at the corporate office can preconfigure the UNIVERGE WL Controller in a WLMS network plan. The UNIVERGE WL Controller configuration must have a name for the UNIVERGE WL Controller, and the serial number must match the UNIVERGE WL Controller’s serial number. The configuration should also include all other settings required for the deployment, including UNIVERGE WL Access Points configuration, SSIDs, AAA settings, and so on.
The IP address and DNS information are configured independently. You can configure the combination of settings that work with the network resources available at the deployment site. The following examples show some of the combinations you can configure.
Examples The following commands stage a UNIVERGE WL Controller to use the auto-config option.
set banner motd
Configures the banner string that is displayed before the beginning of each login prompt for each CLI session on the UNIVERGE WL Controller.
Syntax set banner motd “text”
“  Delimiting character that begins and ends the message; for example, double quotes (“).
text  Up to 4096 alphanumeric characters, including tabs and carriage returns, but not the delimiting character.
Defaults None.
Access Enabled.
Defaults Configuration messages are enabled.
Access Enabled.
Usage This command remains in effect for the duration of the session, until you enter an exit or quit command, or until you enter another set confirm command. UNIVERGE WL Control System displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network. For example:
PROMPT# clear vlan red
This may disrupt user connectivity.
set license
Installs an upgrade license key on a UNIVERGE WL Controller.
Note. This command is not supported.

set prompt
Changes the CLI prompt for the UNIVERGE WL Controller to a string you specify.
Syntax set prompt string
string  Alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”).
See Also
• clear prompt on page 23
• set system name on page 38
• show config on page 600

set system contact
Stores a contact name for the UNIVERGE WL Controller.
Syntax set system contact string
string  Alphanumeric string up to 256 characters long. (Blank spaces can be entered.)
Defaults None.
Access Enabled.
To view the system contact string, type the show system command.
Examples The following command sets the system contact information to tamara@example.
set system countrycode
Defines the country-specific IEEE 802.11 regulations to enforce on the UNIVERGE WL Controller.
Syntax set system countrycode code
code  Two-letter code for the country of operation for the UNIVERGE WL Controller. You can specify one of the codes listed in Table 1.
Table 1.
Defaults The factory default country code is None.
Access Enabled.
Usage You must set the system country code to a valid value before using any set ap commands to configure a UNIVERGE WL Access Points.
Examples To set the country code to Canada, type the following command:
Controller#set system countrycode CA
success: change accepted.
Note. Under no circumstances should you specify a country code that does not match the country of operation.
Access Enabled.
Usage This command applies to all types of CLI management sessions: console, Telnet, and SSH. The timeout change applies to existing sessions only, not to new sessions.
Examples The following command sets the idle timeout to 1800 seconds (one half hour):
PROMPT# set system idle-timeout 1800
success: change accepted.
See Also
• clear system on page 23
• set interface on page 111
• show system on page 40

set system location
Stores location information for the UNIVERGE WL Controller.
Syntax set system location string
string  Alphanumeric string up to 256 characters long. (Blank spaces can be entered.)
Defaults None.
Access Enabled.
Usage You cannot include spaces in the system location string. To view the system location string, type the show system command.
set system name
Changes the name of the UNIVERGE WL Controller from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.
Syntax set system name string
string  Alphanumeric string up to 99 characters long. (Blank spaces can be entered.) UNIVERGE WLMS requires unique UNIVERGE WL Controller names.
Defaults By default, the system name and command prompt have the same value.
show banner motd
Shows the banner that was configured with the set banner motd command.
Syntax show banner motd
Defaults None.
Access Enabled.
Examples To display the banner with the message of the day, type the following command:
PROMPT# show banner motd
hello world
See Also
• clear banner motd on page 22

show license
Note. This command is not supported.

show load
Displays CPU usage on a UNIVERGE WL Controller.
Syntax show load
Defaults None.
Access Enabled.
The overall field shows the CPU load as a percentage from the time the UNIVERGE WL Controller was booted. The delta field shows CPU load as a percentage from the last time the show load command was entered.
See Also show system on page 40

show system
Displays system information.
Syntax show system
Defaults None.
Access Enabled.
Table 2. show system Output
Field  Description
Product Name  UNIVERGE WL Controller model number.
System Name  System name (factory default, or optionally configured with set system name).
System Countrycode  Country-specific 802.11 code required for AP operation (configured with set system countrycode).
System Location  Record of UNIVERGE WL Controller’s physical location (optionally configured with set system location).
Fan status  Operating status of the three WL5100 cooling fans:
• OK—Fan is operating.
• Failed—At least one of the three fans is not operating. UNIVERGE WL Control System sends an alert to the system log every 5 minutes until this condition is corrected.
Fan 1 is located nearest the front of the chassis, and fan 3 is located nearest the back. In the case of WL1700-MS, nothing is displayed.
WL5100  Status of the Left and Right power supply units in the WL5100:
• missing—Power supply is not installed or is inoperable.
• DC ok—Power supply is producing DC power.
• DC output failure—Power supply is not producing DC power. UNIVERGE WL Control System sends an alert to the system log every 5 minutes until this condition is corrected.
• AC ok—Power supply is receiving AC power.
show tech-support
Provides an in-depth snapshot of the status of the UNIVERGE WL Controller, which includes details about the boot image, the version, ports, and other configuration values. This command also displays the last 100 log messages.
Syntax show tech-support [file [subdirname/]filename]
[subdirname/]filename  Optional subdirectory name, and a string up to 32 alphanumeric characters.
Defaults
Access
5 Port Commands This chapter presents port commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Syntax clear ap {ap-number | all}
ap-number  Number of the UNIVERGE WL Access Points to be removed.
all  Clear all UNIVERGE WL Access Points.
Defaults None.
Access Enabled.
Examples The following command clears UNIVERGE WL Access Points 1:
PROMPT# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
See Also
• set ap on page 54

clear port counters
Clears port statistics counters and resets them to 0.
clear port name
Removes the name assigned to a port.
Syntax clear port port-list name
port-list  List of physical ports. UNIVERGE WL Control System removes the names from all the specified ports.
Defaults None.
Access Enabled.
Examples The following command clears the names of ports 1:
PROMPT# clear port 1 name
See Also
• set port name on page 57
• show port status on page 63

monitor port counters
Displays and continually updates port statistics.
receive-etherstats  Displays Ethernet statistics for received packets first.
transmit-etherstats  Displays Ethernet statistics for transmitted packets first.
Defaults All types of statistics are displayed for ports. UNIVERGE WL Control System refreshes the statistics every 5 seconds, and the interval cannot be configured.
Table 3. Key Controls for Monitor Port Counters Display
Key  Effect on Monitor Display
Esc  Exits the monitor. UNIVERGE WL Control System stops displaying the statistics and displays a new command prompt.
c  Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.
For error reporting, the cyclic redundancy check (CRC) errors include misalignment errors. Jumbo packets with valid CRCs are not counted.
Table 4. Output for monitor port counters
Statistics Option  Field  Description
Displayed for All Options
  Port  Displays the port statistics.
  Status  Port status. The status can be Up or Down.
octets
  Rx Octets  Total number of octets received by the port. This number includes octets received in frames that contained errors.
  Tx Octets  Total number of octets received. This number includes octets received in frames that contained errors.
receive-errors
  Rx Crc  Number of frames received by the port that had the correct length but contained an invalid frame check sequence (FCS) value. This statistic includes frames with misalignment errors.
  Rx Error  Total number of frames received in which the Physical layer (PHY) detected an error.
  Rx Short  Number of frames received by the port that were fewer than 64 bytes long.
collisions
  Single Coll  Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network.
  Multiple Coll  Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
transmit-etherstats
  Tx 64  Number of packets transmitted that were 64 bytes long.
  Tx 127  Number of packets transmitted that were from 65 through 127 bytes long.
  Tx 255  Number of packets transmitted that were from 128 through 255 bytes long.
  Tx 511  Number of packets transmitted that were from 256 through 511 bytes long.
Examples The following command resets port 1:
PROMPT# reset port 1
See Also set port on page 55

set ap
Configures a UNIVERGE WL Access Points, either directly connected to the UNIVERGE WL Controller or indirectly connected through an intermediate Layer 2 or Layer 3 network.
Note. Before configuring a UNIVERGE WL Access Points, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the UNIVERGE WL Controller.
model {WL1500-AP | WL1500-AP-JP | WL1700-MS(AP)}  AP model.
radiotype 11b | 11g  Radio type:
• 11b—802.11b
• 11g—802.11g
Defaults None.
Access Enabled.
Examples The following command configures UNIVERGE WL Access Points 1 for UNIVERGE WL Access Points model WL1500-AP with serial-ID G8TZUB0053:
PROMPT# set ap 1 serial-id G8TZUB0053 model WL1500-AP
success: change accepted.
disable  Disables the specified ports.
port-list  List of physical ports. UNIVERGE WL Control System disables or reenables all the specified ports.
Defaults All ports are enabled.
Access Enabled.
Usage A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Usage This command is allowed only when the current port speed is 10/100 Mbps and the current negotiation mode is not autonegotiation. UNIVERGE WL Controller Ethernet ports support half-duplex and full-duplex operation.
Examples The following command sets the port duplex mode on ports 1 to half:
PROMPT# set port duplex 1 half
success: set port "1" to half

set port name
Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands.
set port negotiation
Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.
Syntax set port negotiation port-list {enable | disable}
port-list  List of physical ports. UNIVERGE WL Control System disables or reenables autonegotiation on all the specified ports.
enable  Enables autonegotiation on the specified ports.
disable  Disables autonegotiation on the specified ports.
Table 5.
The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to a UNIVERGE WL Controller port with this configuration can cause forwarding on the link to stop.
Usage It is recommended that you do not configure the mode of a UNIVERGE WL Controller port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although UNIVERGE WL Control System allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex.
See Also
• set ip snmp server on page 122
• set snmp community on page 130
• set snmp usm on page 146
• set snmp notify profile on page 132
• show snmp community on page 173

show port counters
Displays port statistics.
Syntax show port counters [octets | packets | receive-errors | transmit-errors | collisions | receive-etherstats | transmit-etherstats] [port port-list]
octets  Displays octet statistics.
packets  Displays packet statistics.
Port  Status  Rx Octets  Tx Octets
=================================================================
1     Up      27965420   34886544
This command’s output has the same fields as the monitor port counters command. For descriptions of the fields, see Table 4 on page 50.
See Also
• clear port counters on page 46
• monitor port counters on page 47

show port status
Displays configuration and status information for ports.
Table 6. Output for show port status
Field  Description
Admin  Administrative status of the port:
• up—The port is enabled.
• down—The port is disabled.
Oper  Operational status of the port:
• up—The port is operational.
• down—The port is not operational.
Config  Port speed configured on the port:
• 10—10 Mbps.
• 100—100 Mbps.
• 1000—1000 Mbps.
• auto—The port sets its own speed.
Actual  Speed and operating mode in effect on the port.
6 VLAN Commands Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain. This chapter presents VLAN commands alphabetically. Use the following table to locate commands in this chapter based on their use.
clear fdb
Deletes an entry from the forwarding database (FDB).
Syntax clear fdb {perm | static | dynamic | port port-list} [vlan vlan-id] [tag tag-value]
perm  Clears permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. You must specify a VLAN name or number with this option.
static  Clears static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
Usage You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN name or number is required for deleting permanent or static entries.
Examples The following command clears all static forwarding database entries that match VLAN blue:
PROMPT# clear fdb static vlan blue
success: change accepted.
The following command clears all dynamic forwarding database entries that match all VLANs:
PROMPT# clear fdb dynamic
success: change accepted.
Defaults If you do not specify a list of MAC addresses or all, all addresses are removed.
Access Enabled.
Usage If you clear all MAC addresses, Layer 2 forwarding is no longer restricted in the VLAN. Clients within the VLAN can communicate directly. There can be a slight delay before functions such as pinging between clients become available again after Layer 2 restrictions are lifted.
Defaults If you do not specify a VLAN or all, counters for all VLANs are cleared.
Access Enabled.
Usage To clear MAC addresses from the list of addresses that clients are allowed to send data, use the clear security l2-restrict command instead.
Examples The following command clears Layer 2 forwarding restriction statistics for VLAN abc_air:
PROMPT# clear security l2-restrict counters vlan abc_air
success: change accepted.
port port-list  List of physical ports. UNIVERGE WL Control System removes the specified ports from the VLAN. If you do not specify a list of ports, UNIVERGE WL Control System removes the VLAN entirely.
tag tag-value  Tag number that identifies a virtual port. UNIVERGE WL Control System removes only the specified virtual port from the specified physical ports.
Defaults None.
Access Enabled.
Usage If you do not specify a port-list, the entire VLAN is removed from the configuration.
set fdb
Adds a permanent or static entry to the forwarding database.
Syntax set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
perm  Adds a permanent entry. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
static  Adds a static entry. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle.
mac-addr  Destination MAC address of the entry.
The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN:
PROMPT# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
success: change accepted.
See Also
• clear fdb on page 66
• show fdb on page 77

set fdb agingtime
Changes the aging timeout period for dynamic entries in the forwarding database.
Syntax set fdb agingtime vlan-id age seconds
vlan-id  VLAN name or number.
set security l2-restrict
Restricts Layer 2 forwarding between clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, UNIVERGE WL Control System allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN default routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified default routers.
See Also
• clear security l2-restrict on page 67
• clear security l2-restrict counters on page 68
• show security l2-restrict on page 84

set vlan name
Creates a VLAN and assigns a number and name to it.
Syntax set vlan vlan-num name name
vlan-num  VLAN number. You can specify a number from 2 through 4093.
name  String up to 16 alphabetic characters long.
Defaults VLAN 1 is named default by default. No other VLANs have default names.
Access Enabled.
Examples The following command assigns the name marigold to VLAN 3:
PROMPT# set vlan 3 name marigold
success: change accepted.
See Also set vlan port on page 75

set vlan port
Assigns one or more network ports to a VLAN. You also can add a virtual port to each network port by adding a tag value to the network port.
Syntax set vlan vlan-id port port-list [tag tag-value]
vlan-id  VLAN name or number.
port port-list  List of physical ports.
The following command adds port 16 to VLAN beige and assigns tag value 86 to the port:

PROMPT# set vlan beige port 16 tag 86
success: change accepted.

See Also
• clear vlan on page 69
• set vlan name on page 74
• show vlan config on page 86

set vlan tunnel-affinity

Changes a UNIVERGE WL Controller's preference within a mobility domain for tunneling user traffic for a VLAN.
If more than one UNIVERGE WL Controller has the highest affinity value, UNIVERGE WL Control System randomly selects one of the UNIVERGE WL Controllers for the tunnel.

Examples
The following command changes the VLAN affinity for VLAN beige to 10:

PROMPT# set vlan beige tunnel-affinity 10
success: change accepted.

See Also
• show roaming vlan on page 83
• show vlan config on page 86

show fdb

Displays entries in the forwarding database.
system
    Displays system entries. A system entry is added by UNIVERGE WL Control System. For example, the authentication protocols can add entries for wired and wireless authentication users.
all
    Displays all entries in the database, or all the entries that match a particular port or ports or a particular VLAN.
port port-list
    Destination port(s) for which to display entries.

Defaults
None.

Access
All.
Table 7. Output for show fdb

Field
    Description
VLAN
    VLAN number.
TAG
    VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des
    MAC address of the forwarding entry destination.
CoS
    Type of entry. The entry types are explained in the first row of the command output.
    Note: This Class of Service (CoS) value is not associated with UNIVERGE WL Control System quality of service (QoS) features.
Defaults
None.

Access
All.

Examples
The following command displays the aging timeout period for all VLANs:

PROMPT# show fdb agingtime
VLAN 2 aging time = 600 sec
VLAN 1 aging time = 300 sec

Because the forwarding database aging timeout period can be configured only on an individual VLAN basis, the command lists the aging timeout period for each VLAN separately.

See Also
set fdb agingtime on page 72

show fdb count

Lists the number of entries in the forwarding database.
Examples
The following command lists the number of dynamic entries that the forwarding database contains:

PROMPT# show fdb count dynamic
Total Matching Entries = 2

See Also
show fdb on page 77

show roaming station

Displays a list of the stations roaming to the UNIVERGE WL Controller through a VLAN tunnel.

Syntax
show roaming station [vlan vlan-id] [peer ip-addr]

vlan vlan-id
    Output is restricted to stations using this VLAN.
Table 8 describes the fields in the display.

Table 8. Output for show roaming station

Field
    Description
User Name
    Name of the user. This is the name used for authentication. The name resides in a RADIUS server database or the local user database on a UNIVERGE WL Controller.
Station Address
    IP address of the user device.
VLAN
    Name of the VLAN that the RADIUS server or UNIVERGE WL Controller local user database assigned the user.
show roaming vlan

Shows all VLANs in the mobility domain, the UNIVERGE WL Controllers servicing the VLANs, and their tunnel affinity values configured on each UNIVERGE WL Controller for the VLANs.

Syntax
show roaming vlan

Defaults
None.

Access
Enabled.

Examples
The following command shows the current roaming VLANs:

PROMPT# show roaming vlan
VLAN              Switch IP Address   Affinity
----------------- ------------------- ----------
vlan-cs           192.168.14.2        5
vlan-eng          192.168.14.
show security l2-restrict

Displays configuration information and statistics for Layer 2 forwarding restriction.

Syntax
show security l2-restrict [vlan vlan-id | all]

vlan-id
    VLAN name or number.
all
    Displays information for all VLANs.

Defaults
If you do not specify a VLAN name or all, information is displayed for all VLANs.

Access
Enabled.
Table 10. Output for show security l2-restrict

Field
    Description
Permit MAC
    MAC addresses to which clients in the VLAN are allowed to send traffic at Layer 2.
Hits
    Number of packets whose source MAC address was a client in this VLAN, and whose destination MAC address was one of those listed under Permit MAC.
Table 11. Output for show tunnel

Field
    Description
VLAN
    VLAN name.
Local Address
    IP address of the local end of the tunnel. This is the UNIVERGE WL Controller IP address where you enter the command.
Remote Address
    IP address of the remote end of the tunnel. This is the system IP address of another UNIVERGE WL Controller in the mobility domain.
State
    Tunnel state:
    • Up
    • Dormant
Port
    Tunnel port ID.
LVID
    Local VLAN ID.
RVID
    Remote VLAN ID.
                 Admin  VLAN  Tunl                   Port
VLAN Name        Status State Affin Port        Tag  State
---- ----------- ------ ----- ----- ----------- ---- -----
   2 burgundy    Up     Up    5
                                    2           none Up
                                    3           none Up
                                    4           none Up
                                    6           none Up
                                    11          none Up
                                    t:10.10.40.4 none Up

Table 12 describes the fields in this display.

Table 12. Output for show vlan config

Field
    Description
VLAN
    VLAN number.
Name
    VLAN name.
Admin Status
    Administrative status of the VLAN:
    • Down—The VLAN is disabled.
    • Up—The VLAN is enabled.
Tag
    Tag value assigned to the port.
Port State
    Link state of the port:
    • Down—The port is not connected.
    • Up—The port is connected.
7 Quality of Service Commands

Use Quality of Service (QoS) commands to configure packet prioritization in UNIVERGE WL Control System. Packet prioritization ensures that UNIVERGE WL Controllers and UNIVERGE WL Access Points give preferential treatment to high-priority traffic such as voice and video. (To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See Chapter 14, “Security ACL Commands,” on page 453.
clear qos

Resets the UNIVERGE WL Controller mapping of Differentiated Services Code Point (DSCP) values to internal QoS values. The UNIVERGE WL Controller internal QoS map ensures that prioritized traffic remains prioritized while transiting the UNIVERGE WL Controller.
PROMPT# clear qos dscp-to-qos-map 44
success: change accepted.

set qos cos-to-dscp-map

Changes the value to which UNIVERGE WL Control System maps an internal QoS value when marking outbound packets.

Syntax
set qos cos-to-dscp-map level dscp dscp-value

level
    Internal CoS value. You can specify a number from 0 to 7.
dscp dscp-value
    DSCP value. You can specify the value as a decimal number. Valid values are 0 to 63.
Syntax
set qos dscp-to-cos-map dscp-range cos level

dscp-range
    DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40-56. Specify the lower number first.
cos level
    Internal QoS value. You can specify a number from 0 to 7.

Defaults
The defaults are listed by the show qos command.

Access
Enabled.
Examples
The following command displays the default QoS settings:

PROMPT# show qos default
Ingress QoS Classification Map (dscp-to-cos)
Ingress DSCP CoS Level
=================================================================
00-09 0 0 0 0 0 0 0 0 1 1
10-19 1 1 1 1 1 1 2 2 2 2
20-29 2 2 2 2 3 3 3 3 3 3
30-39 3 3 4 4 4 4 4 4 4 4
40-49 5 5 5 5 5 5 5 5 6 6
50-59 6 6 6 6 6 6 7 7 7 7
60-63 7 7 7 7
Egress QoS Marking Map (cos-to-dscp)
CoS Level 0 1 2 3 4 5 6 7
======================
See Also
show qos on page 92
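An added example, not part of the NEC manual: a Python check that parses the ingress (dscp-to-cos) table in the layout shown by show qos, reports every DSCP value whose CoS level differs from the default table in this chapter, and builds the set qos dscp-to-cos-map commands that would restore it. The captured output is constructed, and the function names are the example's own.

```python
import re

# One table row: "40-49  5 5 5 5 5 5 5 5 6 6"
ROW = re.compile(r"^\s*(\d{1,2})-(\d{1,2})\s+(\d+(?:\s+\d+)*)\s*$")

# The default ingress table printed in this chapter works out to cos = dscp >> 3.
DEFAULT_MAP = {dscp: dscp >> 3 for dscp in range(64)}

# Constructed sample output: DSCP 24, 25 and 46 have been remapped to CoS 0.
SAMPLE_SHOW_QOS = """\
Ingress QoS Classification Map (dscp-to-cos)
Ingress DSCP    CoS Level
===============================================
00-09           0 0 0 0 0 0 0 0 1 1
10-19           1 1 1 1 1 1 2 2 2 2
20-29           2 2 2 2 0 0 3 3 3 3
30-39           3 3 4 4 4 4 4 4 4 4
40-49           5 5 5 5 5 5 0 5 6 6
50-59           6 6 6 6 6 6 7 7 7 7
60-63           7 7 7 7
Egress QoS Marking Map (cos-to-dscp)
"""


def parse_ingress_map(text):
    """Return {dscp: cos} for all 64 DSCP values, or raise ValueError."""
    mapping = {}
    for line in text.splitlines():
        if line.strip().startswith("Egress"):
            break  # the egress map uses a different layout and is not parsed here
        m = ROW.match(line)
        if not m:
            continue  # titles, column headers and separator lines
        lo, hi = int(m.group(1)), int(m.group(2))
        levels = [int(v) for v in m.group(3).split()]
        if hi < lo or hi > 63 or len(levels) != hi - lo + 1:
            raise ValueError("malformed row: %r" % line)
        for dscp, cos in zip(range(lo, hi + 1), levels):
            if not 0 <= cos <= 7:
                raise ValueError("CoS level out of range in row: %r" % line)
            mapping[dscp] = cos
    missing = sorted(set(range(64)) - set(mapping))
    if missing:
        raise ValueError("table is incomplete, missing DSCP values: %s" % missing)
    return mapping


def drift_from_default(mapping):
    """Return [(dscp, default_cos, configured_cos)] for every changed entry."""
    return [(d, DEFAULT_MAP[d], mapping[d])
            for d in range(64) if mapping[d] != DEFAULT_MAP[d]]


def restore_commands(drift):
    """Build set qos dscp-to-cos-map commands, merging adjacent DSCP values
    that share a default level into one lower-upper range."""
    commands, run = [], None  # run = [first_dscp, last_dscp, level]
    for dscp, level, _ in sorted(drift):
        if run and dscp == run[1] + 1 and level == run[2]:
            run[1] = dscp
            continue
        if run:
            commands.append(_format(run))
        run = [dscp, dscp, level]
    if run:
        commands.append(_format(run))
    return commands


def _format(run):
    lo, hi, level = run
    dscp_range = str(lo) if lo == hi else "%d-%d" % (lo, hi)
    return "set qos dscp-to-cos-map %s cos %d" % (dscp_range, level)


if __name__ == "__main__":
    drift = drift_from_default(parse_ingress_map(SAMPLE_SHOW_QOS))
    for dscp, default, actual in drift:
        print("DSCP %2d: default CoS %d, configured CoS %d" % (dscp, default, actual))
    for command in restore_commands(drift):
        print(command)
```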
8 IP Services Commands

Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a route. This chapter presents IP services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
DNS
    set ip dns on page 116
    set ip dns domain on page 117
    set ip dns server on page 118
    show ip dns on page 164
    clear ip dns domain on page 99
    clear ip dns server on page 99
IP Alias
    set ip alias on page 115
    show ip alias on page 163
    clear ip alias on page 98
Time and Date
    set timedate on page 154
    set timezone on page 155
    set summertime on page 151
    show timedate on page 176
    show timezone on page 177
    show summertime on page 175
    clear timezone on page 107
    clear summertime on page 105
NTP
    set
    set snmp usm on page 146
    set snmp notify profile on page 132
    set snmp notify target on page 137
    set ip snmp server on page 122
    show snmp status on page 174
    show snmp community on page 173
    show snmp usm on page 175
    show snmp notify profile on page 173
    show snmp notify target on page 174
    show snmp counters on page 173
    clear snmp community on page 103
    clear snmp usm on page 105
    clear snmp notify profile on page 103
    clear snmp notify target on page 104
Ping
    ping on page 107
Telnet
    c
Usage
If the interface you want to remove is configured as the system IP address, removing the address can interfere with system tasks using the system IP address, including the following:
• Mobility domain operations
• Topology reporting for dual-homed AP
• Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps

Examples
The following command removes the IP interface configured on VLAN mauve:

PROMPT# clear interface mauve ip
• show ip alias on page 163

clear ip dns domain

Removes the default DNS domain name.

Syntax
clear ip dns domain

Defaults
None.

Access
Enabled.

Examples
The following command removes the default DNS domain name from a UNIVERGE WL Controller:

PROMPT# clear ip dns domain
Default DNS domain name cleared.
Examples
The following command removes DNS server 10.10.10.69 from a UNIVERGE WL Controller configuration:

PROMPT# clear ip dns server 10.10.10.69
success: change accepted.

See Also
• clear ip dns domain on page 99
• set ip dns on page 116
• set ip dns domain on page 117
• set ip dns server on page 118
• show ip dns on page 164

clear ip route

Removes a route from the IP route table.
Examples
The following command removes the route to destination 10.10.10.68/24 through router 10.10.10.1:

PROMPT# clear ip route 10.10.10.68/24 10.10.10.1
success: change accepted.

See Also
• set ip route on page 120
• show ip route on page 167

clear ip telnet

Resets the Telnet server TCP port number to its default value. A UNIVERGE WL Controller listens for Telnet management traffic on the Telnet server port.
clear ntp server

Removes an NTP server from a UNIVERGE WL Controller configuration.

Syntax
clear ntp server {ip-addr | all}

ip-addr
    IP address of the server to remove, in dotted decimal notation.
all
    Removes all NTP servers from the configuration.

Defaults
None.

Access
Enabled.

Examples
The following command removes NTP server 192.168.40.240 from a UNIVERGE WL Controller configuration:

PROMPT# clear ntp server 192.168.40.240
success: change accepted.
Examples
To reset the NTP interval to the default value, type the following command:

PROMPT# clear ntp update-interval
success: change accepted.

See Also
• clear ntp server on page 102
• set ntp on page 127
• set ntp server on page 128
• set ntp update-interval on page 129
• show ntp on page 170

clear snmp community

Clears an SNMP community string.
Syntax
clear snmp notify profile profile-name

profile-name
    Name of the notification profile you are clearing.

Defaults
None.

Access
Enabled.

Examples
The following command clears notification profile snmpprof_rfdetect:

PROMPT# clear snmp notify profile snmpprof_rfdetect
success: change accepted.

See Also
• set snmp notify profile on page 132
• show snmp notify profile on page 173

clear snmp notify target

Clears an SNMP notification target.
See Also
• set snmp notify target on page 137
• show snmp notify target on page 174

clear snmp usm

Clears an SNMPv3 user.

Syntax
clear snmp usm usm-username

usm-username
    Name of the SNMPv3 user you want to clear.

Defaults
None.

Access
Enabled.

Examples
The following command clears SNMPv3 user snmpmgr1:

PROMPT# clear snmp usm snmpmgr1
success: change accepted.
See Also
• clear timezone on page 107
• set summertime on page 151
• set timedate on page 154
• set timezone on page 155
• show summertime on page 175
• show timedate on page 176
• show timezone on page 177

clear system ip-address

Clears the system IP address.

Caution! Clearing the system IP address disrupts the system tasks that use the address.

Syntax
clear system ip-address

Defaults
None.

Access
Enabled.
See Also
• set system ip-address on page 153
• show system on page 40

clear timezone

Clears the time offset for the UNIVERGE WL Controller real-time clock from Coordinated Universal Time (UTC). UTC is also known as Greenwich Mean Time (GMT).

Syntax
clear timezone

Defaults
None.

Access
Enabled.

Examples
To return the UNIVERGE WL Controller real-time clock to UTC, type the following command:

PROMPT# clear timezone
success: change accepted.
Syntax
ping host [count num-packets] [dnf] [flood] [interval time] [size size]

host
    IP address, MAC address, hostname, alias, or user to ping.
count num-packets
    Number of ping packets to send. You can specify from 0 through 2,147,483,647. If you enter 0, UNIVERGE WL Control System pings continuously until you interrupt the command.
dnf
    Enables the Do Not Fragment bit in the ping packet to prevent fragmenting the packet.
A UNIVERGE WL Controller cannot ping itself. UNIVERGE WL Control System does not support this. A UNIVERGE WL Controller does not support the interval option.

Examples
The following command pings a device that has IP address 10.1.1.1:

PROMPT# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.628 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.
Examples
The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff:

PROMPT# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1

See Also
• set arp agingtime on page 110
• show arp on page 156

set arp agingtime

Changes the aging timeout for dynamic ARP entries.
See Also
• set arp on page 109
• show arp on page 156

set interface

Configures an IP interface on a VLAN.

Syntax
set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}

vlan-id
    VLAN name or number.
ip-addr mask
    IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length
    IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24).

Defaults
None.

Access
Enabled.

Usage
The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve:

PROMPT# set interface mauve ip 10.10.20.10 255.255.255.0
success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve

See Also
• clear interface on page 97
• set interface status on page 115
• show interface on page 161

set interface dhcp-client

Configures the DHCP client on a VLAN and allows the VLAN to obtain its IP interface from a DHCP server.
Examples
The following command enables the DHCP client on VLAN corpvlan:

PROMPT# set interface corpvlan ip dhcp-client enable
success: change accepted.

See Also
• clear interface on page 97
• show dhcp-client on page 157
• show interface on page 161

set interface dhcp-server

Configures the UNIVERGE WL Control System DHCP server.

Note.
primary-dns ip-addr [secondary-dns ip-addr]
    IP addresses of the DHCP client’s DNS servers.
default-router ip-addr
    IP address of the DHCP client’s default router.

Defaults
The DHCP server is enabled by default.

Access
Enabled.

Usage
By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range.
• set ip dns server on page 118
• show dhcp-server on page 159

set interface status

Administratively disables or reenables an IP interface.

Syntax
set interface vlan-id status {up | down}

vlan-id
    VLAN name or number.
up
    Enables the interface.
down
    Disables the interface.

Defaults
IP interfaces are enabled by default.

Access
Enabled.
Syntax
set ip alias name ip-addr

name
    String of up to 32 alphanumeric characters, with no spaces.
ip-addr
    IP address in dotted decimal notation.

Defaults
None.

Access
Enabled.

Examples
The following command configures the alias HR1 for IP address 192.168.1.2:

PROMPT# set ip alias HR1 192.168.1.2
success: change accepted.

See Also
• clear ip alias on page 98
• show ip alias on page 163

set ip dns

Enables or disables DNS on a UNIVERGE WL Controller.
See Also
• clear ip dns domain on page 99
• clear ip dns server on page 99
• set ip dns domain on page 117
• set ip dns server on page 118
• show ip dns on page 164

set ip dns domain

Configures a default domain name for DNS queries. The UNIVERGE WL Controller appends the default domain name to domain names or hostnames you enter in commands.
See Also
• clear ip dns domain on page 99
• clear ip dns server on page 99
• set ip dns on page 116
• set ip dns server on page 118
• show ip dns on page 164

set ip dns server

Specifies a DNS server to use for resolving hostnames you enter in CLI commands.

Syntax
set ip dns server ip-addr {primary | secondary}

ip-addr
    IP address of a DNS server, in dotted decimal or CIDR notation.
success: change accepted.

PROMPT# set ip dns server 10.10.30.69/24 secondary
success: change accepted.

See Also
• clear ip dns domain on page 99
• clear ip dns server on page 99
• set ip dns on page 116
• set ip dns domain on page 117
• show ip dns on page 164

set ip https server

Enables the HTTPS server on a UNIVERGE WL Controller. The HTTPS server is required for WebView access to the UNIVERGE WL Controller.
• set ip telnet on page 125
• set ip telnet server on page 126
• show ip https on page 165
• show ip telnet on page 169

set ip route

Adds a static route to the IP route table.

Syntax
set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric

default
    Default route. A UNIVERGE WL Controller uses the default route if an explicit route is not available for the destination.
    Note: default is an alias for IP address 0.0.0.0/0.
Usage
UNIVERGE WL Control System can use a static route only if a direct route in the route table resolves the static route. UNIVERGE WL Control System adds routes with next-hop types Local and Direct when you add an IP interface to a VLAN, if the VLAN is up. If one of these added routes can resolve the static route, UNIVERGE WL Control System can use the static route.
The following command adds an explicit route from a UNIVERGE WL Controller to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and gives the route a cost of 1:

PROMPT# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1
success: change accepted.

The following command adds another explicit route, using CIDR notation to specify the subnet mask:

PROMPT# set ip route 192.168.5.0/24 10.5.5.2 1
success: change accepted.
• set snmp community on page 130
• set snmp usm on page 146
• set snmp notify profile on page 132
• show snmp community on page 173

set ip ssh

Changes the TCP port number on which a UNIVERGE WL Controller listens for Secure Shell (SSH) management traffic.

Caution! If you change the SSH port number from an SSH session, UNIVERGE WL Control System immediately ends the session. To open a new management session, you must configure the SSH client to use the new TCP port number.
set ip ssh server

Disables or reenables the SSH server on a UNIVERGE WL Controller.

Caution! If you disable the SSH server, SSH access to the UNIVERGE WL Controller is also disabled.

Syntax
set ip ssh server {enable | disable}

enable
    Enables the SSH server.
disable
    Disables the SSH server.

Defaults
The SSH server is enabled by default.

Access
Enabled.

Usage
SSH requires an SSH authentication key. You can generate one or allow UNIVERGE WL Control System to generate one.
set ip telnet

Changes the TCP port number on which a UNIVERGE WL Controller listens for Telnet management traffic.

Caution! If you change the Telnet port number from a Telnet session, UNIVERGE WL Control System immediately ends the session. To open a new management session, you must Telnet to the UNIVERGE WL Controller with the new Telnet port number.

Syntax
set ip telnet port-num

port-num
    TCP port number.

Defaults
The default Telnet port number is 23.

Access
Enabled.
set ip telnet server

Enables the Telnet server on a UNIVERGE WL Controller.

Caution! If you disable the Telnet server, Telnet access to the UNIVERGE WL Controller is also disabled.

Syntax
set ip telnet server {enable | disable}

enable
    Enables the Telnet server.
disable
    Disables the Telnet server.

Defaults
The Telnet server is enabled by default.

Access
Enabled.

Usage
The maximum number of Telnet sessions supported on a UNIVERGE WL Controller is eight.
set ntp

Enables or disables the NTP client on a UNIVERGE WL Controller.

Syntax
set ntp {enable | disable}

enable
    Enables the NTP client.
disable
    Disables the NTP client.

Defaults
The NTP client is disabled by default.

Access
Enabled.

Usage
If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes, convergence of the UNIVERGE WL Controller time can take many NTP update intervals.
set ntp server

Configures a UNIVERGE WL Controller to use an NTP server.

Syntax
set ntp server ip-addr

ip-addr
    IP address of the NTP server, in dotted decimal notation.

Defaults
None.

Access
Enabled.

Usage
You can configure up to three NTP servers. UNIVERGE WL Control System queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis.
set ntp update-interval

Changes how often UNIVERGE WL Control System sends queries to the NTP servers for updates.

Syntax
set ntp update-interval seconds

seconds
    Number of seconds between queries. You can specify from 16 through 1024 seconds.

Defaults
The default NTP update interval is 64 seconds.

Access
Enabled.

Examples
The following command changes the NTP update interval to 128 seconds:

PROMPT# set ntp update-interval 128
success: change accepted.
set snmp community

Configures a community string for SNMPv1 or SNMPv2c.

Note. For SNMPv3, use the set snmp usm command to configure an SNMPv3 user. SNMPv3 does not use community strings.

Syntax
set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}

comm-string
    Name of the SNMP community. Specify between 1 and 32 alphanumeric characters, with no spaces.
Usage
SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. UNIVERGE WL Control System recommends that you use strings that cannot easily be guessed by unauthorized users. For example, do not use the well-known strings public and private. If you are using SNMPv3, you can configure SNMPv3 users to use authentication and to encrypt SNMP data.
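An added example, not part of the NEC manual: a Python audit that applies the Usage guidance above to a saved list of SNMP commands and flags well-known community strings, write access behind a clear-text community string, and SNMPv3 users without authentication or encryption. The sample configuration is constructed, and the keyword order of its set snmp usm lines is an assumption; auth-type and encrypt-type are the keywords this chapter documents for set snmp usm. Treating DES as weak is the example's own rule, not a statement from the manual.

```python
WELL_KNOWN = {"public", "private"}                 # named in the Usage text
WRITE_ACCESS = {"read-write", "notify-read-write"}

# Constructed sample configuration (not taken from a real controller).
# Community strings and passphrases are made-up placeholder values.
SAMPLE_CONFIG = """\
set snmp community name public access read-only
set snmp community name Xk29fPqLm7 access read-write
set snmp community name mon8Hq2Zr4 access read-only
set snmp usm snmpmgr1 snmp-engine-id local access read-only auth-type none encrypt-type none
set snmp usm snmpmgr2 snmp-engine-id local access read-write auth-type md5 auth-pass-phrase EXAMPLE-PASS-1 encrypt-type des encrypt-pass-phrase EXAMPLE-PASS-2
set snmp usm snmpmgr3 snmp-engine-id local access read-only auth-type sha auth-pass-phrase EXAMPLE-PASS-3 encrypt-type aes encrypt-pass-phrase EXAMPLE-PASS-4
set snmp security unsecured
"""


def value_after(tokens, keyword, start=0):
    """Return the token that follows `keyword` at or after `start`, else None.

    Matching by keyword rather than by position keeps the parser independent
    of the exact parameter order, which is assumed here."""
    for i in range(start, len(tokens) - 1):
        if tokens[i] == keyword:
            return tokens[i + 1]
    return None


def audit_snmp(config_text):
    """Return findings as (line_number, rule_id, message) tuples."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tok = raw.split()
        if tok[:4] == ["set", "snmp", "community", "name"] and len(tok) > 4:
            # Only a well-known string is echoed; other strings are secrets.
            if tok[4].lower() in WELL_KNOWN:
                findings.append((lineno, "COMM-WELL-KNOWN",
                                 "well-known community string '%s'" % tok[4]))
            if value_after(tok, "access", 5) in WRITE_ACCESS:
                findings.append((lineno, "COMM-WRITE",
                                 "write access guarded only by a clear-text community string"))
        elif tok[:3] == ["set", "snmp", "usm"] and len(tok) > 3:
            user = tok[3]
            if value_after(tok, "auth-type", 4) == "none":
                findings.append((lineno, "USM-NO-AUTH",
                                 "SNMPv3 user %s has no authentication" % user))
            # The encrypt-type description gives none as the default.
            encrypt = value_after(tok, "encrypt-type", 4) or "none"
            if encrypt == "none":
                findings.append((lineno, "USM-NO-ENCRYPT",
                                 "SNMPv3 user %s sends SNMP data unencrypted" % user))
            elif encrypt == "des":
                findings.append((lineno, "USM-WEAK-ENCRYPT",
                                 "SNMPv3 user %s uses DES; 3des or aes is available" % user))
        elif tok[:4] == ["set", "snmp", "security", "unsecured"]:
            findings.append((lineno, "SECURITY-UNSECURED",
                             "set snmp security unsecured: message exchanges are not secure"))
    return findings


if __name__ == "__main__":
    for lineno, rule, message in audit_snmp(SAMPLE_CONFIG):
        print("line %d  %-18s %s" % (lineno, rule, message))
```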
set snmp notify profile

Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by a UNIVERGE WL Controller, and for each notification type, the action to take (drop or send) when an event occurs. You can configure up to ten notification profiles.
notification-type
    Name of the notification type:
    • APBootTraps—Generated when a UNIVERGE WL Access Point boots.
    • ApNonOperStatusTraps—Generated to indicate a UNIVERGE WL Access Point radio is nonoperational.
    • ApOperRadioStatusTraps—Generated when the status of a UNIVERGE WL Access Point radio changes.
    • APTimeoutTraps—Generated when an AP fails to respond to the UNIVERGE WL Controller.
notification-type (cont.)
    • CounterMeasureStopTraps—Generated when UNIVERGE WL Control System stops countermeasures against a rogue access point.
    • DAPConnectWarningTraps—Generated when a UNIVERGE WL Access Point whose fingerprint has not been configured in UNIVERGE WL Control System establishes a management session with the UNIVERGE WL Controller.
    • DeviceFailTraps—Generated when an event with an Alert severity occurs.
notification-type (cont.)
    • RFDetectDoSPortTraps—Generated when UNIVERGE WL Control System detects an associate request flood, reassociate request flood, or disassociate request flood.
    • RFDetectDoSTraps—Generated when UNIVERGE WL Control System detects a DoS attack other than an associate request flood, reassociate request flood, or disassociate request flood.
    • RFDetectInterferingRogueAPTraps—Generated when an interfering device is detected.
Examples
The following command changes the action in the default notification profile from drop to send for all notification types:

PROMPT# set snmp notify profile default send all
success: change accepted.

The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:

PROMPT# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
See Also
• clear snmp notify profile on page 103
• set ip snmp server on page 122
• set snmp community on page 130
• set snmp notify target on page 137
• set snmp protocol on page 143
• set snmp security on page 144
• set snmp usm on page 146
• show snmp notify profile on page 173

set snmp notify target

Configures a notification target for notifications from SNMP.
target-num
    ID for the target. This ID is local to the UNIVERGE WL Controller and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip-addr[:udp-port-number]
    IP address of the server. You also can specify the UDP port number to send notifications to.
username
    USM username. This option is applicable only when the SNMP version is usm.
retries num
    Specifies the number of times the UNIVERGE WL Control System SNMP engine will resend a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
timeout num
    Specifies the number of seconds UNIVERGE WL Control System waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.
profile profile-name
    Notification profile this SNMP user will use to specify the notification types to send or drop.
security {unsecured | authenticated | encrypted}
    Specifies the security level, and is applicable only when the SNMP version is usm:
    • unsecured—Message exchanges are not authenticated, nor are they encrypted. This is the default.
    • authenticated—Message exchanges are authenticated, but are not encrypted.
retries num
    Specifies the number of times the UNIVERGE WL Control System SNMP engine will resend a notification that has not been acknowledged by the target. You can specify from 0 to 3 retries.
timeout num
    Specifies the number of seconds UNIVERGE WL Control System waits for acknowledgement of a notification. You can specify from 1 to 5 seconds.
SNMPv1 with Traps

To configure a notification target for traps from SNMPv1, use the following command:

Syntax
set snmp notify target target-num ip-addr[:udp-port-number] v1 community-string [profile profile-name]

target-num
    ID for the target. This ID is local to the UNIVERGE WL Controller and does not need to correspond to a value on the target itself. You can specify a number from 1 to 10.
ip-addr[:udp-port-number]
    IP address of the server.
This command configures target 1 at IP address 10.10.40.9. The target SNMP engine ID is based on its address. The UNIVERGE WL Control System SNMP engine sends notifications based on the default profile, and requires the target to acknowledge receiving them.

The following command configures a notification target for unacknowledged notifications:

PROMPT# set snmp notify target 2 10.10.40.10 v1 trap
success: change accepted.
enable
    Enables the specified SNMP version(s).
disable
    Disables the specified SNMP version(s).

Defaults
All SNMP versions are disabled by default.

Access
Enabled.

Usage
SNMP requires the UNIVERGE WL Controller system IP address to be set. SNMP does not work without the system IP address. You also must enable the SNMP service using the set ip snmp server command.
Syntax
set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify}

unsecured
    SNMP message exchanges are not secure. This is the only value supported for SNMPv1 and SNMPv2c.
authenticated
    SNMP message exchanges are authenticated but are not encrypted.
encrypted
    SNMP message exchanges are authenticated and encrypted.
set snmp usm

Creates a USM user for SNMPv3.

Note. This command does not apply to SNMPv1 or SNMPv2c. For these SNMP versions, use the set snmp community command to configure community strings.
usm-username
    Name of the SNMPv3 user. Specify between 1 and 32 alphanumeric characters, with no spaces.
snmp-engine-id {ip ip-addr | local | hex hex-string}
    Specifies a unique identifier for the SNMP engine. To send informs, you must specify the engine ID of the inform receiver. To send traps and to allow get and set operations and so on, specify local as the engine ID.
    • hex hex-string—ID is a hexadecimal string.
access {read-only | read-notify | notify-only | read-write | notify-read-write}
    Specifies the access level of the user:
    • read-only—An SNMP management application using the string can get (read) object values on the UNIVERGE WL Controller but cannot set (write) them.
    • read-notify—An SNMP management application using the string can get object values on the UNIVERGE WL Controller but cannot set them. The UNIVERGE WL Controller can use the string to send notifications.
auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string}
    Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
    • none—No authentication is used.
    • md5—Message-digest algorithm 5 is used.
    • sha—Secure Hashing Algorithm (SHA) is used.
    If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase string | encrypt-key hex-string}
    Specifies the encryption type used for SNMP traffic. You can specify one of the following:
    • none—No encryption is used. This is the default.
    • des—Data Encryption Standard (DES) encryption is used.
    • 3des—Triple DES encryption is used.
    • aes—Advanced Encryption Standard (AES) encryption is used.
    If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key.
success: change accepted.
See Also
• clear snmp usm on page 105
• set ip snmp server on page 122
• set snmp community on page 130
• set snmp notify target on page 137
• set snmp notify profile on page 132
• set snmp protocol on page 143
• set snmp security on page 144
• show snmp usm on page 175
set summertime
Offsets the real-time clock of a UNIVERGE WL Controller by +1 hour and returns it to standard time for daylight savings time or a similar summertime period.
hour
    Hour to start or end the time change—a value between 0 and 23 on the 24-hour clock.
min
    Minute to start or end the time change—a value between 0 and 59.
end
    End of the time change period.
Defaults: If you do not specify a start and end time, the system implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in October, according to the North American standard.
Access: Enabled.
set system ip-address
Configures the system IP address.
set timedate
Sets the time of day and date on the UNIVERGE WL Controller.
Syntax: set timedate {date mmm dd yyyy [time hh:mm:ss]}
date mmm dd yyyy
    System date:
    • mmm—month.
    • dd—day.
    • yyyy—year.
time hh:mm:ss
    System time, in hours, minutes, and seconds.
Defaults: None.
Access: Enabled.
Usage: The day of week is automatically calculated from the day that you set.
• show timedate on page 176
• show timezone on page 177
set timezone
Sets the number of hours, and optionally, the number of minutes, that the UNIVERGE WL Controller real-time clock is offset from Coordinated Universal Time (UTC). These values are also used by Network Time Protocol (NTP), if it is enabled.
Syntax: set timezone zone-name {-hours [minutes]}
zone-name
    Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like.
• show timedate on page 176
• show timezone on page 177
show arp
Displays the ARP table.
Syntax: show arp [ip-addr]
ip-addr
    IP address.
Defaults: If you do not specify an IP address, the entire ARP table is displayed.
Access: All.
Examples: The following command displays ARP entries:
PROMPT# show arp
ARP aging time: 1200 seconds
Host
-------------------------
10.5.4.51
10.5.4.
Table 13. Output for show arp
Field  Description
Type
    Entry type:
    • DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout.
    • LOCAL—Entry for the UNIVERGE WL Controller MAC address. Each VLAN has one local entry for the UNIVERGE WL Controller MAC address.
    • PERMANENT—Entry does not age out and remains in the configuration even following a reboot.
    • STATIC—Entry does not age out but is removed after a reboot.
Examples: The following command displays DHCP client information:
PROMPT# show dhcp-client
Interface: corpvlan(4)
Configuration Status: Enabled
DHCP State: IF_UP
Lease Allocation: 65535 seconds
Lease Remaining: 65532 seconds
IP Address: 10.3.1.110
Subnet Mask: 255.255.255.0
Default Gateway: 10.3.1.1
DHCP Server: 10.3.1.4
DNS Servers: 10.3.1.29
DNS Domain Name: mycorp.com
Table 14 describes the fields in this display.
Table 14. Output for show dhcp-client
Field  Description
DNS Servers
    DNS server IP address(es) received from the DHCP server.
DNS Domain Name
    Default DNS domain name received from the DHCP server.
See Also
• set interface dhcp-client on page 112
show dhcp-server
Displays UNIVERGE WL Control System DHCP server information.
Syntax: show dhcp-server [interface vlan-id] [verbose]
interface vlan-id
    Displays the IP addresses leased by the specified VLAN.
Status: UP
Address Range: 10.0.0.1-10.0.0.253
Interface: default(1)
Status: UP
Address Range: 10.10.20.2-10.10.20.254
Hardware Address: 00:01:02:03:04:05
State: BOUND
Lease Allocation: 43200 seconds
Lease Remaining: 12345 seconds
IP Address: 10.10.20.2
Subnet Mask: 255.255.255.0
Default Router: 10.10.20.1
DNS Servers: 10.10.20.4 10.10.20.5
DNS Domain Name: mycorp.com
Table 15 and Table 16 describe the fields in these displays.
Table 15.
Table 16. Output for show dhcp-server verbose
Field  Description
Hardware Address
    MAC address of the DHCP client.
State
    State of the address lease:
    • SUSPEND—UNIVERGE WL Control System is checking for the presence of another DHCP server on the subnet. This is the initial state of the UNIVERGE WL Control System DHCP server. The UNIVERGE WL Control System DHCP server remains in this state if another DHCP server is detected.
Syntax: show interface [vlan-id]
vlan-id
    VLAN name or number.
Defaults: If you do not specify a VLAN ID, interfaces for all VLANs are displayed.
Access: All.
Usage: The IP interface table flags an address assigned by a DHCP server with an asterisk ( * ).
Examples: The following command displays all the IP interfaces configured on a UNIVERGE WL Controller:
PROMPT# show interface
VLAN Name          Address
---- ------------- -------------
1    default       10.10.10.10
2    mauve         10.10.20.
See Also
• clear interface on page 97
• set interface on page 111
• set interface status on page 115
show ip alias
Displays the IP aliases configured on the UNIVERGE WL Controller.
Syntax: show ip alias [name]
name
    Alias string.
Defaults: If you do not specify an alias name, all aliases are displayed.
Access: Enabled.
• set ip alias on page 115
show ip dns
Displays the DNS servers used by the UNIVERGE WL Controller.
Syntax: show ip dns
Defaults: None.
Access: All.
Examples: The following command displays the DNS information:
PROMPT# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address    Type
-----------------------------------
10.1.1.1      PRIMARY
10.1.1.2      SECONDARY
10.1.2.1      SECONDARY
Table 19 describes the fields in this display.
Table 19.
See Also
• clear ip dns domain on page 99
• clear ip dns server on page 99
• set ip dns on page 116
• set ip dns domain on page 117
• set ip dns server on page 118
show ip https
Displays information about the HTTPS management port.
Syntax: show ip https
Defaults: None.
Access: All.
Table 20. Output for show ip https
Field  Description
HTTPS is enabled/disabled
    State of the HTTPS server:
    • Enabled
    • Disabled
HTTPS is set to use port
    TCP port number on which the UNIVERGE WL Controller listens for HTTPS connections.
Last 10 connections
    List of the last 10 devices to establish connections to the UNIVERGE WL Controller HTTPS server.
IP Address
    IP address of the device that established the connection.
show ip route
Displays the IP route table on the UNIVERGE WL Controller.
Syntax: show ip route [destination]
destination
    Route destination IP address, in dotted decimal notation.
Defaults: None.
Access: All.
Usage: When you add an IP interface to an available VLAN, UNIVERGE WL Control System adds direct and local routes for the interface to the route table. If the VLAN is down, UNIVERGE WL Control System does not add the routes.
Table 21. Output for show ip route
Field  Description
Destination/Mask
    IP address and subnet mask of the route destination. The 244.0.0.0 route is automatically added by UNIVERGE WL Control System and supports the IGMP snooping feature.
Proto
    Protocol that added the route to the IP route table. The protocol can be one of the following:
    • IP—UNIVERGE WL Control System added the route.
    • Static—An administrator added the route.
Metric
    Cost for using the route.
Gateway
    Next-hop router for reaching the route destination. Note: This field applies only to static routes.
VLAN:Interface
    Destination VLAN, protocol type, and IP address of the route. Because direct routes are for local interfaces, a destination IP address is not listed. The destination for the IP multicast route is MULTICAST.
Examples: The following command shows the status and port number for the Telnet management interface to the UNIVERGE WL Controller:
PROMPT> show ip telnet
Server Status    Port
---------------------------------
Enabled          23
Table 22 describes the fields in this display.
Table 22. Output for show ip telnet
Field  Description
Server Status
    State of the HTTPS server:
    • Enabled
    • Disabled
Port
    TCP port number on which the UNIVERGE WL Controller listens for Telnet management traffic.
Examples: To display NTP information for a UNIVERGE WL Controller, type the following command:
PROMPT> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Fri Feb 06 2004, 12:02:46
NTP Server      Peer state      Local State
---------------------------------------------------
192.168.1.5     SYSPEER         SYNCED
Table 23 describes the fields in this display.
Table 23. Output for show ntp
Field  Description
Summertime
    Summertime period configured on the UNIVERGE WL Controller. UNIVERGE WL Control System offsets the system time +1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set. Note: This field is displayed only if you enable summertime.
Last NTP update
    Time when the UNIVERGE WL Controller received the most recent update from an NTP server.
• set summertime on page 151
• set timezone on page 155
• show timezone on page 177
show snmp community
Displays the configured SNMP community strings.
Syntax: show snmp community
Defaults: None.
Access: Enabled.
See Also
• clear snmp community on page 103
• set snmp community on page 130
show snmp counters
Displays SNMP statistics counters.
Syntax: show snmp counters
Defaults: None.
Access: Enabled.
show snmp notify profile
Displays SNMP notification profiles.
• clear snmp notify profile on page 103
• set snmp notify profile on page 132
show snmp notify target
Displays SNMP notification targets.
Syntax: show snmp notify target
Defaults: None.
Access: Enabled.
See Also
• clear snmp notify target on page 104
• set snmp notify target on page 137
show snmp status
Displays SNMP version and status information.
Syntax: show snmp status
Defaults: None.
Access: Enabled.
• show snmp community on page 173
• show snmp counters on page 173
• show snmp notify profile on page 173
• show snmp notify target on page 174
• show snmp usm on page 175
show snmp usm
Displays information about SNMPv3 users.
Defaults: None.
Access: Enabled.
See Also
• clear snmp usm on page 105
• show snmp usm on page 175
show summertime
Shows a UNIVERGE WL Controller offset time from its real-time clock time.
See Also
• clear summertime on page 105
• clear timezone on page 107
• set summertime on page 151
• set timedate on page 154
• set timezone on page 155
• show timedate on page 176
• show timezone on page 177
show timedate
Shows the date and time of day currently set on a UNIVERGE WL Controller real-time clock.
Syntax: show timedate
Defaults: None.
Access: All.
• show timezone on page 177
show timezone
Shows the time offset for the real-time clock from UTC on a UNIVERGE WL Controller.
Syntax: show timezone
Defaults: None.
Access: All.
hostname
    Hostname of the remote device.
port port-num
    TCP port number on which the TCP server on the remote device listens for Telnet connections.
Defaults: UNIVERGE WL Control System attempts to establish Telnet connections with TCP port 23 by default.
Access: Enabled.
Usage: To end a Telnet session from the remote device, press Ctrl+t or type exit in the management session on the remote device.
See Also
• clear sessions on page 531
• show sessions on page 534
traceroute
Traces the route from the UNIVERGE WL Controller to an IP host.
Syntax: traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]
host
    IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.
dnf
    Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented.
• ttl—30
• wait—5000
Access: All.
Usage: To stop a traceroute command that is in progress, press Ctrl+C.
Examples: The following example traces the route to host server1:
PROMPT# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.
Table 24. Error Messages for traceroute
Field  Description
!N     No route to host. The network is unreachable.
!H     No route to host. The host is unreachable.
!P     Connection refused. The protocol is unreachable.
!F     Fragmentation needed but Do Not Fragment (DNF) bit was set.
!S     Source route failed.
!A     Communication administratively prohibited.
?      Unknown error occurred.
9 AAA Commands
Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local UNIVERGE WL Controller database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see Chapter 14, “Security ACL Commands,” on page 453.)
This chapter presents AAA commands alphabetically.
    set usergroup on page 238
    clear usergroup on page 198
    set user group on page 237
    clear user group on page 197
    clear usergroup attr on page 199
Local Authorization for MAC Users
    set mac-user on page 221
    clear mac-user on page 191
    set mac-user attr on page 222
    clear mac-user attr on page 192
    set mac-usergroup attr on page 230
    clear mac-usergroup attr on page 194
    clear mac-user group on page 193
    clear mac-usergroup on page 193
Web authorization
    set web-portal on page 240
Accounting
    set accounting
clear accounting
Removes accounting services for specified wireless users with administrative access or network access.
Syntax: clear accounting {admin | dot1x | system} {user-glob}
admin
    Users with administrative access to the UNIVERGE WL Controller through a console connection or through a Telnet or WebView connection.
dot1x
    Users with network access through the UNIVERGE WL Controller. Users with network access are authorized to use the network through either an IEEE 802.
• show accounting statistics on page 243
clear authentication admin
Removes an authentication rule for administrative access through Telnet or Web View.
Syntax: clear authentication admin user-glob
user-glob
    A single user or set of users.
Defaults Access
• show aaa on page 240
clear authentication console
Removes an authentication rule for administrative access through the Console.
Syntax: clear authentication console user-glob
user-glob
    A single user or set of users.
Defaults Access
• show aaa on page 240
clear authentication dot1x
Removes an 802.1X authentication rule.
Syntax: clear authentication dot1x {ssid ssid-name} user-glob
ssid ssid-name
    SSID name to which this authentication rule applies.
user-glob
    User-glob associated with the rule you are removing.
Defaults: None.
Access: Enabled.
Examples: The following command removes 802.1X authentication for network users with usernames ending in @thiscorp.
clear authentication last-resort
Deprecated in WL1700-MS of UNIVERGE WL Control System V1. The last-resort user is not required or supported in WL1700-MS of UNIVERGE WL Control System V1. Instead, a user who accesses the network on an SSID by using the fallthru access type last-resort is automatically a last-resort user. The authorization attributes assigned to the user come from the default authorization attributes set on the SSID.
clear authentication web
Removes a Web Authentication rule.
Syntax: clear authentication web {ssid ssid-name} user-glob
ssid ssid-name
    SSID name to which this authentication rule applies.
user-glob
    User-glob associated with the rule you are removing.
Defaults: None.
Access: Enabled.
Examples: The following command removes Web Authentication for SSID research and userglob temp*@thiscorp.com:
PROMPT# clear authentication web ssid research temp*@thiscorp.
Defaults: None.
Access: Enabled.
Usage: To determine the index numbers of location policy rules, use the show location policy command. Removing all the ACEs from the location policy disables this function on the UNIVERGE WL Controller.
Examples: The following command removes location policy rule 4 from a UNIVERGE WL Controller’s location policy:
PROMPT# clear location policy 4
success: clause 4 is removed.
See Also
• set mac-usergroup attr on page 230
• set mac-user attr on page 222
• show aaa on page 240
clear mac-user attr
For a user authenticating with a MAC address, this command removes an authorization attribute from the user profile in the local database on the UNIVERGE WL Controller. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.
clear mac-user group
Removes a user profile from a MAC user group in the local database on the UNIVERGE WL Controller, for a user authenticating with a MAC address. (To remove a MAC user group profile in RADIUS, see the documentation for your RADIUS server.)
Syntax: clear mac-user mac-addr group
mac-addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Defaults: None.
Access: Enabled.
Syntax: clear mac-usergroup group-name
group-name
    Name of an existing MAC user group.
Defaults: None.
Access: Enabled.
Usage: To remove a user from a MAC user group, use the clear mac-user group command.
Examples: The following command deletes the MAC user group eastcoasters from the local database:
PROMPT# clear mac-usergroup eastcoasters
success: change accepted.
Defaults: None.
Access: Enabled.
Usage: To remove the group itself, use the clear mac-usergroup command.
Examples: The following command removes the members of the MAC user group eastcoasters from a VLAN assignment by deleting the VLAN-Name attribute from the group:
PROMPT# clear mac-usergroup eastcoasters attr vlan-name
success: change accepted.
clear user
Removes a user profile from the local database on the UNIVERGE WL Controller, for a user with a password. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax: clear user username
username
    Username of a user with a password.
Defaults: None.
Access: Enabled.
Usage: Deleting the user profile from the database deletes the assignment of any profile attributes to the user.
Syntax: clear user username attr attribute-name
username
    Username of a user with a password.
attribute-name
    Name of an attribute used to authorize the user for a particular service or session characteristic. (For a list of authorization attributes, see Table 25 on page 223.)
Defaults: None.
Access: Enabled.
Examples: The following command removes the Session-Timeout attribute from Hosni’s user profile:
PROMPT# clear user Hosni attr session-timeout
success: change accepted.
Usage: Removing the user from the group removes the group name from the user profile, but does not delete either the user or the user group from the local UNIVERGE WL Controller database. To remove the group, use clear usergroup.
Examples: The following command removes the user Nin from the user group Nin is in:
PROMPT# clear user Nin group
success: change accepted.
See Also
• clear usergroup attr on page 199
• set usergroup on page 238
• show aaa on page 240
clear usergroup attr
Removes an authorization attribute from a user group in the local database on the UNIVERGE WL Controller. (To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax: clear usergroup group-name attr attribute-name
group-name
    Name of an existing user group.
set accounting {admin | console}
Sets up accounting services for specified wireless users with administrative access, and defines the accounting records and where they are sent.
Syntax: set accounting {admin | console} {user-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]
admin
    Users with administrative access to the UNIVERGE WL Controller through Telnet or WebView.
At least one of up to four methods that UNIVERGE WL Control System uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, UNIVERGE WL Control System tries the second method, and so on. A method can be one of the following:
• local—Stores accounting records in the local database on the UNIVERGE WL Controller.
Syntax: set accounting {dot1x | mac | web | last-resort} {ssid ssid-name} {user-glob | mac-addr-glob} {start-stop | stop-only} method1 [method2] [method3] [method4]
dot1x
    Users with network access through the UNIVERGE WL Controller who are authenticated by 802.1X.
stop-only
    Sends accounting records only at the end of a network session.
method1 method2 method3 method4
    At least one of up to four methods that UNIVERGE WL Control System uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, UNIVERGE WL Control System tries the second method, and so on.
Syntax: set authentication admin user-glob method1 [method2] [method3] [method4]
user-glob
    Single user or set of users with administrative access over the network through Telnet or Web View. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.).
Defaults: By default, authentication is deactivated for all admin users. The default authentication method in an admin authentication rule is local. UNIVERGE WL Control System checks the local UNIVERGE WL Controller database for authentication.
Access: Enabled.
Note. The syntax descriptions for the set authentication commands are separated for clarity. However, the options and behavior for the set authentication admin command are the same as in previous releases.
See Also
• clear authentication admin on page 186
• set authentication console on page 206
• set authentication dot1x on page 209
• set authentication mac on page 213
• set authentication web on page 215
• show aaa on page 240
set authentication console
Configures authentication and defines where it is performed for specified users with administrative access through a console connection.
method1 method2 method3 method4
    At least one of up to four methods that UNIVERGE WL Control System uses to handle authentication. Specify one or more of the following methods in priority order. UNIVERGE WL Control System applies multiple methods in the order you enter them. A method can be one of the following:
    • local—Uses the local database of usernames and user groups on the UNIVERGE WL Controller for authentication.
Access: Enabled.
Note. The syntax descriptions for the set authentication commands are separated for clarity. However, the options and behavior for the set authentication console command are the same as in previous releases.
Usage: You can configure different authentication methods for different groups of users. (For details, see “User Globs, MAC Address Globs, and VLAN Globs” on page 9.
set authentication dot1x
Configures authentication and defines how it is performed for specified wireless authentication clients who use an IEEE 802.1X authentication protocol to access the network through the UNIVERGE WL Controller.
Syntax: set authentication dot1x {ssid ssid-name} user-glob [bonded] protocol method1 [method2] [method3] [method4]
ssid ssid-name
    SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
protocol
    Protocol used for authentication. Specify one of the following:
    • eap-tls—EAP with Transport Layer Security (TLS):
        • Provides mutual authentication, integrity-protected negotiation, and key exchange
        • Requires X.
Defaults: By default, authentication is unconfigured for all clients on the UNIVERGE WL Controller. Connection, authorization, and accounting are also disabled for these users. Bonded authentication is disabled by default.
Access: Enabled.
Usage: You can configure different authentication methods for different groups of users by “globbing.” (For details, see “User Globs” on page 9.) You can configure a rule for wireless access to an SSID.
If the username does not match an authentication rule for the SSID the user is attempting to access, UNIVERGE WL Control System uses the fallthru authentication type configured for the SSID, which can be last-resort, web-portal (for Web Authentication), or none.
Examples: The following command configures EAP-TLS authentication in the local UNIVERGE WL Controller database for SSID mycorp and 802.
set authentication mac
Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address.
Syntax: set authentication mac {ssid ssid-name} mac-addr-glob method1 [method2] [method3] [method4]
ssid ssid-name
    SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
mac-addr-glob
    A single user or set of users with access via a MAC address.
If you specify multiple authentication methods in the set authentication mac command, UNIVERGE WL Control System applies them in the order in which they appear in the command, with these results:
• If the first method responds with pass or fail, the evaluation is final.
• If the first method does not respond, UNIVERGE WL Control System tries the second method, and so on.
set authentication web
Configures an authentication rule that allows a user to log into the network using a web page served by the UNIVERGE WL Controller. The rule can be activated if the user is not otherwise granted or denied access by 802.1X, or granted access by MAC authentication.
Syntax: set authentication web {ssid ssid-name} user-glob method1 [method2] [method3] [method4]
user-glob
    A single user or a set of users.
You can configure a rule for wireless access to an SSID. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names.
If you specify multiple authentication methods in the set authentication web command, UNIVERGE WL Control System applies them in the order in which they appear in the command, with these results:
• If the first method responds with pass or fail, the evaluation is final.
set location policy
Creates and enables a location policy on a UNIVERGE WL Controller. A location policy enables you to locally set or change authorization attributes for a user after the user is authorized by AAA, without making changes to the AAA server.
Condition options—UNIVERGE WL Control System takes the action specified by the rule if all conditions in the rule are met. You can specify one or more of the following conditions:
ssid operator ssid-name
    SSID with which the user is associated. The operator must be eq, which applies the location policy rule to all users associated with the SSID. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
modify rule-number
    Replaces the rule in the location policy with the new rule. Specify the number of the existing location policy rule. (To determine the number, use the show location policy command.)
port port-list
    List of physical port(s) that determines if the location policy rule applies.
Examples: The following command denies network access to all users at *.theirfirm.com, causing them to fail authorization:
PROMPT# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at *.wodefirm.com:
PROMPT# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.
set mac-user
Configures a user profile in the local database on the UNIVERGE WL Controller for a user who can authenticate by a MAC address, and optionally adds the user to a MAC user group. (To configure a MAC user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax: set mac-user mac-addr [group group-name]
mac-addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
set mac-user attr
Assigns an authorization attribute in the local database on the UNIVERGE WL Controller to a user authenticating with a MAC address. (To assign authorization attributes through RADIUS, see the documentation for your RADIUS server.)
Syntax: set mac-user mac-addr attr attribute-name value
mac-addr
    MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros.
Table 25. Authentication Attributes for Local Users
Attribute  Description  Valid Value(s)
encryption-type
    Description: Type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
filter-id (network access mode only)
    Description: Security access control list (ACL), to permit or deny traffic received (input) or sent (output) by the UNIVERGE WL Controller. (For more information about security ACLs, see Chapter 14, “Security ACL Commands,” on page 453.
service-type
    Description: Type of access the user is requesting.
    Valid Value(s): One of the following numbers:
    • 2—Framed; for network user access
    • 6—Administrative; for administrative access to the UNIVERGE WL Controller, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
start-date
    Description: Date and time at which the user becomes eligible to access the network. UNIVERGE WL Control System does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
    Valid Value(s): Date and time, in the following format: YY/MM/DD-HH:MM You can use start-date alone or with end-date.
Attribute: time-of-day (network access mode only)
Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user’s session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.
Valid Value(s): One of the following:
• never—Access is always denied.
• any—Access is always allowed.
Attribute: time-of-day (network access mode only) (cont.)
Valid Value(s): To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify the following:

time-of-day wk0900-1700,sa2200-0200

(Also see the examples for set user attr on page 236.)
Note: You can use time-of-day in conjunction with start-date, end-date, or both.
Attribute: vlan-name (network access mode only)
Description: Virtual LAN (VLAN) assignment.
Note: VLAN-Name is a UNIVERGE WL Control System vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 1.
Valid Value(s): Name of a VLAN that you want the user to use. The VLAN must be configured on a UNIVERGE WL Controller within the Mobility Domain to which this UNIVERGE WL Controller belongs.
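The vendor ID and vendor type given for VLAN-Name are what a RADIUS server places inside a Vendor-Specific attribute (RFC 2865, type 26). The following Python sketch is an added example, not code from this guide or from the vendor; it builds and parses that attribute and assumes the VLAN name is carried as a plain ASCII string, which the table does not state.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for VSAs
WL_VENDOR_ID = 14525          # vendor ID from Table 25
WL_VLAN_NAME_TYPE = 1         # vendor type from Table 25


def encode_vlan_name(vlan):
    """Return the RADIUS attribute bytes carrying VLAN-Name=<vlan>."""
    value = vlan.encode("ascii")          # assumption: plain string value
    sub = struct.pack("!BB", WL_VLAN_NAME_TYPE, len(value) + 2) + value
    body = struct.pack("!I", WL_VENDOR_ID) + sub
    total = len(body) + 2
    if total > 255:
        raise ValueError("VLAN name too long for one RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, total) + body


def find_vlan_names(attrs):
    """Walk a RADIUS attribute list and return every VLAN-Name value found."""
    found = []
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        payload = attrs[i + 2:i + a_len]
        if a_type == RADIUS_VENDOR_SPECIFIC and len(payload) >= 4:
            vendor = struct.unpack("!I", payload[:4])[0]
            if vendor == WL_VENDOR_ID:
                j = 4
                # One VSA may carry several vendor sub-attributes.
                while j + 2 <= len(payload):
                    v_type, v_len = payload[j], payload[j + 1]
                    if v_len < 2 or j + v_len > len(payload):
                        raise ValueError("bad vendor sub-attribute length")
                    if v_type == WL_VLAN_NAME_TYPE:
                        found.append(payload[j + 2:j + v_len].decode("ascii"))
                    j += v_len
        i += a_len
    return found


# Constructed sample: a User-Name attribute (type 1) followed by the VSA.
SAMPLE_ATTRS = bytes([1, 5]) + b"nin" + encode_vlan_name("red")
```

Checking an Access-Accept capture with find_vlan_names confirms which VLAN the RADIUS server actually assigned, independent of what the server's configuration claims.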
The following command restricts a user at MAC address 06:05:04:03:02:01 to network access between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:

PROMPT# set mac-user 06:05:04:03:02:01 attr time-of-day mo1900-1159,tu0000-0700,we1900-1159,th0000-0700
success: change accepted.
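To review who can get on the network and when, it helps to evaluate a time-of-day value together with start-date and end-date against a given timestamp. The Python below is an added example, not part of this guide or the controller software. It assumes two-letter day codes (su, mo, tu, we, th, fr, sa), that wk means Monday through Friday, that a range whose end is earlier than its start runs past midnight into the next day (as in the sa2200-0200 example), and that the end of a range is exclusive.

```python
import re
from datetime import datetime

DAYS = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
_RANGE = re.compile(r"^([a-z]{2})(\d{2})(\d{2})-(\d{2})(\d{2})$")


def _minutes(hh, mm):
    h, m = int(hh), int(mm)
    if h > 23 or m > 59:
        raise ValueError("invalid time %s%s" % (hh, mm))
    return h * 60 + m


def parse_time_of_day(spec):
    """Return 'any', 'never', or a list of (weekday, start_min, end_min)."""
    spec = spec.strip().lower()
    if spec in ("any", "never"):
        return spec
    ranges = []
    for item in spec.split(","):
        m = _RANGE.match(item.strip())
        if not m:
            raise ValueError("unrecognized range: %r" % item)
        day = m.group(1)
        start = _minutes(m.group(2), m.group(3))
        end = _minutes(m.group(4), m.group(5))
        if day == "wk":                      # assumption: Monday to Friday
            days = range(0, 5)
        elif day in DAYS:
            days = [DAYS[day]]
        else:
            raise ValueError("unknown day code: %r" % day)
        ranges.extend((d, start, end) for d in days)
    return ranges


def in_time_of_day(spec, when):
    parsed = parse_time_of_day(spec)
    if parsed == "any":
        return True
    if parsed == "never":
        return False
    now = when.hour * 60 + when.minute
    today = when.weekday()
    yesterday = (today - 1) % 7
    for day, start, end in parsed:
        if start <= end:
            if day == today and start <= now < end:
                return True
        else:
            # Range wraps past midnight: late part today, early part tomorrow.
            if day == today and now >= start:
                return True
            if day == yesterday and now < end:
                return True
    return False


def parse_date(text):
    """Parse the YY/MM/DD-HH:MM format used by start-date and end-date."""
    return datetime.strptime(text, "%y/%m/%d-%H:%M")


def access_allowed(when, time_of_day="any", start_date=None, end_date=None):
    # start-date is inclusive and end-date exclusive, per Table 25.
    if start_date and when < parse_date(start_date):
        return False
    if end_date and when >= parse_date(end_date):
        return False
    return in_time_of_day(time_of_day, when)


# Value taken from the Table 25 example; the timestamps in the test are constructed.
OFFICE_HOURS = "wk0900-1700,sa2200-0200"
```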
You can assign attributes to individual MAC users and to MAC user groups. If attributes are configured for a MAC user and also for the group of the MAC user, the attributes assigned to the individual MAC user take precedence for that user. For example, if the start-date attribute configured for a MAC user is earlier than the start-date configured for the MAC user group, the MAC user's network access can begin as soon as the user start-date.
all  Allows any user to whom this profile is assigned to access all UNIVERGE WL Access Points on the UNIVERGE WL Controller.

ap-num  List of UNIVERGE WL Access Points connections through which any user assigned this profile is allowed access. The same UNIVERGE WL Access Points can be used in multiple Mobility Profile port lists.

Defaults No default Mobility Profile exists on the UNIVERGE WL Controller.
Examples The following commands create the Mobility Profile magnolia, which restricts user access to ap 2; enable the Mobility Profile feature on the UNIVERGE WL Controller; and assign the magnolia Mobility Profile to user Jose.

PROMPT# set mobility-profile name magnolia ap 2
success: change accepted.
PROMPT# set mobility-profile mode enable
success: change accepted.
PROMPT# set user Jose attr mobility-profile magnolia
success: change accepted.
set mobility-profile mode

Enables or disables the Mobility Profile feature on the UNIVERGE WL Controller.

Caution! When the Mobility Profile feature is enabled, a user who is assigned a Mobility-Profile attribute in the local UNIVERGE WL Controller database or on a RADIUS server is denied access if no Mobility Profile of that name exists on the UNIVERGE WL Controller.
set user

Configures a user profile in the local database on the UNIVERGE WL Controller for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.)

Syntax set user username password [encrypted] string

username  Username of a user with a password.

encrypted  Indicates that the password string you entered is already in its encrypted form.
Examples The following command creates a user profile for user Nin in the local database, and assigns the password goody:

PROMPT# set user Nin password goody
success: User Nin created

The following command assigns the password chey3nne to the admin user:

PROMPT# set user admin password chey3nne
success: User admin created

The following command changes the password for Nin from goody to 29Jan04:

PROMPT# set user Nin password 29Jan04

See Also
• clear user on page 196
• show aaa
Usage To change the value of an attribute, enter set user attr with the new value. To delete an attribute, use clear user attr. You can assign attributes to individual users and to user groups. If attributes are configured for a user and also for the group to which the user belongs, the attributes assigned to the individual user take precedence for that user.
Syntax set user username group group-name

username  Username of a user with a password.

group-name  Name of an existing user group for password users.

Defaults None.

Access Enabled.

Usage UNIVERGE WL Control System does not require users to belong to user groups. To create a user group, use the command set usergroup.

Examples The following command adds user Hosni to the cardiology user group:

PROMPT# set user Hosni group cardiology
success: change accepted.
Syntax set usergroup group-name attr attribute-name value

group-name  Name of a group for password users. Specify a name of up to 32 alphanumeric characters, with no spaces. The name must begin with an alphabetic character.

attribute-name value  Name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to users, see Table 25 on page 223.
set web-portal

Globally enables or disables Web Authentication on a UNIVERGE WL Controller.

Syntax set web-portal {enable | disable}

enable  Enables Web Authentication on the UNIVERGE WL Controller.

disable  Disables Web Authentication on the UNIVERGE WL Controller.

Defaults Enabled.

Access Enabled.

Usage This command disables or reenables support for Web Authentication. However, Web Authentication has additional configuration requirements.
Access Enabled.

Examples To display all current AAA settings, type the following command:

PROMPT# show aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr         Ports      T/o  Tries  Dead  State
-------------------------------------------------------------
rs-3    198.162.1.1  1821 1813  5    3      0     UP
rs-4    198.168.1.2  1821 1813  77   11     2     UP
rs-5    198.162.1.
Table 26. show aaa Output

Field: Default Values
Description: RADIUS default values for all parameters.

Field: authport
Description: UDP port on the UNIVERGE WL Controller for transmission of RADIUS authorization and authentication messages. The default port is 1812.

Field: acctport
Description: UDP port on the UNIVERGE WL Controller for transmission of RADIUS accounting records. The default is port 1813.

Field: timeout
Description: Number of seconds the UNIVERGE WL Controller waits for a RADIUS server to respond before retransmitting.
Field: Tries
Description: Number of retransmissions configured for each RADIUS server currently active. The default is 3 times.

Field: Dead
Description: Length of time until the server is considered responsive again.

Field: State
Description: Current state of each RADIUS server currently active:
• UP (operating)
• DOWN (unavailable)

Field: Server groups
Description: Names of RADIUS server groups and member servers configured on the UNIVERGE WL Controller.
(To display RADIUS accounting records, see the documentation for your RADIUS server.)

Syntax show accounting statistics

Defaults None.

Access Enabled.
Table 27. show accounting statistics Output

Field: Date and time
Description: Date and time of the accounting record.

Field: Acct-Status-Type
Description: Type of accounting record:
• START
• STOP
• UPDATE

Field: Acct-Authentic
Description: Location where the user was authenticated (if authentication took place) for the session:
• 1—RADIUS server
• 2—Local UNIVERGE WL Controller database

Field: User-Name
Description: Username of a user with a password.
Field: Nas-Port-Id
Description: Number of the port and radio on the UNIVERGE WL Access Points through which the session was conducted.

Field: Called-Station-Id
Description: MAC address of the UNIVERGE WL Access Points through which the client reached the network.
show mobility-profile

Displays the named Mobility Profile. If you do not specify a Mobility Profile name, this command shows all Mobility Profile names and port lists on the UNIVERGE WL Controller.

Syntax show mobility-profile [name]

name  Name of an existing Mobility Profile.

Defaults None.

Access Enabled.
10 Mobility Domain Commands

Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of UNIVERGE WL Controllers and UNIVERGE WL Access Points working together to support a roaming user (client). One UNIVERGE WL Controller acts as a seed UNIVERGE WL Controller, which maintains and distributes a list of IP addresses of the domain members. Note.
clear mobility-domain

Clears all Mobility Domain configuration and information from a UNIVERGE WL Controller, regardless of whether the UNIVERGE WL Controller is a seed or a member of a Mobility Domain.

Syntax clear mobility-domain

Defaults None.

Access Enabled.

Usage This command has no effect if the UNIVERGE WL Controller is not configured as part of a Mobility Domain.
Access Enabled.

Usage This command has no effect if the UNIVERGE WL Controller member is not configured as part of a Mobility Domain or the current UNIVERGE WL Controller is not the seed.

Examples The following command clears a Mobility Domain member with the IP address 192.168.0.1:

Controller# clear mobility-domain member 192.168.0.
success: change accepted.
PROMPT# set mobility-domain member 192.168.1.9
success: change accepted.
PROMPT# set mobility-domain member 192.168.1.10
success: change accepted.
mode is: member
seed IP is: 192.168.1.8

See Also
• clear mobility-domain on page 250
• show mobility-domain config on page 254

set mobility-domain mode seed domain-name

Creates a Mobility Domain by setting the current UNIVERGE WL Controller as the seed device and naming the Mobility Domain.

Syntax set mobility-domain mode seed domain-name mob-domain-name

mob-domain-name  Name of the Mobility Domain.
• show mobility-domain on page 254

show mobility-domain config

Displays the configuration of the Mobility Domain.

Syntax show mobility-domain config

Defaults None.

Access Enabled.

Examples The following command displays the Mobility Domain configuration:

PROMPT# show mobility-domain config
This switch is the seed for domain dang-modo.
10.8.107.1 is a member
10.10.10.
Examples To display Mobility Domain status, type the following command:

PROMPT# show mobility-domain
Mobility Domain name: Tokyo (security required)
Member        State        Type (*:active)  Model   Version
------------  -----------  ---------------  ------  -------
10.8.107.1    STATE_UP     SEED*            WL5100  6.0.1.0
10.10.10.66   STATE_DOWN   MEMBER           WL5100  6.0.1.0

Table 28 describes the fields in the display.

Table 28.
11 Network Domain Commands

Use Network Domain commands to configure and manage Network Domain groups. A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured on a UNIVERGE WL Controller in one Mobility Domain to establish connectivity with a UNIVERGE WL Controller in another Mobility Domain in the same Network Domain.
clear network-domain

Clears all Network Domain configuration and information from a UNIVERGE WL Controller, regardless of whether the UNIVERGE WL Controller is a seed or a member of a Network Domain.

Syntax clear network-domain

Defaults None.

Access Enabled.

Usage This command has no effect if the UNIVERGE WL Controller is not configured as part of a Network Domain.
Defaults None.

Access Enabled.

Usage This command has no effect if the UNIVERGE WL Controller is not configured as part of a Network Domain.

Examples The following command clears the Network Domain member configuration from the UNIVERGE WL Controller:

Controller# clear network-domain mode member
success: change accepted.
Examples The following command clears the Network Domain peer configuration for peer 192.168.9.254 from the UNIVERGE WL Controller:

Controller# clear network-domain peer 192.168.9.254
success: change accepted.

The following command clears the Network Domain peer configuration for all peers from the UNIVERGE WL Controller:

Controller# clear network-domain peer all
success: change accepted.
set network-domain mode member seed-ip

Sets the IP address of a Network Domain seed. This command is used for configuring a UNIVERGE WL Controller as a member of a Network Domain. You can specify multiple Network Domain seeds and configure one as the primary seed.

Syntax set network-domain mode member seed-ip ip-addr [affinity num]

ip-addr  IP address of the Network Domain seed, in dotted decimal notation.
success: change accepted.

See Also
• clear network-domain on page 258
• show network-domain on page 263

set network-domain peer

On a Network Domain seed, configures one or more UNIVERGE WL Controllers as redundant Network Domain seeds. The seeds in a Network Domain share information about the VLANs configured on the member devices, so that all the Network Domain seeds have the same database of VLAN information.
set network-domain mode seed domain-name

Creates a Network Domain by setting the current UNIVERGE WL Controller as a seed device and naming the Network Domain.

Syntax set network-domain mode seed domain-name net-domain-name

net-domain-name  Name of the Network Domain. Specify between 1 and 16 characters with no spaces.

Defaults None.

Access Enabled.
Syntax show network-domain

Defaults None.

Access Enabled.

Examples The output of the command differs based on whether the UNIVERGE WL Controller is a member of a Network Domain or a Network Domain seed.
Table 29. show network-domain Output

Output if UNIVERGE WL Controller is the Network Domain seed:

Field: Network Domain name
Description: Name of the Network Domain for which the UNIVERGE WL Controller is a seed.

Field: Peer
Description: IP addresses of the other seeds in the Network Domain.
Field: Mode
Description: Role of the UNIVERGE WL Controller in the Network Domain:
• MEMBER
• SEED

Field: Mobility-Domain
Description: Name of the Mobility Domain of which the UNIVERGE WL Controller is a member.
12 AP Commands

Use AP commands to configure and manage AP. Be sure to do the following before using the commands:
• Define the country-specific IEEE 802.11 regulations on the UNIVERGE WL Controller. (See set system countrycode on page 33.)
• Install the AP and connect it to a port on the UNIVERGE WL Controller.
• Configure an AP. (See set ap on page 54.)

Caution! Changing the system country code after AP configuration disables AP and deletes their configuration.
set ap radio radio-profile on page 296
set ap auto radiotype on page 281
set ap upgrade-firmware on page 300

External Antenna
  set ap radio antennatype on page 291

UNIVERGE WL Access Points-UNIVERGE WL Controller security
  set ap fingerprint on page 288
  set ap security on page 298

Static IP Address Assignment for UNIVERGE WL Access Points
  set ap boot-configuration ip on page 284
  set ap boot-configuration switch on page 285
  set ap boot-configuration vlan on page 287
  clear ap boot-configuration on
set radio-profile rts-threshold on page 323

Authentication and Encryption
  set service-profile attr on page 334
  set service-profile auth-dot1x on page 336
  set service-profile auth-fallthru on page 337
  set service-profile web-portal-form on page 366
  set service-profile auth-psk on page 339
  set service-profile wpa-ie on page 372
  set service-profile rsn-ie on page 356
  set service-profile cipher-ccmp on page 343
  set service-profile cipher-tkip on page 343
  set service-profile cipher-wep104 on page 34
set service-profile cac-mode on page 341
set service-profile cac-session on page 342
set service-profile static-cos on page 360
set service-profile cos on page 347
show voip summary on page 424
show voip max-sessions on page 423

DHCP Restrict
  set service-profile dhcp-restrict on page 348

Broadcast control
  set service-profile no-broadcast on page 351

Proxy ARP
  set service-profile proxy-arp on page 353

Keepalives and session timers
  set service-profile active-call-idle-timeout on page 333
  se
show auto-tune neighbors on page 399
show auto-tune attributes on page 397

Radio State
  set ap radio mode on page 295

Dual Homing
  set ap bias on page 282

AP Administration and Maintenance
  set ap name on page 290
  set ap blink on page 283
  set ap upgrade-firmware on page 300
  set ap force-image-download on page 289
  reset ap on page 277
  set ap radio channel on page 293
  set ap radio tx-power on page 297
  clear ap radio on page 271
  show ap config on page 374
  show ap group on page 389
  s
Syntax clear ap ap-number radio {1 | 2 | all}

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.

radio 1  Radio 1 of the UNIVERGE WL Access Points.

radio 2  Radio 2 of the UNIVERGE WL Access Points. (This option does not apply to single-radio models.)

radio all  All radios on the AP.

Defaults The clear ap radio command resets the radio to the default settings listed in Table 30 and in Table 33 on page 317.

Table 30.
Table 30. Radio-Specific Parameters

Parameter: mode
Default Value: disable
Description: Operational state of the radio.

Parameter: radio-profile
Default Value: None. You must add the radios to a radio profile.
Description: 802.11 settings

Parameter: tx-power
Default Value: Highest setting allowed for the country of operation or highest setting supported on the hardware, whichever is lower.
Description: Transmit power of a radio, in decibels referred to 1 milliwatt (dBm)
Defaults None.

Access Enabled.

Usage When the static IP configuration is cleared for a UNIVERGE WL Access Points and the UNIVERGE WL Access Points is rebooted, it uses the standard boot process.

Examples The following command clears the static IP address configuration for UNIVERGE WL Access Points 1.

PROMPT# clear ap 1 boot-configuration
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
success: change accepted.
clear radio-profile

Removes a radio profile or resets one of the profile’s parameters to its default value.

Syntax clear radio-profile name [parameter]

name  Radio profile name.

parameter  Radio profile parameter:
• beacon-interval
• countermeasures
• dtim-interval
• frag-threshold
• max-rx-lifetime
• max-tx-lifetime
• preamble-length
• rts-threshold
• service-profile
(For information about these parameters, see the set radio-profile commands that use them.
The following commands disable the radios using radio profile rptest and remove the profile:

PROMPT# set radio-profile rptest mode disable
PROMPT# clear radio-profile rptest
success: change accepted.

See Also
• set ap radio radio-profile on page 296
• set radio-profile mode on page 316
• show ap config on page 374
• show radio-profile on page 408

clear service-profile

Removes a service profile or resets one of the profile’s parameters to its default value.
• clear radio-profile on page 275
• set radio-profile mode on page 316
• show service-profile on page 413

reset ap

Restarts an AP.

Syntax reset ap ap-number

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.

Defaults None.

Access Enabled.

Usage When you enter this command, the AP drops all sessions and reboots.

Caution! Restarting an AP can cause data loss for users who are currently associated with the AP.
Usage Table 31 lists the configurable profile parameters and their defaults. The only parameter that requires configuration is the profile mode. The profile is disabled by default. To use the profile to configure UNIVERGE WL Access Points, you must enable the profile using the set ap auto mode enable command. The profile uses the default radio profile by default. You can change the profile using the set ap auto radio radio-profile command.
Examples The following command creates a profile for automatic UNIVERGE WL Access Points configuration:

PROMPT# set ap auto
success: change accepted.
Usage You must use the set ap auto command to create the profile before you can enable it.

Examples The following command enables the profile for automatic UNIVERGE WL Access Points configuration:

PROMPT# set ap auto mode enable
success: change accepted.
Defaults None.

Access Enabled.

Usage To display the UNIVERGE WL Access Points numbers assigned to Auto-APs, use the show ap status all command.

Examples The following command converts the configuration of Auto-AP 5 into a permanent configuration:

PROMPT# set ap auto persistent 5
success: change accepted.
• set ap auto on page 277
• set ap auto mode on page 279
• set ap auto persistent on page 280

set ap bias

Changes the bias for a UNIVERGE WL Access Point. Bias is the priority of one UNIVERGE WL Controller over other UNIVERGE WL Controllers for booting and configuring the UNIVERGE WL Access Points.

Syntax set ap {ap-number | auto} bias {high | low}

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
and one of the UNIVERGE WL Controllers has 3 active UNIVERGE WL Access Points while the other UNIVERGE WL Controller has 2 active UNIVERGE WL Access Points, the new UNIVERGE WL Access Points selects the UNIVERGE WL Controller that has only 2 active UNIVERGE WL Access Points. If the boot request on UNIVERGE WL Access Points port 1 fails, the UNIVERGE WL Access Points attempts to boot over its port 2, using the same process described above.
Defaults LED blink mode is disabled by default.

Access Enabled.

Usage Changing the LED blink mode does not alter operation of the AP. Only the behavior of the LEDs is affected.

Examples The following command enables LED blink mode on AP 3 and 4:

PROMPT# set ap 3-4 blink enable
success: change accepted.

set ap boot-configuration ip

Specifies static IP address information for a UNIVERGE WL Access Points.
If the manually assigned IP information is incorrect, the UNIVERGE WL Access Points uses DHCP to obtain its IP address.

Examples The following command configures UNIVERGE WL Access Points 1 to use IP address 172.16.0.42 with a 24-bit netmask, and use 172.16.0.20 as its default gateway:

PROMPT# set ap 1 boot-configuration ip 172.16.0.42 netmask 255.255.255.0 gateway 172.16.0.20
success: change accepted.
dns ip-addr  The IP address of the DNS server used to resolve the specified name of the UNIVERGE WL Controller.

mode {enable | disable}  Enables or disables the UNIVERGE WL Access Points using the specified boot device.
See Also
• clear ap boot-configuration on page 273
• set ap boot-configuration ip on page 284
• set ap boot-configuration vlan on page 287
• show ap boot-configuration on page 401

set ap boot-configuration vlan

Specifies 802.1Q VLAN tagging information for a UNIVERGE WL Access Points.
See Also
• clear ap boot-configuration on page 273
• set ap boot-configuration ip on page 284
• set ap boot-configuration switch on page 285
• show ap boot-configuration on page 401

set ap fingerprint

Verifies a UNIVERGE WL Access Point fingerprint on a UNIVERGE WL Controller.
If a UNIVERGE WL Access Point is already installed and operating, you can use the show ap status command to display the fingerprint. The show ap config command lists the UNIVERGE WL Access Point fingerprint only if the fingerprint has been verified in UNIVERGE WL Control System. If the fingerprint has not been verified, the fingerprint information in the command output is blank.
Usage A change to the forced image download option takes place the next time the UNIVERGE WL Access Point is restarted. Even when forced image download is disabled (the default), the UNIVERGE WL Access Point still checks with the UNIVERGE WL Controller to verify that the UNIVERGE WL Access Point has the latest image.
Examples The following command changes the name of AP 1 to techpubs:

PROMPT# set ap 1 name techpubs
success: change accepted.

See Also show ap config on page 374

set ap radio antennatype

Sets the model number for an external antenna.
antennatype {ANT5060 | ANT5120 | ANT5180 | WL-ANT5060 | WL-ANT5120 | WL-ANT5180 | internal}

802.11a external antenna models:
• ANT5060—60° 802.11a antenna
• ANT5120—120° 802.11a antenna
• ANT5180—180° 802.11a antenna
• WL-ANT5060—60° 802.11a antenna
• WL-ANT5120—120° 802.11a antenna
• WL-ANT5180—180° 802.
radio 2  Radio 2 of the UNIVERGE WL Access Points. (This option does not apply to single-radio models.)

power-level  Maximum power setting RF Auto-Tuning can assign to the radio, expressed as the number of decibels in relation to 1 milliwatt (dBm). You can specify a value from 1 up to the maximum value allowed for the country of operation. The power-level can be a value from 1 to 20.
radio 2  Radio 2 of the UNIVERGE WL Access Points. (This option does not apply to single-radio models.)

channel channel-number  Channel number. The valid channel numbers depend on the country of operation.

Defaults The default channel depends on the radio type:
• The default channel number for 802.11b/g is 6.
• The default channel number for 802.11a is the lowest valid channel number for the country of operation.

Access Enabled.
set ap radio mode

Enables or disables a radio on an AP.

Syntax set ap {ap-number | auto} radio {1 | 2} mode {enable | disable}

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.

ap auto  Sets the radio mode for UNIVERGE WL Access Points managed by the UNIVERGE WL Access Points configuration profile. (See set ap auto on page 277.)

radio 1  Radio 1 of the UNIVERGE WL Access Points.
set ap radio radio-profile

Assigns a radio profile to an AP radio and enables or disables the radio.

Syntax set ap {ap-number | auto} radio {1 | 2} radio-profile name mode {enable | disable}

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.

ap auto  Sets the radio profile for the UNIVERGE WL Access Points configuration profile. (See set ap auto on page 277.)

radio 1  Radio 1 of the UNIVERGE WL Access Points.
• set radio-profile mode on page 316
• show radio-profile on page 408

set ap radio tx-power

Sets the transmit power of an AP radio.

Syntax set ap ap-number radio {1 | 2} tx-power power-level

ap ap-number  Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.

radio 1  Radio 1 of the UNIVERGE WL Access Points.

radio 2  Radio 2 of the UNIVERGE WL Access Points. (This option does not apply to single-radio models.
Examples The following command configures the transmit power on the 802.11a radio on AP 3:

PROMPT# set ap 3 radio 1 tx-power 10
success: change accepted.

The following command configures the channel and transmit power on the 802.11b/g radio on AP 1:

PROMPT# set ap 1 radio 1 channel 1 tx-power 10
success: change accepted.
optional  Allows UNIVERGE WL Access Points to be managed by the UNIVERGE WL Controller even if they do not have encryption keys or their keys have not been verified by an administrator. Encryption is used for UNIVERGE WL Access Points that support it.

none  Encryption is not used, even for UNIVERGE WL Access Points that support it.

Defaults The default setting is optional.

Access Enabled.
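Because the default is optional, a controller that never received a set ap security command still manages access points whose keys were never verified. The Python below is an added example, not part of this guide or the controller software. It audits a saved list of CLI commands for that setting and for set user passwords entered without the encrypted keyword described under set user, and it assumes the one-line form set ap security followed by a single value.

```python
def audit_commands(text):
    """Return (line number, finding, detail) tuples for a saved command list."""
    findings = []
    ap_security = None          # (line number, value) of the last occurrence
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if tokens and tokens[0].endswith("#"):      # drop a pasted CLI prompt
            tokens = tokens[1:]
        # Assumed form: set ap security <value>
        if len(tokens) == 4 and tokens[:3] == ["set", "ap", "security"]:
            ap_security = (lineno, tokens[3])
        # Documented form: set user username password [encrypted] string
        elif (len(tokens) >= 5 and tokens[0] == "set" and tokens[1] == "user"
              and tokens[3] == "password" and tokens[4] != "encrypted"):
            # Report the user name only; never echo the password itself.
            findings.append((lineno, "cleartext-password", tokens[2]))
    if ap_security is None:
        # No explicit setting: the documented default (optional) applies.
        findings.append((0, "ap-security-default-optional", ""))
    elif ap_security[1] == "none":
        findings.append((ap_security[0], "ap-security-none", "none"))
    elif ap_security[1] == "optional":
        findings.append((ap_security[0], "ap-security-optional", "optional"))
    return findings


# Constructed sample input; the encrypted string is a placeholder value.
SAMPLE_COMMANDS = """\
set user Nin password goody
set user admin password encrypted 0a1b2c3d
set user Hosni group cardiology
set ap security none
PROMPT# set ap security optional
"""
```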
set ap upgrade-firmware

Disables or reenables automatic upgrade of an AP boot firmware.

Syntax set ap auto upgrade-firmware {enable | disable}

ap auto  Configures firmware upgrades for the UNIVERGE WL Access Points configuration profile. (See set ap auto on page 277.)

enable  Enables automatic firmware upgrades.

disable  Disables automatic firmware upgrades.

Defaults Automatic firmware upgrades of AP are enabled by default.

Access Enabled.
Syntax set radio-profile name active-scan {enable | disable}

name  Radio profile name.

enable  Configures radios to actively scan for rogues.

disable  Configures radios to scan only passively for rogues by listening for beacons and probe responses.

Defaults Active scanning is enabled by default.

Access Enabled.

Usage You can enter this command on any UNIVERGE WL Controller in the Mobility Domain.
Defaults Dynamic channel assignment is enabled by default.

Access Enabled.

Usage If you disable RF Auto-Tuning for channels, UNIVERGE WL Control System does not dynamically set the channels when radios are first enabled and also does not tune the channels during operation. If RF Auto-Tuning for channels is enabled, UNIVERGE WL Control System does not allow you to manually change channels.
set radio-profile auto-tune channel-holddown

Sets the minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto-Tuning can change the channel. The channel holddown provides additional stability to the network by preventing the radio from changing channels too rapidly in response to spurious RF anomalies such as short-duration channel interference.
set radio-profile auto-tune channel-interval

Sets the interval at which RF Auto-Tuning decides whether to change the channels on radios in a radio profile. At the end of each interval, UNIVERGE WL Control System processes the results of the RF scans performed during the previous interval, and changes radio channels if needed.

Syntax set radio-profile name auto-tune channel-interval seconds

name  Radio profile name.
set radio-profile auto-tune power-config

Enables or disables dynamic power tuning (RF Auto-Tuning) for the UNIVERGE WL Access Points radios in a radio profile.

Syntax set radio-profile name auto-tune power-config {enable | disable}

name  Radio profile name.

enable  Configures radios to dynamically set their power levels when the UNIVERGE WL Access Points are started.

set radio-profile auto-tune power-interval
Sets the interval at which RF Auto-Tuning decides whether to change the power level on radios in a radio profile. At the end of each interval, UNIVERGE WL Control System processes the results of the RF scans performed during the previous interval, and changes radio power levels if needed.
Syntax
set radio-profile name auto-tune power-interval seconds
name: Radio profile name.

set radio-profile beacon-interval
Changes the rate at which each AP radio in a radio profile advertises its service set identifier (SSID).
Syntax
set radio-profile name beacon-interval interval
name: Radio profile name.
interval: Number of milliseconds (ms) between beacons. You can specify from 25 ms to 8191 ms.
Defaults
The beacon interval for AP radios is 100 ms by default.
Access
Enabled.

set radio-profile countermeasures
UNIVERGE WL Access Points radios can also issue countermeasures against interfering devices. An interfering device is not part of the UNIVERGE WL Control System but also is not a rogue. No client connected to the device has been detected communicating with any network entity listed in the forwarding database (FDB) of any UNIVERGE WL Controller in the Mobility Domain.
success: change accepted.
Note that when you issue this command, countermeasures are then issued only against devices in the UNIVERGE WL Controller attack list, not against other devices that were classified as rogues by other means.
See Also
• show radio-profile on page 408

set radio-profile dtim-interval
Changes the number of times after every beacon that each AP radio in a radio profile sends a delivery traffic indication map (DTIM).
See Also
• set radio-profile mode on page 316
• show radio-profile on page 408

set radio-profile frag-threshold
Changes the fragmentation threshold for the AP radios in a radio profile. The fragmentation threshold is the threshold at which the long-retry-count is applicable instead of the short-retry-count.
The frag-threshold does not change the RTS threshold, which specifies the maximum length of a frame before the radio uses the RTS/CTS method to send the frame. To change the RTS threshold, use the set radio-profile rts-threshold command instead.
Examples
The following command changes the fragmentation threshold for radio profile rp1 to 1500 bytes:
PROPMT# set radio-profile rp1 frag-threshold 1500
success: change accepted.
See Also
• set radio-profile mode on page 316
• set radio-profile max-tx-lifetime on page 312
• show radio-profile on page 408

set radio-profile max-tx-lifetime
Changes the maximum transmit threshold for the AP radios in a radio profile. The maximum transmit threshold specifies the number of milliseconds that a frame scheduled to be transmitted by a radio can remain in buffer memory.

set radio-profile max-voip-bw
Specifies the amount of bandwidth to reserve for active NEC handset calls on a radio.
Note. This command is equivalent to the set radio-profile max-voip-sessions command. (See “Usage”.)
Syntax
set radio-profile name max-voip-bw Kbps
name: Radio profile name.
Kbps: Aggregate amount of bandwidth, in Kbps, to reserve for all voice sessions on individual radios. You can specify from 0 to 6000.
Defaults
The default is 3000 Kbps.
Access
Table 32. Output for set radio-profile max-voip-bw
Field | Description
max-voip-bw | Amount of aggregate bandwidth to reserve on each radio.
min-client-rate | Lowest mandatory 802.11g transmit rate configured on service profiles mapped to this radio profile. (Another term for this parameter is the nominal rate.

set radio-profile max-voip-sessions
Specifies the amount of bandwidth to reserve for active NEC handset calls on a radio.
Note. This command is equivalent to the set radio-profile max-voip-bw command. (See “Usage”.)
Syntax
set radio-profile name max-voip-sessions max-sessions codec {g.711 | g.729} sample-period {10 | 20 | 30 | 40}
name: Radio profile name.
max-sessions: Maximum number of active sessions to allow on a radio. You can specify from 1 to 30.
min-client-rate: 11.0 Mb/s
effective bandwidth: 6000 Kb/s
Note. For information about the output, see Table 32 on page 314. The output fields are the same as those for the set radio-profile max-voip-bw command.
See Also
• set radio-profile max-voip-bw on page 313
• set service-profile cac-mode on page 341
• show radio-profile on page 408

set radio-profile mode
Creates a new radio profile, and disables or reenables all AP radios that are using a specific profile.
Table 33. Defaults for Radio Profile Parameters
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
active-scan | enable | Sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
auto-tune | enable | Allows dynamic configuration of channel and power settings by UNIVERGE WL Control System.
beacon-interval | 100 | Waits 100 ms between beacons.
max-voip-bw | 3000 | Reserves an aggregate of 3000 Kbps on each radio for NEC VoIP sessions. Note: This parameter applies only when the QoS mode is voice-extension.
max-voip-sessions | Not configured | This parameter is equivalent to max-voip-bw and is never saved in the configuration.
rts-threshold | 2346 | Transmits frames longer than 2346 bytes by means of the Request-to-Send/Clear-to-Send (RTS/CTS) method.
service-profile | No service profiles defined | You must configure a service profile. The service profile sets the SSID name and other parameters.
The following commands disable the radios that use radio profile rp1, change the beacon interval, then reenable the radios:
PROPMT# set radio-profile rp1 mode disable
PROPMT# set radio-profile rp1 beacon-interval 200
PROPMT# set radio-profile rp1 mode enable
The following command enables the WPA IE on AP radios in radio profile rp2:
PROPMT# set radio-profile rp2 wpa-ie enable
success: change accepted.
If a client associated with an 802.11b/g radio uses long preambles for unicast traffic, the UNIVERGE WL Access Point still accepts frames with short preambles but does not transmit frames with short preambles. This change also occurs if the access point overhears a beacon from an 802.11b/g radio on another access point that indicates the radio has clients that require long preambles.
Access
Enabled.
Usage
If you plan to use SVP, you also must configure an ACL to mark CoS in SVP traffic. (See the “Enabling Prioritization for Legacy Voice over IP” section in the “Configuring and Managing Security ACLs” chapter of the Configuration Guide.)
Examples
The following command changes the QoS mode for radio profile rp1 to SVP:
PROPMT# set radio-profile rp1 qos-mode svp
success: change accepted.
• Mandatory: Valid 802.11 transmit rates that clients must support in order to associate with the UNIVERGE WL Access Point
• Disabled: Valid 802.11 transmit rates are disabled. UNIVERGE WL Access Points do not transmit at the disabled rates
• Standard: Valid 802.
Syntax
set radio-profile name rts-threshold threshold
name: Radio profile name.
threshold: Maximum frame length, in bytes. You can enter a value from 256 through 3000.
Defaults
The default RTS threshold for an AP radio is 2346 bytes.
Access
Enabled.
Usage
You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command.

set radio-profile service-profile
Defaults
A radio profile does not have a service profile associated with it by default. In this case, the radios in the radio profile use the default settings for parameters controlled by the service profile. Table 34 lists the parameters controlled by a service profile and their default values.
Table 34.
Table 34. Defaults for Service Profile Parameters
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
cac-mode | none | Does not limit the number of active user sessions based on Call Admission Control (CAC).
cac-session | 12 | If session-based CAC is enabled (cac-mode is set to session), limits the number of active user sessions on a radio to 14.
dhcp-restrict | disable | Does not restrict a client’s traffic to only DHCP traffic while the client is being authenticated and authorized.
idle-client-probing | enable | Sends a keepalive packet (a null-data frame) to each client every 10 seconds.
psk-phrase | No passphrase defined | Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
psk-raw | No preshared key defined | Uses dynamically generated keys rather than statically configured keys to authenticate WPA clients.
tkip-mc-time | 60000 | Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
transmit-rates | 802.11a: • mandatory: 6.0,12.0,24.0 • beacon-rate: 6.0 • multicast-rate: auto • disabled: none 802.11b: • mandatory: 5.5,11.0 • beacon-rate: 5.
web-portal-acl | portalacl |
web-portal-form | Not configured | For Web Authentication users, serves the UNIVERGE WL Control System login page.
web-portal-session-timeout | 5 | Allows a Web Portal Web Authentication session to remain in the Deassociated state 5 seconds before being terminated automatically.
wep active-multicast-index | 1 | Uses WEP key 1 for static WEP encryption of multicast traffic if WEP encryption is enabled and keys are defined.
wep active-unicast-index | 1 | Uses WEP key 1 for static WEP encryption of unicast traffic if WEP encryption is enabled and keys are defined.
• set service-profile cac-session on page 342
• set service-profile cipher-ccmp on page 343
• set service-profile cipher-tkip on page 343
• set service-profile cipher-wep104 on page 344
• set service-profile cipher-wep40 on page 346
• set service-profile cos on page 347
• set service-profile dhcp-restrict on page 348
• set service-profile idle-client-probing on page 349
• set service-profile long-retry-count on page 351
• set service-prof
• set service-profile wep active-unicast-index on page 370
• set service-profile wep key-index on page 371
• set service-profile wpa-ie on page 372
• show radio-profile on page 408
• show service-profile on page 413

set service-profile active-call-idle-timeout
Changes the number of seconds UNIVERGE WL Control System will continue to reserve bandwidth for an active voice session (on-hook call).
Usage
The active-call idle timeout applies only to active voice sessions (on-hook calls) on an SSID whose service profile has CAC mode voice-extension and whose radio profile has QoS mode voice-extension. For all other sessions, the user idle timeout applies instead. The user idle timeout also applies to sessions whose active-call idle timeout has expired.

set service-profile attr
Access
Enabled.
Usage
To change the value of a default attribute for a service profile, use the set service-profile attr command and specify a new value. The SSID default attributes are applied in addition to any attributes supplied for the user by the RADIUS server or the local database.
The following command limits the days and times when users accessing the SSID managed by service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
PROPMT# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
See Also
• show service-profile on page 413
• show sessions network on page 536

set service-profile auth-dot1x
Disables or reenables 802.
If you disable 802.1X authentication of WPA clients, the only method available for authenticating the clients is preshared key (PSK) authentication. To use this, you must enable PSK support and configure a passphrase or key.
Examples
The following command disables 802.1X authentication for WPA clients that use service profile wpa_clients:
PROPMT# set service-profile wpa_clients auth-dot1x disable
success: change accepted.

set service-profile auth-fallthru
last-resort: Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
none: Denies authentication and prohibits the user from accessing the SSID.
Note: The fallthru authentication type none is different from the authentication method none you can specify for administrative access. The fallthru authentication type none denies access to a network user.
Examples
The following command sets the fallthru authentication type for SSIDs managed by the service profile rnd_lab to web-portal:
PROPMT# set service-profile rnd_lab auth-fallthru web-portal
success: change accepted.
See Also
• set service-profile auth-dot1x on page 336
• set service-profile psk-raw on page 355
• set service-profile wpa-ie on page 372
• show service-profile on page 413

set service-profile beacon
Disables or reenables beaconing of the SSID managed by the service profile. A UNIVERGE WL Access Point radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a nonbeaconed SSID, radios respond only to directed 802.
• set service-profile ssid-name on page 359
• set service-profile ssid-type on page 359
• show service-profile on page 413

set service-profile cac-mode
Configures the Call Admission Control (CAC) mode.
Syntax
set service-profile name cac-mode {none | session | voice-extension}
name: Service profile name.
none: CAC is not used.
session: CAC is based on the number of active sessions.
• set service-profile cac-session on page 342
• show service-profile on page 413

set service-profile cac-session
Specifies the maximum number of active sessions a radio can have when session-based CAC is enabled. When a UNIVERGE WL Access Point radio has reached the maximum allowed number of active sessions, the radio refuses connections from additional clients.
Syntax
set service-profile name cac-session max-sessions
name: Service profile name.

set service-profile cipher-ccmp
Enables Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption with WPA clients, for a service profile.
Syntax
set service-profile name cipher-ccmp {enable | disable}
name: Service profile name.
enable: Enables CCMP encryption for WPA clients.
disable: Disables CCMP encryption for WPA clients.
Defaults
CCMP encryption is disabled by default.
Access
Enabled.
Usage
Syntax
set service-profile name cipher-tkip {enable | disable}
name: Service profile name.
enable: Enables TKIP encryption for WPA clients.
disable: Disables TKIP encryption for WPA clients.
Defaults
When the WPA IE is enabled, TKIP encryption is enabled by default.
Access
Enabled.
Usage
To use TKIP, you must also enable the WPA IE.

set service-profile cipher-wep104
enable: Enables 104-bit WEP encryption for WPA clients.
disable: Disables 104-bit WEP encryption for WPA clients.
Defaults
104-bit WEP encryption is disabled by default.
Access
Enabled.
Usage
To use 104-bit WEP with WPA clients, you must also enable the WPA IE. When 104-bit WEP in WPA is enabled in the service profile, radios managed by a radio profile that is mapped to the service profile can also support non-WPA clients that use dynamic WEP.

set service-profile cipher-wep40
Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.
Syntax
set service-profile name cipher-wep40 {enable | disable}
name: Service profile name.
enable: Enables 40-bit WEP encryption for WPA clients.
disable: Disables 40-bit WEP encryption for WPA clients.
Defaults
40-bit WEP encryption is disabled by default.
Access
Enabled.
Usage
See Also
• set service-profile cipher-ccmp on page 343
• set service-profile cipher-tkip on page 343
• set service-profile cipher-wep104 on page 344
• set service-profile wep key-index on page 371
• set service-profile wpa-ie on page 372
• show service-profile on page 413

set service-profile cos
Sets the Class-of-Service (CoS) level for static CoS.
Syntax
set service-profile name cos level
name: Service profile name.

set service-profile dhcp-restrict
Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a newly associated client and allows DHCP traffic only, until the client has been authenticated and authorized. All other traffic is captured by the UNIVERGE WL Controller and is not forwarded. After the client is successfully authorized, the traffic restriction is removed.

set service-profile idle-client-probing
Disables or reenables periodic keepalives from UNIVERGE WL Access Points radios to clients on a service profile’s SSID. When idle-client probing is enabled, the UNIVERGE WL Access Points radio sends a unicast null-data frame to each client every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.

set service-profile keep-initial-vlan
Configures UNIVERGE WL Access Point radios managed by the radio profile to leave a roamed user on the VLAN assigned by the UNIVERGE WL Controller where the user logged on. When this option is disabled, a user's VLAN is reassigned by each UNIVERGE WL Controller when a user roams.
Syntax
set service-profile name keep-initial-vlan {enable | disable}
name: Service profile name.

set service-profile long-retry-count
Changes the long retry threshold for a service profile. The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment. A long unicast frame is a frame that is equal to or longer than the frag-threshold.
Syntax
set service-profile name long-retry-count threshold
name: Service profile name.

set service-profile no-broadcast
• ARP requests—If the SSID has clients with IP addresses that the UNIVERGE WL Controller does not already know, the UNIVERGE WL Controller allows the UNIVERGE WL Access Points radio to send the ARP request as a unicast to only those stations whose addresses the UNIVERGE WL Controller does not know.
• show service-profile on page 413

set service-profile proxy-arp
Disables or reenables proxy ARP. When proxy ARP is enabled, the UNIVERGE WL Controller replies to ARP requests for client IP address on behalf of the clients. This feature reduces broadcast overhead on a service profile SSID by eliminating ARP broadcasts from UNIVERGE WL Access Points radios to the SSID’s clients.
• set service-profile no-broadcast on page 351
• show service-profile on page 413

set service-profile psk-phrase
Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.
Syntax
set service-profile name psk-phrase passphrase
name: Service profile name.
• set service-profile auth-psk on page 339
• set service-profile psk-raw on page 355
• set service-profile wpa-ie on page 372
• show service-profile on page 413

set service-profile psk-raw
Configures a raw hexadecimal preshared key (PSK) to use for authenticating WPA clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise session keys for individual WPA clients.
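How the key forms set by psk-phrase and psk-raw relate, as an added example that is not part of the NEC reference: under IEEE 802.11i (WPA) a passphrase is expanded into the 256-bit PSK with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names are hypothetical, and the 8 to 63 character passphrase limit and the 64-hex-digit key length come from the standard, not from this page.

```python
import hashlib
import hmac
import re

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for the passphrase-to-PSK mapping
PSK_LENGTH_BYTES = 32      # 256-bit PSK, written as 64 hexadecimal digits


def psk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK that a WPA passphrase maps to for one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters (802.11i limit)")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt, so one passphrase yields a different key per SSID.
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes,
        PBKDF2_ITERATIONS, PSK_LENGTH_BYTES,
    )
    return key.hex()


def is_raw_psk(value: str) -> bool:
    """True if value has the shape of a raw 256-bit key: exactly 64 hex digits."""
    return re.fullmatch(r"[0-9A-Fa-f]{64}", value) is not None


def profile_keys_match(passphrase: str, ssid: str, raw_psk: str) -> bool:
    """Check that a raw key on one profile equals the passphrase-derived key
    on another, for example when the same SSID is configured in both forms."""
    if not is_raw_psk(raw_psk):
        return False
    derived = psk_from_passphrase(passphrase, ssid)
    return hmac.compare_digest(derived, raw_psk.lower())


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(psk_from_passphrase("password", "IEEE"))
    # Same passphrase, different SSID (constructed): a different key.
    print(psk_from_passphrase("password", "rnd_lab"))
```

Because the SSID is part of the derivation, a raw key copied from one service profile is only valid for another profile that uses the same SSID name.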
See Also
• set mac-user attr on page 222
• set service-profile auth-psk on page 339
• set service-profile psk-phrase on page 354
• set service-profile wpa-ie on page 372
• show service-profile on page 413

set service-profile rsn-ie
Enables the Robust Security Network (RSN) Information Element (IE).
• set service-profile auth-psk on page 339
• set service-profile cipher-ccmp on page 343
• set service-profile cipher-wep104 on page 344
• set service-profile cipher-wep40 on page 346
• show service-profile on page 413

set service-profile shared-key-auth
Enables shared-key authentication, in a service profile.
Note. Use this command only if advised to do so by UNIVERGE WL Control System.
See Also
• set radio-profile mode on page 316
• set service-profile cipher-tkip on page 343
• show service-profile on page 413

set service-profile short-retry-count
Changes the short retry threshold for a service profile. The short retry threshold specifies the number of times a radio can send a short unicast frame without receiving an acknowledgment. A short unicast frame is a frame that is shorter than the frag-threshold.

set service-profile ssid-name
Configures the SSID name in a service profile.
Syntax
set service-profile name ssid-name ssid-name
name: Service profile name.
ssid-name: Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.
Syntax
set service-profile name ssid-type [clear | crypto]
name: Service profile name.
clear: Wireless traffic for the service profile’s SSID is not encrypted.
crypto: Wireless traffic for the service profile’s SSID is encrypted.
Defaults
The default SSID type is crypto.
Access
Enabled.
Examples
The following command changes the SSID type for service profile clear_wlan to clear:
PROPMT# set service-profile clear_wlan ssid-type clear
success: change accepted.
• For traffic from clients to the network, the UNIVERGE WL Access Points marks the DSCP value in the IP headers of the tunnel packets used to carry the user data from the UNIVERGE WL Access Points to the UNIVERGE WL Controller.
Syntax
set service-profile name static-cos {enable | disable}
name: Service profile name.
enable: Enables static CoS on the service profile.
disable: Disables static CoS on the service profile.
Syntax
set service-profile name tkip-mc-time wait-time
name: Service profile name.
wait-time: Number of milliseconds (ms) countermeasures remain in effect. You can specify from 0 to 60,000.
Defaults
The default countermeasures wait time is 60,000 ms (60 seconds).
Access
Enabled.
Usage
Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients and non-WPA WEP clients. CCMP clients are not affected.

set service-profile transmit-rates
mandatory rate-list: Set of data transmission rates that clients are required to support in order to associate with an SSID on a UNIVERGE WL Access Point radio. A client must support at least one of the mandatory rates. These rates are advertised in the basic rate set of 802.11 beacons, probe responses, and reassociation response frames sent by UNIVERGE WL Access Points radios.
beacon-rate rate: Data rate of beacon frames sent by UNIVERGE WL Access Points radios. The valid rates depend on the radio type and are the same as the valid rates for mandatory. However, you cannot set the beacon rate to a disabled rate. Note: UNIVERGE WL Access Points radios send probe-response frames using the transit rates at which they are received.
multicast-rate {rate | auto}
Defaults
• This command has the following defaults:
mandatory:
• 11a—6.
Access
Enabled.
Usage
If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or multicast rate. All rates that are applicable to the radio type and that are not disabled are supported by the radio.
Examples
The following command sets 802.
Access
Enabled.
Usage
The user idle timeout does not apply to active voice sessions (on-hook calls) on an SSID whose service profile has CAC mode voice-extension and whose radio profile has QoS mode voice-extension. The active-call idle timeout (set by the set service-profile active-call-idle-timeout command) applies to these sessions instead.

set service-profile web-portal-form
Usage
It is recommended that you create a subdirectory for the custom page and place all of the files for the page in that subdirectory. Do not place the custom page in the root directory of the UNIVERGE WL Controller user file area. If the custom login page includes gif or jpg images, their path names are interpreted relative to the directory from which the page is served.
Note.
• set web-portal on page 240
• show service-profile on page 413

set service-profile web-portal-session-timeout
Changes the number of seconds UNIVERGE WL Control System allows Web Portal Web Authentication sessions to remain in the Deassociated state before being terminated automatically.
Syntax
set service-profile name web-portal-session-timeout seconds
name: Service profile name.
Examples
The following command allows Web Portal Web Authentication sessions to remain in the Deassociated state 180 seconds before being terminated automatically.
PROPMT# set service-profile sp1 web-portal-session-timeout 180
success: change accepted.

set service-profile wep active-unicast-index
Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames.
Syntax
set service-profile name wep active-unicast-index num
name: Service profile name.
num: WEP key number. You can enter a value from 1 through 4.
Defaults
If WEP encryption is enabled and WEP keys are defined, AP radios use WEP key 1 to encrypt unicast frames, by default.
Access
Enabled.

set service-profile wep key-index
Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP encryption.
Syntax
set service-profile name wep key-index num key value
name: Service profile name.
key-index num: WEP key index. You can enter a value from 1 through 4.
key value: Hexadecimal value of the key.

set service-profile wpa-ie
Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile.
Syntax
set service-profile name wpa-ie {enable | disable}
name: Service profile name.
enable: Enables the WPA IE.
disable: Disables the WPA IE.
Defaults
The WPA IE is disabled by default.
Access
Enabled.
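A configuration review built on the set service-profile commands above, as an added example that is not NEC's code: it parses a saved list of commands, applies the defaults this reference states (ssid-type crypto, WPA IE disabled, CCMP and WEP disabled, TKIP enabled once the WPA IE is enabled) and flags profiles that end up with unencrypted, last-resort, WEP or TKIP-only access. The sample configuration, the finding codes and the function names are constructed for illustration, and treating TKIP without CCMP as a finding reflects the general deprecation of TKIP and WEP, not a statement in this reference.

```python
import shlex

# Defaults this command reference states for service-profile parameters.
DOCUMENTED_DEFAULTS = {
    "ssid-type": "crypto",
    "wpa-ie": "disable",
    "cipher-ccmp": "disable",
    "cipher-wep104": "disable",
    "cipher-wep40": "disable",
}

# Hypothetical finding codes and their meaning.
FINDINGS = {
    "CLEAR_SSID": "ssid-type clear: wireless traffic for the SSID is not encrypted",
    "LAST_RESORT_ACCESS": "auth-fallthru last-resort: access without username and password",
    "WEP40_ENABLED": "cipher-wep40 enable: 40-bit WEP is offered",
    "WEP104_ENABLED": "cipher-wep104 enable: 104-bit WEP is offered",
    "STATIC_WEP_KEY": "wep key-index: a static WEP key is configured",
    "SHARED_KEY_AUTH": "shared-key-auth enable: shared-key authentication is on",
    "TKIP_WITHOUT_CCMP": "TKIP is in effect and cipher-ccmp is not enabled",
}

# Constructed sample input, not taken from a real controller.
SAMPLE_CONFIG = """\
PROPMT# set service-profile guest ssid-name "Guest WiFi"
PROPMT# set service-profile guest ssid-type clear
PROPMT# set service-profile guest auth-fallthru last-resort
success: change accepted.
PROPMT# set service-prof legacy wpa-ie enable
PROPMT# set service-prof legacy cipher-wep40 enable
PROPMT# set service-profile corp rsn-ie enable
PROPMT# set service-profile corp cipher-ccmp enable
PROPMT# set service-profile corp cipher-tkip disable
PROPMT# set radio-profile rp1 service-profile corp
"""


def parse_service_profiles(config_text):
    """Collect {profile: {parameter: value}} from 'set service-profile' lines."""
    profiles = {}
    for raw_line in config_text.splitlines():
        tokens = shlex.split(raw_line)
        if tokens and tokens[0].endswith("#"):      # drop a leading CLI prompt
            tokens = tokens[1:]
        if len(tokens) < 5 or tokens[0] != "set":
            continue
        keyword = tokens[1]                          # accepts 'service-prof' too
        if not (keyword.startswith("service-p") and "service-profile".startswith(keyword)):
            continue
        name, param = tokens[2], tokens[3]
        settings = profiles.setdefault(name, {})
        if param == "wep":                           # wep key-index / active-*-index
            settings["wep " + tokens[4]] = " ".join(tokens[5:])
        else:
            settings[param] = " ".join(tokens[4:])
    return profiles


def audit_profile(settings):
    """Return finding codes for one profile's explicit settings plus defaults."""
    def effective(param):
        return settings.get(param, DOCUMENTED_DEFAULTS.get(param))

    findings = []
    if effective("ssid-type") == "clear":
        findings.append("CLEAR_SSID")
    if settings.get("auth-fallthru") == "last-resort":
        findings.append("LAST_RESORT_ACCESS")
    if effective("cipher-wep40") == "enable":
        findings.append("WEP40_ENABLED")
    if effective("cipher-wep104") == "enable":
        findings.append("WEP104_ENABLED")
    if "wep key-index" in settings:
        findings.append("STATIC_WEP_KEY")
    if settings.get("shared-key-auth") == "enable":
        findings.append("SHARED_KEY_AUTH")
    wpa_ie = effective("wpa-ie") == "enable"
    rsn_ie = settings.get("rsn-ie") == "enable"
    # TKIP defaults to enabled only once the WPA IE is enabled.
    tkip_default = "enable" if wpa_ie else "disable"
    tkip = (wpa_ie or rsn_ie) and settings.get("cipher-tkip", tkip_default) == "enable"
    if tkip and effective("cipher-ccmp") != "enable":
        findings.append("TKIP_WITHOUT_CCMP")
    return findings


def audit_config(config_text):
    """Map each service profile in the configuration to its finding codes."""
    return {name: audit_profile(s) for name, s in parse_service_profiles(config_text).items()}


if __name__ == "__main__":
    for profile, codes in audit_config(SAMPLE_CONFIG).items():
        print(profile, "OK" if not codes else "")
        for code in codes:
            print("  -", code, ":", FINDINGS[code])
```

The legacy profile is flagged for TKIP even though no cipher-tkip command appears in its configuration, which is the case the documented default makes easy to miss.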

show ap acl hits
Note. This command is not supported.

show ap acl map
Note. This command is not supported.

show ap acl resource-usage
Note. This command is not supported.

show ap arp
Note. This command is not supported.

show ap config
Displays global and radio-specific settings for an AP.
Syntax
show ap config [ap-number [radio {1 | 2}]]
ap-number: Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
radio 1: Shows configuration information for radio 1.
radio 2: Shows configuration information for radio 2. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
Usage
UNIVERGE WL Control System lists information for AP.
Table 35. Output for show ap config
Field | Description
AP | Index number that identifies the UNIVERGE WL Access Points on the switch.
serial-id | Serial ID of the AP.
AP model | AP model number.
bias | Bias of the UNIVERGE WL Controller connection to the AP: • High • Low
name | AP name, if configured.
mode | Radio state: • Enabled • Disabled
channel | Channel number.
antennatype | External antenna model, if applicable.
tx pwr | Transmit power, in dBm.
profile | Radio profile that manages the radio. Until you assign the radio to a radio profile, UNIVERGE WL Control System assigns the radio to the default radio profile.
auto-tune max-power | Maximum power level the RF Auto-Tuning feature can set on the radio.
local-switching | Whether local packet switching is enabled for the UNIVERGE WL Access Points.
vlan-profile | The VLAN profile the UNIVERGE WL Access Point uses for local packet switching, indicating which VLANs are locally switched.

show ap counters
Displays AP and radio statistics counters.
Syntax
show ap counters [ap-number [radio {1 | 2}]]
ap-number: Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
radio 1: Shows statistics counters for radio 1.
radio 2: Shows statistics counters for radio 2. (This option does not apply to single-radio models.)
Defaults
None.
Access
Enabled.
6.0: 0 0 0 0 9.0: 0 0 0 0 11.0: 0 0 0 0 12.0: 0 0 0 0 18.0: 0 0 0 0 24.0: 0 0 0 0 36.0: 0 0 0 0 48.0: 0 0 0 0 54.0: 0 0 0 0 TOTL: 6660 55683 832715 8697520 ... 0 0 1 172 17 998 0 0 0 0 0 0 0 0 1 68 0 0 41 11513 0 0 0 0 0 0 0 0 0 0 0 51 0 53 0 35 0 26 0 38 0 47 0 1 0 29 0 5 0 12948
Table 36 describes the fields in this display.
Table 36. Output for show ap counters
Field | Description
AP | UNIVERGE WL Access Points number.
radio | Radio number.
TKIP Pkt Replays | Number of TKIP packets that were resent to the UNIVERGE WL Access Points by a client. A low value (under about one hundred) does not necessarily indicate a problem. However, if this counter is increasing steadily or has a very high value (in the hundreds or more), a Denial of Service (DoS) attack might be occurring. Contact UNIVERGE.
Radio Adjusted Tx Pwr
    Current power level set on the radio. If RF Auto-Tuning of power is enabled, this value is the power set by RF Auto-Tuning. If RF Auto-Tuning is disabled, this value is the statically configured power level.
802.3 Packet Tx Ct
    Number of raw 802.3 packets transmitted by the radio. These are LocalTalk (AppleTalk) frames. This counter increments only if LocalTalk traffic is present.
MultiBytDrop
    Number of multicast bytes dropped by the radio due to a buffer overflow on the UNIVERGE WL Access Points. (See the description for MultiPktDrop.)
User Sessions
    Number of clients currently associated with the radio. Generally, this counter is equal to the number of sessions listed for the radio in show sessions output.
Transmit Retries
    Number of times the radio retransmitted a unicast packet because it was not acknowledged. The UNIVERGE WL Access Points uses this counter to adjust the transmit data rate for a client, in order to minimize retries. The ratio of transmit retries to transmitted packets (TxUniPkt) indicates the overall transmit quality. A ratio of about 1 retry to 10 transmitted packets indicates good transmit quality.
TxUniByte
    Number of unicast bytes transmitted by the radio.
TxMultiByte
    Number of multicast bytes transmitted by the radio.
RxPkt
    Number of packets received by the radio.
RxByte
    Number of bytes received by the radio.
UndcrptPkt
    Number of undecryptable packets received by the radio. It is normal for this counter to increment even in stable networks; an increase does not necessarily indicate an attack.
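The guidance Table 36 gives for TKIP Pkt Replays and Transmit Retries can be checked automatically against periodic counter readings. The following Python code is an added example, not part of the NEC manual: it assumes the readings have already been collected into dictionaries keyed by the Table 36 field names, the 0.20 alert ratio and the three-interval meaning of "steadily" are assumed values, and the sample readings are constructed.

```python
from dataclasses import dataclass

# Values taken from Table 36.
TKIP_REPLAY_HIGH = 100      # "very high value (in the hundreds or more)"
GOOD_RETRY_RATIO = 0.10     # "about 1 retry to 10 transmitted packets"
# Assumptions made for this example; tune them for your own network.
RETRY_RATIO_ALERT = 0.20    # alert at twice the ratio the table calls good
STEADY_INTERVALS = 3        # consecutive increases that count as "steadily"


@dataclass(frozen=True)
class Finding:
    ap: int
    radio: int
    counter: str
    detail: str


def deltas(series):
    """Per-interval growth of a cumulative counter.

    A reading lower than the previous one means the counter restarted
    (for example after an AP reboot), so the new reading is the growth.
    """
    return [cur if cur < prev else cur - prev
            for prev, cur in zip(series, series[1:])]


def check_tkip_replays(ap, radio, series):
    """Flag a very high value or a steady climb in TKIP Pkt Replays."""
    findings = []
    if series[-1] >= TKIP_REPLAY_HIGH:
        findings.append(Finding(ap, radio, "TKIP Pkt Replays",
                                f"value {series[-1]} is in the hundreds or more"))
    recent = deltas(series)[-STEADY_INTERVALS:]
    if len(recent) == STEADY_INTERVALS and all(d > 0 for d in recent):
        findings.append(Finding(ap, radio, "TKIP Pkt Replays",
                                f"increased in each of the last {STEADY_INTERVALS} intervals"))
    return findings


def check_retry_ratio(ap, radio, retries, tx_unicast):
    """Compare growth of Transmit Retries with growth of TxUniPkt."""
    sent = sum(deltas(tx_unicast))
    if sent == 0:
        return []  # idle radio: there is no ratio to judge
    ratio = sum(deltas(retries)) / sent
    if ratio <= RETRY_RATIO_ALERT:
        return []
    return [Finding(ap, radio, "Transmit Retries",
                    f"{ratio:.2f} retries per unicast packet "
                    f"(good is about {GOOD_RETRY_RATIO:.2f})")]


def evaluate(snapshots):
    """snapshots: time-ordered list of {(ap, radio): {field: value}}."""
    findings = []
    for ap, radio in sorted(snapshots[-1]):
        rows = [s[(ap, radio)] for s in snapshots if (ap, radio) in s]
        replays = [r["TKIP Pkt Replays"] for r in rows]
        retries = [r["Transmit Retries"] for r in rows]
        tx_unicast = [r["TxUniPkt"] for r in rows]
        findings += check_tkip_replays(ap, radio, replays)
        findings += check_retry_ratio(ap, radio, retries, tx_unicast)
        # UndcrptPkt is not alerted on: Table 36 says it increments even
        # in stable networks.
    return findings


# Constructed readings (not from the manual): four polls, oldest first.
SAMPLE_SERIES = {
    (7, 1): {"TKIP Pkt Replays": [2, 2, 3, 3],
             "Transmit Retries": [100, 180, 260, 340],
             "TxUniPkt": [1000, 2000, 3000, 4000],
             "UndcrptPkt": [5, 9, 12, 20]},
    (7, 2): {"TKIP Pkt Replays": [10, 60, 140, 260],
             "Transmit Retries": [50, 400, 800, 1250],
             "TxUniPkt": [500, 1500, 2500, 3500],
             "UndcrptPkt": [0, 1, 1, 2]},
    (3, 1): {"TKIP Pkt Replays": [40, 45, 1, 1],      # counters restarted
             "Transmit Retries": [900, 950, 10, 40],
             "TxUniPkt": [9000, 9500, 200, 600],
             "UndcrptPkt": [7, 7, 0, 0]},
}
SNAPSHOTS = [{key: {name: values[i] for name, values in cols.items()}
              for key, cols in SAMPLE_SERIES.items()}
             for i in range(4)]

if __name__ == "__main__":
    for f in evaluate(SNAPSHOTS):
        print(f"AP {f.ap} radio {f.radio}: {f.counter}: {f.detail}")
```

Only AP 7 radio 2 is reported in the sample data; the radio whose counters restarted is handled without producing a false finding.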

show ap fdb
Note. This command is not supported.

show ap qos-stats
Displays statistics for UNIVERGE WL Access Points forwarding queues.
Syntax
    show ap qos-stats [ap-number] [clear]
ap-number
    Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
clear
    Clears the counters after displaying their current values.
Defaults
    None.
Access
    Enabled.
Table 37. Output for show ap qos-stats
Field    Description
CoS
    CoS value associated with the forwarding queues.
Queue
    Forwarding queue.
AP
    UNIVERGE WL Access Points number.
radio
    Radio number.
Tx
    Number of packets transmitted to the air from the queue.
TxDrop
    Number of packets dropped from the queue instead of being transmitted. Some packet drops are normal, especially if the RF environment is noisy.
Examples
The following command displays Ethernet statistics for the Ethernet ports on UNIVERGE WL Access Points 1:
PROPMT# show ap etherstats 1
AP: 1 ether: 1
=================================
RxUnicast: 75432       TxGoodFrames:
RxMulticast: 18789     TxSingleColl:
RxBroadcast: 8         TxLateColl:
RxGoodFrames: 94229    TxMaxColl:
RxAlignErrs: 0         TxMultiColl:
RxShortFrames: 0       TxUnderruns:
RxCrcErrors: 0         TxCarrierLoss:
RxOverruns: 0          TxDeferred:
RxDiscards: 0
AP: 1 ether: 2
=======================
Table 38. Output for show ap etherstats
Field    Description
RxOverruns
    Number of frames known to be lost due to a temporary lack of hardware resources.
RxDiscards
    Number of frames known to be lost due to a temporary lack of software resources.
TxGoodFrames
    Number of frames transmitted properly on the link.
TxSingleColl
    Number of transmitted frames that encountered a single collision.

show ap group
Displays configuration information and load-balancing status for AP groups.
Syntax
    show ap group [name]
name
    Name of an AP group.
Defaults
    None.
Access
    Enabled.
Table 39. Output for show ap group
Field    Description
Status
    Association status of the AP:
    • Accepting—The AP is accepting new associations.
    • Refusing—The AP is refusing new associations.
Refused
    Number of association requests refused by the AP due to load balancing. UNIVERGE WL Control System resets this counter to 0 when the UNIVERGE WL Controller is restarted, UNIVERGE WL Control System is reloaded, or the AP is removed from the group.
Defaults
    None.
Access
    Enabled.
Examples
The following command displays the status of an AP:
PROPMT# show ap status 7
AP: 7, AP model: WL1500-AP, manufacturer NEC Infrontia, name: AP07
====================================================
State: operational (not encrypt)
CPU info: Atheros:MIPS32 speed=220000000 Hz version=AR5312, ram=16777216 s/n=G8TZUB0028 hw_rev=B
Uptime: 503 hours, 51 minutes, 5 seconds
Radio 1 type: 802.
Table 40. Output for show ap status
Field    Description
AP
    Identifier for the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
IP-addr
    IP address of the UNIVERGE WL Access Points. The address is assigned to the UNIVERGE WL Access Points by a DHCP server.
    Note: This field is applicable only if the UNIVERGE WL Access Points is not directly attached to the UNIVERGE WL Controller.
AP model
    AP model number.
manufacturer
    Company that made the AP.
State
    State of the AP:
    • init—The AP has been recognized by the UNIVERGE WL Controller but has not yet begun booting.
    • booting—The AP has asked the UNIVERGE WL Controller for a boot image.
    • image downloading—The AP is receiving a boot image from the UNIVERGE WL Controller.
    • image downloaded—The AP has received a boot image from the UNIVERGE WL Controller and is booting.
CPU info
    Specifications and identification of the CPU.
Uptime
    Amount of time since the AP booted using this link.
Radio 1 type
Radio 2 type
    802.11 type and configuration state of the radio.
    • The configure succeed state indicates that the AP has received configuration parameters for the radio and the radio is ready to accept client connections.
    • 802.11b protect indicates that the 802.
Radio 1 type
Radio 2 type (cont.)
    • Radar Detected indicates that DFS has detected radar on the channel. When this occurs, the UNIVERGE WL Access Points stops transmitting on the channel for 30 minutes. If RF Auto-Tuning is enabled for channel assignment, the radio selects another channel and performs the initial channel availability check on the new channel, during which time the flag changes back to Radar Scan.
bssid, ssid
    SSIDs configured on the radio and their BSSIDs.
load balance
    Whether RF load balancing is enabled for the radio.
current load
    The load on this radio relative to the load balancing group average or target load.
RFID Reports
    Status of AeroScout asset tag support.
    • Active—The AeroScout Engine has enabled the tag report mode on the UNIVERGE WL Access Points.
Table 41. Output for show ap status terse
Field    Description
MAC Address
    MAC address of the UNIVERGE WL Access Points.
Radio1
    State, channel, and power information for radio 1:
    • The state can be D (disabled) or E (enabled).
    • The channel and power settings are shown as channel/power.
Radio2
    State, channel, and power information for radio 2.
Uptime
    Amount of time since the AP booted using this link.

show ap vlan
Note. This command is not supported.
Access
    Enabled.
Examples
The following command displays RF attribute information for radio 1 on the connected UNIVERGE WL Access Points 2:
PROPMT# show auto-tune attributes ap 2 radio 1
Auto-tune attributes for ap 2 radio 1:
Noise: -92 Packet Retransmission Count: Utilization: 0 Phy Errors Count: CRC Errors count: 122 0 0
Table 42 describes the fields in this display.
Table 42.
• set radio-profile auto-tune channel-config on page 301
• set radio-profile auto-tune channel-holddown on page 303
• set radio-profile auto-tune channel-interval on page 304
• set radio-profile auto-tune power-config on page 305
• set radio-profile auto-tune power-interval on page 306
• show auto-tune neighbors on page 399
• show radio-profile on page 408

show auto-tune neighbors
Displays the other AP radios and third-party 802.
Information is displayed for a radio if the radio sends beacon frames or responds to probe requests. Even if the radio SSIDs are unadvertised, AP radios detect the empty beacon frames (beacon frames without SSIDs) sent by the radio, and include the radio in the neighbor list.
• show auto-tune attributes on page 397
• show radio-profile on page 408

show ap boot-configuration
Displays information about the static IP address configuration (if any) on a UNIVERGE WL Access Points.
Syntax
    show ap boot-configuration ap-number
ap-number
    Index value that identifies the UNIVERGE WL Access Points on the UNIVERGE WL Controller.
Defaults
    None.
Access
    Enabled.
Table 44. Output for show ap boot-configuration
Field    Description
AP
    UNIVERGE WL Access Points number.
IP Address
    Whether static IP address assignment is enabled for this UNIVERGE WL Access Points.
VLAN Tag
    Whether the UNIVERGE WL Access Points is configured to use a VLAN tag.
Switch
    Whether the UNIVERGE WL Access Points is configured to use a manually specified UNIVERGE WL Controller as its boot device.
Mesh SSID
    The WLAN mesh services SSID this UNIVERGE WL Access Points is configured to use (if any).
Mesh PSK
    The preshared key (PSK) the UNIVERGE WL Access Points uses for authentication with a Mesh Portal AP (if any).

show ap connection
Displays the system IP address of the UNIVERGE WL Controller that booted a UNIVERGE WL Access Points.
If a UNIVERGE WL Access Points is configured on this UNIVERGE WL Controller (or another UNIVERGE WL Controller in the same Mobility Domain) but does not have an active connection, the command does not display information for the UNIVERGE WL Access Points. To show connection information for UNIVERGE WL Access Points, use the show ap global command on one of the UNIVERGE WL Controllers where the UNIVERGE WL Access Points are configured.
Table 45. Output for show ap connection
Field    Description
AP IP Address
    IP address assigned by DHCP to the UNIVERGE WL Access Point.
Switch IP Address
    System IP address of the UNIVERGE WL Controller on which the UNIVERGE WL Access Point has an active connection. This is the UNIVERGE WL Controller that the UNIVERGE WL Access Point used for booting and configuration and is using for data transfer.
To show information only for UNIVERGE WL Access Points that have active connections, use the show ap connection command.
Examples
The following command displays connection information for all the UNIVERGE WL Access Points configured on a UNIVERGE WL Controller:
PROPMT# show ap global
AP  Serial Id   Switch IP Address
--- ----------- --------------------
3   G8TZUB0053  192.168.10.10 HIGH
4   G8TZUB0253  192.168.10.20 LOW
Table 46 describes the fields in this display.
Table 46.
See Also
• set ap on page 54
• set ap bias on page 282
• show ap config on page 374
• show ap connection on page 403
• show ap unconfigured on page 407

show ap unconfigured
Displays UNIVERGE WL Access Points that are physically connected to the network but that are not configured on any UNIVERGE WL Controllers.
Syntax
    show ap unconfigured
Defaults
    None.
Access
    Enabled.
Table 47. Output for show ap unconfigured
Field    Description
Serial Id
    Serial ID of the UNIVERGE WL Access Points.
Model
    UNIVERGE WL Access Points model number.
IP Address
    IP address of the UNIVERGE WL Access Points. This is the address that the UNIVERGE WL Access Points receives from a DHCP server. The UNIVERGE WL Access Points uses this address to send a Find UNIVERGE WL Controller message to request configuration information from UNIVERGE WL Controllers.
Syntax
    show radio-profile {name | ?}
name
    Displays information about the named radio profile.
?
    Displays a list of radio profiles.
Defaults
    None.
Access
    Enabled.
Usage
UNIVERGE WL Control System contains a default radio profile. UNIVERGE WL Control System recommends that you do not change this profile but instead keep the profile for reference.
Table 48. Output for show radio-profile
Field    Description
Max Rx Lifetime
    Number of milliseconds that a frame scheduled to be transmitted by a radio in the radio profile can remain in buffer memory.
RTS Threshold
    Minimum length (in bytes) a frame can be for a radio in the radio profile to use the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.
Tune Power Interval
    Interval, in seconds, at which RF Auto-Tuning decides whether to change the power level on radios in a radio profile. At the end of each interval, UNIVERGE WL Control System processes the results of the RF scans performed during the previous interval, and changes radio power levels if needed.
QoS Mode
    Indicates the Quality-of-Service setting for UNIVERGE WL Access Points radio forwarding queues:
    • voice-ext—Priority treatment is provided to voice traffic for NEC handsets.
    • svp—UNIVERGE WL Access Points forwarding queues are optimized for SpectraLink Voice Priority (SVP).
    • wmm—UNIVERGE WL Access Points forwarding queues provide standard priority handling for WMM devices.
• set radio-profile auto-tune power-interval on page 306
• set radio-profile beacon-interval on page 307
• set radio-profile countermeasures on page 307
• set radio-profile dtim-interval on page 309
• set radio-profile frag-threshold on page 310
• set radio-profile max-rx-lifetime on page 311
• set radio-profile max-tx-lifetime on page 312
• set radio-profile mode on page 316
• set radio-profile preamble-length on page 320
• set radio-profile qos-mode on p
Enforce SODA checks: yes
SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS: no
COS: 0
Client DSCP: no
CAC mode: voice-ext
CAC sessions: 12
User idle timeout: 180
Idle client probing: yes
Keep initial vlan: no
Web Portal Session Timeout: 5
Mesh enabled: no
Web Portal ACL:
Bridging enabled: no
Load Balance Exempt: no
Web Portal Logout: no
Custom Web Portal Logout URL:
WEP Key 1 value:
WEP K
Table 49. Output for show service-profile
Field    Description
DHCP restrict
    Indicates whether DHCP Restrict is enabled. When this feature is enabled, UNIVERGE WL Control System allows only DHCP traffic for a new client until the client has successfully completed authentication and authorization.
No broadcast
    Indicates whether broadcast restriction is enabled.
Enforce SODA checks
    Whether a client is allowed access to the network after it has downloaded and run the SODA agent security checks. When SODA functionality is enabled, and the UNIVERGE WL Controller is configured to enforce SODA checks, then a connecting client must download the SODA agent files and pass the checks in order to gain access to the network.
COS
    CoS value assigned by the UNIVERGE WL Access Points to all user traffic, if static CoS is enabled. (If static CoS is disabled, WMM or ACLs are used to assign CoS.)
Client DSCP
    Whether packets are classified based on client DSCP level instead of 802.11 priority.
CAC mode
    Call Admission Control mode:
    • none—CAC is disabled.
    • session—CAC is based on the number of active user sessions.
Web Portal ACL
    Name of the ACL used to filter traffic for Web Portal users associated with this service profile’s SSID while the users are being authenticated.
Bridging enabled
    Whether wireless bridging is enabled for this service profile.
Load Balance Exempt
    Whether the UNIVERGE WL Access Points radios managed by this service profile are exempted (do not participate in) RF load balancing.
WEP Multicast Index
    Index of the static WEP key used to encrypt multicast traffic on an encrypted SSID.
Shared Key Auth
    Indicates whether shared-key authentication is enabled.
WPA enabled or RSN enabled
    Indicates that the Wi-Fi Protected Access (WPA) or Robust Security Network (RSN) information element (IE) is enabled.
11a / 11b / 11g transmit rate fields
    Data transmission rate settings for each radio type:
    • beacon rate—Data rate of beacon frames sent by UNIVERGE WL Access Points radios.
    • multicast rate—Data rate of multicast frames sent by UNIVERGE WL Access Points radios. If the rate is auto, the UNIVERGE WL Access Points sets the multicast rate to the highest rate that can reach all clients connected to the radio.
• set service-profile cipher-wep104 on page 344
• set service-profile cipher-wep40 on page 346
• set service-profile cos on page 347
• set service-profile dhcp-restrict on page 348
• set service-profile idle-client-probing on page 349
• set service-profile long-retry-count on page 351
• set service-profile no-broadcast on page 351
• set service-profile proxy-arp on page 353
• set service-profile psk-phrase on page 354
• set service-profile psk-raw on page

show service-profile cac session
Displays current session counts on all UNIVERGE WL Access Points using the specified service profile, when session-based CAC is enabled.
Syntax
    show service-profile name cac session
name
    Displays information about the named service profile.
Defaults
    None.
Access
    Enabled.

show voip max-sessions
Displays the number of sessions and per-session bandwidth that can be supported by a single radio, for a specific aggregate bandwidth.
Syntax
    show voip max-sessions bw
bw
    Aggregate bandwidth, in Kbps. The output shows the number of sessions and bandwidth per session that can be supported on a radio based on the bw you specify.
Defaults
    None.
Access
    Enabled.
Table 51. Output for show voip max-sessions
Field    Description
Codec
    Compression and decompression scheme used for voice sessions.
10ms 20ms 30ms 40ms
    Sample rate.
sessions@ Kbps
    For each codec and sample rate, the maximum number of sessions that can be supported on the radio and the bandwidth at which they can be supported.
Table 52 describes the fields in this display.
Table 52. Output for show voip summary
Field    Description
Port
    UNIVERGE WL Access Points number.
Radio
    Radio number.
Radio Profile
    Radio profile that is managing the radio.
QoS Mode
    QoS mode configured on the radio profile:
    • EXT—Voice Extension
    • SVP—SpectraLink Voice Priority
    • WMM—Wi-Fi Multimedia
    Note: If the mode is SVP or WMM, the remaining fields are blank.
See Also
• set radio-profile max-voip-bw on page 313
• set radio-profile max-voip-sessions on page 315

13 IGMP Snooping Commands

Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a UNIVERGE WL Controller. This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter based on their use.

clear igmp statistics
Clears IGMP statistics counters on one VLAN or all VLANs on a UNIVERGE WL Controller and resets them to 0.
Syntax
    clear igmp statistics [vlan vlan-id]
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, IGMP statistics are cleared for all VLANs.
Defaults
    None.
Access
    Enabled.
success: change accepted.
See Also
    show igmp on page 438

set igmp lmqi
Changes the IGMP last member query interval timer on one VLAN or all VLANs on a UNIVERGE WL Controller.

set igmp mrouter
Adds or removes a port in a UNIVERGE WL Controller list of ports on which it forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out.
Syntax
    set igmp mrouter port port-list {enable | disable}
port port-list
    Port list. UNIVERGE WL Control System adds or removes the specified ports in the list of static multicast router ports.
disable
    Disables multicast router solicitation.
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, multicast router solicitation is disabled or enabled on all VLANs.
Defaults
    Multicast router solicitation is disabled on all VLANs by default.
Access
    Enabled.
Examples
The following command enables multicast router solicitation on VLAN orange:
PROMT# set igmp mrsol enable vlan orange
success: change accepted.
See Also
    set igmp mrsol on page 430

set igmp oqi
Changes the IGMP other-querier-present interval timer on one VLAN or all VLANs on a UNIVERGE WL Controller.
Syntax
    set igmp oqi seconds [vlan vlan-id]
oqi seconds
    Number of seconds that the UNIVERGE WL Controller waits for a general query to arrive before electing itself the querier. You can specify a value from 1 through 65,535.
vlan vlan-id
    VLAN name or number.
• set igmp querier on page 436
• set igmp mrouter on page 430
• set igmp rv on page 437

set igmp proxy-report
Disables or reenables proxy reporting by a UNIVERGE WL Controller on one VLAN or all VLANs.
Syntax
    set igmp proxy-report {enable | disable} [vlan vlan-id]
enable
    Enables proxy reporting.
disable
    Disables proxy reporting.
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs.
Syntax
    set igmp qi seconds [vlan vlan-id]
qi seconds
    Number of seconds that elapse between general queries sent by the UNIVERGE WL Controller when the UNIVERGE WL Controller is the querier for the subnet. You can specify a value from 1 through 65,535.
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, the timer change applies to all VLANs.
Defaults
    The default query interval is 125 seconds.
Access
    Enabled.

set igmp qri
Changes the IGMP query response interval timer on one VLAN or all VLANs on a UNIVERGE WL Controller.
Syntax
    set igmp qri tenth-seconds [vlan vlan-id]
qri tenth-seconds
    Amount of time (in tenths of a second) that the UNIVERGE WL Controller waits for a receiver to respond to a group-specific query message before removing the receiver from the receiver list for the group. You can specify a value from 1 through 65,535.
vlan vlan-id
    VLAN name or number.

set igmp querier
Enables or disables the IGMP pseudo-querier on a UNIVERGE WL Controller, on one VLAN or all VLANs.
Syntax
    set igmp querier {enable | disable} [vlan vlan-id]
enable
    Enables the pseudo-querier.
disable
    Disables the pseudo-querier.
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.
Defaults
    The pseudo-querier is disabled on all VLANs by default.
Access
    Enabled.
Syntax
    set igmp receiver port port-list {enable | disable}
port port-list
    Network port list. UNIVERGE WL Control System adds the specified ports to the list of static multicast receiver ports.
enable
    Adds the port to the list of static multicast receiver ports.
disable
    Removes the port from the list of static multicast receiver ports.
Defaults
    By default, no ports are static multicast receiver ports.
Access
    Enabled.
Defaults
    The default robustness value for all VLANs is 2.
Access
    Enabled.
Examples
The following example changes the robustness value on VLAN orange to 4:
PROMT# set igmp rv 4 vlan orange
success: change accepted.
See Also
• set igmp oqi on page 432
• set igmp qi on page 433
• set igmp qri on page 435

show igmp
Displays IGMP configuration information and statistics for one VLAN or all VLANs.
Syntax
    show igmp [vlan vlan-id]
vlan vlan-id
    VLAN name or number.
Defaults
Access
Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
---- --------------- ----------------- ----- -----
10   192.28.7.5      00:01:02:03:04:05 dvmrp 17
Group           Port Receiver-IP     Receiver-MAC      TTL
--------------- ---- --------------- ----------------- -----
224.0.0.2       none none            none              undef
237.255.255.255 5    10.10.10.11     00:02:04:06:08:0b 258
237.255.255.255 5    10.10.10.13     00:02:04:06:08:0d 258
237.255.255.255 5    10.10.10.14     00:02:04:06:08:0e 258
237.255.255.255 5    10.10.10.12     00:02:04:06:08:0c 258
237.255.255.255 5    10.
Table 53. Output for show igmp
Field    Description
VLAN
    VLAN name. UNIVERGE WL Control System displays information separately for each VLAN.
IGMP is enabled (disabled)
    IGMP state.
Proxy reporting
    Proxy reporting state.
Mrouter solicitation
    Multicast router solicitation state.
Querier functionality
    Pseudo-querier state.
Configuration values (qi)
    Query interval.
Configuration values (oqi)
    Other-querier-present interval.
Type
    How the UNIVERGE WL Controller learned that the port is a multicast router port:
    • conf—Static multicast port configured by an administrator
    • madv—Multicast advertisement
    • quer—IGMP query
    • dvmrp—Distance Vector Multicast Routing Protocol (DVMRP)
    • pimv1—Protocol Independent Multicast (PIM) version 1
    • pimv2—PIM version 2
TTL
    Number of seconds before this entry ages out if not refreshed.
Querier information
    Information about the subnet’s multicast querier. If the querier is another device, the fields described below are applicable. If the querier is the UNIVERGE WL Controller itself, the output indicates how many seconds remain until the next general query message. If IGMP snooping does not detect a querier, the output indicates this. The show igmp querier command shows the same information.

show igmp mrouter
Displays the multicast routers in a UNIVERGE WL Controller subnet, on one VLAN or all VLANs. Routers are listed separately for each VLAN, according to the port number through which the UNIVERGE WL Controller can reach the router.
Syntax
    show igmp mrouter [vlan vlan-id]
vlan vlan-id
    VLAN name or number. If you do not specify a VLAN, UNIVERGE WL Control System displays the multicast routers in all VLANs.
Defaults
    None.
Access
    All.
Table 54. Output for show igmp mrouter
Field    Description
Type
    How the UNIVERGE WL Controller learned that the port is a multicast router port:
    • conf—Static multicast port configured by an administrator
    • madv—Multicast advertisement
    • quer—IGMP query
    • dvmrp—Distance Vector Multicast Routing Protocol (DVMRP)
    • pimv1—Protocol Independent Multicast (PIM) version 1
    • pimv2—PIM version 2
TTL
    Number of seconds before this entry ages out if unused.
Defaults
    None.
Access
    Enabled.
Examples
The following command displays querier information for VLAN orange:
PROMT# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP      Querier-MAC       TTL
---- --------------- ----------------- -----
1    193.122.135.
Table 55. Output for show igmp querier
Field    Description
Querier for vlan
    VLAN containing the querier. Information is listed separately for each VLAN.
Querier-IP
    IP address of the querier interface.
Querier-MAC
    MAC address of the querier interface.
TTL
    Number of seconds before this entry ages out if the UNIVERGE WL Controller does not receive a query message from the querier.
Examples
The following command displays all multicast receivers in VLAN orange:
PROMT# show igmp receiver-table vlan
VLAN: orange
Session         Port Receiver-IP
--------------- ---- ---------------
224.0.0.2       none none
237.255.255.255 5    10.10.10.11
237.255.255.255 5    10.10.10.13
237.255.255.255 5    10.10.10.14
237.255.255.255 5    10.10.10.12
237.255.255.255 5    10.10.10.
Table 56. Output for show igmp receiver-table
Field    Description
Receiver-MAC
    MAC address of the receiver.
TTL
    Number of seconds before this entry ages out if the UNIVERGE WL Controller does not receive a group membership message from the receiver. For static multicast receiver entries, the TTL value is undef. Static multicast receiver entries do not age out.
See Also
    set igmp receiver on page 436

show igmp statistics
Displays IGMP statistics.
Mrouter-Sol 50 101 DVMRP 4 4 PIM V1 0 0 PIM V2 0 0 Topology notifications: 0 Packets with unknown IGMP type: 0 Packets with bad length: 0 Packets with bad checksum: 0 Packets dropped: 4 0 0 0 0
Table 57 describes the fields in this display.
Table 57. Output for show igmp statistics
Field    Description
IGMP statistics for vlan
    VLAN name. Statistics are listed separately for each VLAN.
IGMP message type
    Type of IGMP message, continued:
    • Mrouter-Term—Multicast router termination messages. A multicast router sends this type of message when multicast forwarding is disabled on the router interface, the router interface is administratively disabled, or the router itself is gracefully shut down.
    • Mrouter-Sol—Multicast router solicitation messages.
Packets with unknown IGMP type
    Number of multicast packets received with an unrecognized multicast type.
Packets with bad length
    Number of packets with an invalid length.
Packets with bad IGMP checksum
    Number of packets with an invalid IGMP checksum value.
Packets dropped
    Number of multicast packets dropped by the UNIVERGE WL Controller.

14 Security ACL Commands

Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering. (Security ACLs are different from the location policy on a UNIVERGE WL Controller, which helps you locally control user access.

clear security acl
Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit buffer. When used with the command commit security acl, clears the ACE from the running configuration.
Syntax
    clear security acl {acl-name | all} [editbuffer-index]
acl-name
    Name of an existing security ACL to clear. ACL names start with a letter and are case-insensitive.
all
    Clears all security ACLs.
set security acl ip acl_135 (hits #2 0)
---------------------------------------------------------
1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
PROMPT# clear security acl acl_133
PROMPT# commit security acl acl_133
configuration accepted
PROMPT# show security acl info all
ACL information for all
set security acl ip acl_134 (hits #3 0)
---------------------------------------------------------
1. permit IP source IP 192.168.0.1 0.0.0.
clear security acl map

Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on a UNIVERGE WL Controller.

Note. Security ACLs are applied to users or groups dynamically via the Filter-Id attribute.
  ap ap-num
    One or more UNIVERGE WL Access Points, based on their connection IDs. Specify a single connection ID, or specify a comma-separated list of connection IDs, a hyphen-separated range, or any combination, with no spaces. UNIVERGE WL Control System removes the security ACL from the specified UNIVERGE WL Access Points.
  in
    Removes the security ACL from traffic coming into the UNIVERGE WL Controller.
commit security acl

Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the UNIVERGE WL Controller. Or, when used with the clear security acl command, commit security acl deletes a security ACL, or all security ACLs, from the running configuration and nonvolatile storage.

Syntax: commit security acl {acl-name | all}
  acl-name
    Name of an existing security ACL to commit.
See Also
• clear security acl on page 454
• rollback security acl on page 459
• set security acl on page 460
• show security acl on page 470
• show security acl info on page 473

rollback security acl

Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled back to its state after the last commit security acl command was entered. All uncommitted ACLs in the edit buffer are cleared.
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
PROMPT# rollback security acl acl_122
PROMPT# show security acl info all editbuffer
ACL edit-buffer information for all

See Also
• show security acl on page 470

set security acl

In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE) to a security ACL, and/or reorders ACEs in the ACL.
By ICMP packets
  set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr mask | any} {destination-ip-addr mask | any} [type icmp-type] [code icmp-code] [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]

By TCP packets
  set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask | any [operator port [port2]]} {destination-ip-addr mask | any [operator port [port2]]} [[precedence p
  cos cos
    For permitted packets, a class-of-service (CoS) level for packet handling. Specify a value from 0 through 7:
    • 1 or 2—Background. Packets are queued in UNIVERGE WL Access Points forwarding queue 4.
    • 0 or 3—Best effort. Packets are queued in UNIVERGE WL Access Points forwarding queue 3.
    • 4 or 5—Video. Packets are queued in UNIVERGE WL Access Points forwarding queue 2.
  operator port [port2]
    Operand and port number(s) for matching TCP or UDP packets to the number of the source or destination port on source-ip-addr or destination-ip-addr. Specify one of the following operands and the associated port:
    • eq—Packets are filtered for only port number.
    • gt—Packets are filtered for all ports that are greater than port number.
    • lt—Packets are filtered for all ports that are less than port number.
  precedence precedence
    Filters packets by precedence level. Specify a value from 0 through 7:
    • 0—routine precedence
    • 1—priority precedence
    • 2—immediate precedence
    • 3—flash precedence
    • 4—flash override precedence
    • 5—critical precedence
    • 6—internetwork control precedence
    • 7—network control precedence
  tos tos
    Filters packets by type of service (TOS) level. Specify one of the following values, or any sum of these values up to 15.
  modify editbuffer-index
    Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use show security acl editbuffer.)
  hits
    Tracks the number of packets that are filtered based on a security ACL, for all mappings.
The following command creates acl_125 by defining an ACE that denies TCP packets from source IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and counts the hits:

PROMPT# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2 0.0.0.0 established hits

The following command adds an ACE to acl_125 that denies TCP packets from source IP address 192.168.1.1 to destination IP address 192.168.1.
set security acl map

Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or UNIVERGE WL Access Points on the UNIVERGE WL Controller.

Note. To assign a security ACL to a user or group in the local UNIVERGE WL Controller database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute.
  in
    Assigns the security ACL to traffic coming into the UNIVERGE WL Controller.
  out
    Assigns the security ACL to traffic coming from the UNIVERGE WL Controller.

Defaults: None.
Access: Enabled.
Usage: Before you can map a security ACL, you must use the commit security acl command to save the ACL in the running configuration and nonvolatile storage.
set security acl hit-sample-rate

Specifies the time interval, in seconds, at which the packet counter for each security ACL is sampled for display. The counter counts the number of packets filtered by the security ACL—or “hits.”

Syntax: set security acl hit-sample-rate seconds
  seconds
    Number of seconds between samples. A sample rate of 0 (zero) disables the sample process.

Defaults: By default, the hits are not sampled.
Access: Enabled.
show security acl

Displays a summary of the security ACLs that are mapped.

Syntax: show security acl
Defaults: None.
Access: Enabled.
Usage: This command lists only the ACLs that have been mapped to something (a user, or VLAN, or port, and so on). To list all committed ACLs, use the show security acl info command. To list ACLs that have not yet been committed, use the show security acl editbuffer command.
show security acl editbuffer

Displays a summary of the security ACLs that have not yet been committed to the configuration.

Syntax: show security acl [info all] editbuffer
  info all
    Displays the ACEs in each uncommitted ACL. Without this option, only the ACE names are listed.

Defaults: None.
Access: Enabled.
• show security acl info on page 473

show security acl hits

Displays the number of packets filtered by security ACLs (“hits”) on the UNIVERGE WL Controller. Each time a packet is filtered by a security ACL, the hit counter increments.

Syntax: show security acl hits
Defaults: None.
Access: Enabled.
Usage: For UNIVERGE WL Control System to count hits for a security ACL, you must specify hits in the set security acl commands that define ACE rules for the ACL.
show security acl info

Displays the contents of a specified security ACL or all security ACLs that are committed—saved in the running configuration and nonvolatile storage—or the contents of security ACLs in the edit buffer before they are committed.

Syntax: show security acl info [acl-name | all] [editbuffer]
  acl-name
    Name of an existing security ACL to display. ACL names must start with a letter and are case-insensitive.
set security acl ip acl_123 (ACEs 3, add 3, del 0, modified 0)
--------------------------------------------------------
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.1.234 255.255.255.
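How the three ACEs of acl_123 shown above would be evaluated against a packet, as an added Python example that is not part of the NEC manual. It assumes the mask is a wildcard mask (1 bits are ignored), which is what the manual's single-host examples with mask 0.0.0.0 imply, and that ACEs are checked in index order with the first match deciding; ACE 3 is taken in its complete form from the rollback security acl example, and ACE 4 is constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

ALL_ONES = 0xFFFFFFFF

# ACE lines as printed by "show security acl info", taken from the manual's
# acl_123 sample output (ACE 3 in its untruncated form).
SAMPLE_ACL_123 = """\
1. permit IP source IP 192.168.1.11 0.0.0.255 destination IP any enable-hits
2. deny IP source IP 192.168.2.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
"""
# Constructed extra ACE, not from the manual, used to show shadowing.
CONSTRUCTED_ACE_4 = "4. permit IP source IP 10.0.0.5 0.0.0.0 destination IP any\n"

_ADDR = r"(?:any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
_ACE_RE = re.compile(
    rf"^\s*(?P<index>\d+)\.\s+(?P<action>permit|deny)\s+(?P<kind>\S+)"
    rf"\s+source IP\s+(?P<src>{_ADDR})"
    rf"(?:\s+destination IP\s+(?P<dst>{_ADDR}))?"
    rf"(?P<hits>\s+enable-hits)?\s*$"
)


class Selector(NamedTuple):
    addr: int
    wildcard: int  # assumption: 1 bits are "don't care" (wildcard mask)

    def matches(self, ip: str) -> bool:
        candidate = int(ipaddress.IPv4Address(ip))
        care = ~self.wildcard & ALL_ONES
        return ((candidate ^ self.addr) & care) == 0


class Ace(NamedTuple):
    index: int
    action: str
    src: Selector
    dst: Selector
    count_hits: bool


def _selector(text: Optional[str]) -> Selector:
    # "any", or an ACE printed without a destination clause, matches every address.
    if text is None or text == "any":
        return Selector(0, ALL_ONES)
    addr, mask = text.split()
    return Selector(int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask)))


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered ACE lines into Ace tuples, ordered by index."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        aces.append(Ace(int(m["index"]), m["action"], _selector(m["src"]),
                        _selector(m["dst"]), m["hits"] is not None))
    return sorted(aces, key=lambda ace: ace.index)


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Return the first ACE matching the packet, or None when no ACE matches."""
    for ace in aces:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace
    return None


def match_everything(aces: List[Ace]) -> List[int]:
    """Indexes of ACEs whose source and destination ignore every address bit."""
    return [a.index for a in aces
            if a.src.wildcard == ALL_ONES and a.dst.wildcard == ALL_ONES]


def _covers(earlier: Selector, later: Selector) -> bool:
    # earlier covers later when it cares about no bit that later ignores and
    # both agree on every bit earlier cares about.
    care_e = ~earlier.wildcard & ALL_ONES
    care_l = ~later.wildcard & ALL_ONES
    return (care_e & ~care_l & ALL_ONES) == 0 and ((earlier.addr ^ later.addr) & care_e) == 0


def unreachable(aces: List[Ace]) -> List[int]:
    """Indexes of ACEs that an earlier ACE always matches first."""
    hidden = []
    for pos, later in enumerate(aces):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst) for e in aces[:pos]):
            hidden.append(later.index)
    return hidden


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL_123 + CONSTRUCTED_ACE_4)
    for src in ("192.168.1.234", "192.168.2.11", "10.0.0.5"):
        hit = first_match(acl, src, "10.0.0.9")
        print(src, "->", (hit.index, hit.action) if hit else None)
    print("match-everything ACEs:", match_everything(acl))
    print("unreachable ACEs:", unreachable(acl))
```

Under these assumptions, host 192.168.1.234 is permitted by ACE 1 before ACE 3 is ever consulted, and ACE 3's mask of 255.255.255.255 makes it a catch-all that hides every ACE added after it.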
show security acl resource-usage

Displays statistics about the resources used by security ACL filtering on the UNIVERGE WL Controller.

Syntax: show security acl resource-usage
Defaults: None.
Access: Enabled.
Usage: Use this command with the help of the UNIVERGE WL Control System to diagnose an ACL resource problem.
Static default action      : False
No per-user (MAC) mapping  : True
Out mapping                : False
In mapping                 : True
No VLAN or PORT mapping    : False
No VPORT mapping           : True

Table 58 explains the fields in the show security acl resource-usage output.

Table 58. show security acl resource-usage Output

Field    Description
Number of rules
  Number of security ACEs currently mapped to ports or VLANs.
Number of leaf nodes
  Number of security ACL data entries stored in the rule tree.
Leaves in secondary
  Number of ACL data entries stored in secondary leaf memory.
Sum node depth
  Total number of security ACL data entries.
Fragmentation control
  Control value for handling fragmented IP packets.
  Note: The UNIVERGE WL Control System filters only the first packet of a fragmented IP packet and passes the remaining fragments.
Non-IP rules
  Non-IP security ACE mapping on the UNIVERGE WL Controller:
  • True—Non-IP security ACEs are mapped.
  • False—Only IP security ACEs are mapped.
  Note: UNIVERGE WL Control System supports security ACEs for IP only.
Root in first
  Leaf buffer allocation:
  • True—Enough primary leaf buffers are allocated in nonvolatile memory to accommodate all leaves.
No VLAN or PORT mapping
  Application of security ACLs to UNIVERGE WL Controller VLANs or ports on the UNIVERGE WL Controller:
  • True—No security ACLs are mapped to VLANs or ports.
  • False—Security ACLs are mapped to VLANs or ports.
15 Cryptography Commands

A digital certificate is a form of electronic identification for computers. The UNIVERGE WL Controller requires digital certificates to authenticate its communications to UNIVERGE WLMS and WebView, to Web Authentication clients, and to Extensible Authentication Protocol (EAP) clients for which the UNIVERGE WL performs all EAP processing. Certificates can be generated on the UNIVERGE WL or obtained from a certificate authority (CA).
  crypto ca-certificate on page 482
  show crypto ca-certificate on page 494
  crypto certificate on page 483
  show crypto certificate on page 495
PKCS #12 Certificate
  crypto otp on page 491
  crypto pkcs12 on page 492
Self-Signed Certificate
  crypto generate self-signed on page 489

crypto ca-certificate

Installs a certificate authority’s own PKCS #7 certificate into the UNIVERGE WL Controller certificate and key storage area.
Defaults: None.
Access: Enabled.
Usage: The Privacy-Enhanced Mail protocol (PEM) format is used for representing a PKCS #7 certificate in ASCII text. PEM uses base64 encoding to convert the certificate to ASCII text, then puts the encoded text between the following delimiters:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

To use this command, you must already have obtained a copy of the certificate authority’s certificate as a PKCS #7 object file.
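A pre-flight check for a PEM block before it is pasted into crypto ca-certificate or crypto certificate, as an added Python example that is not part of the NEC manual. The function names and the sample payload are constructed for illustration; the check covers the PEM framing described above and the outer DER length only, not the certificate contents.

```python
import base64
import binascii
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 #]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_total_length(der: bytes) -> int:
    """Return header + content size announced by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text: str, expected_label: str = "CERTIFICATE") -> bytes:
    """Validate delimiters, base64 body and outer DER length; return the DER bytes."""
    blocks = list(_PEM_RE.finditer(text))
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    block = blocks[0]
    if block["label"] != expected_label:
        raise ValueError(f"unexpected PEM label {block['label']!r}")
    body = "".join(block["body"].split())   # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match payload size (truncated or padded paste)")
    return der


def make_sample_pem() -> str:
    """Constructed sample: a 200-byte DER SEQUENCE of filler bytes, not a real certificate."""
    content = bytes(range(200))
    der = b"\x30\x81" + bytes([len(content)]) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = make_sample_pem()
    print("intact block:", len(check_pem(sample)), "DER bytes")
    # A delimiter that lost a dash, as happens when text is copied from a PDF.
    damaged = sample.replace("-----BEGIN CERTIFICATE-----", "-----BEGIN CERTIFICATE----")
    try:
        check_pem(damaged)
    except ValueError as exc:
        print("damaged block rejected:", exc)
```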
Syntax: crypto certificate {admin | eap | web} PEM-formatted certificate
  admin
    Stores the certificate authority’s administrative certificate, which authenticates the UNIVERGE WL Controller to UNIVERGE WLMS or WebView.
  eap
    Stores the certificate authority’s Extensible Authentication Protocol (EAP) certificate, which authenticates the UNIVERGE WL Controller to 802.1X supplicants (clients).
-----BEGIN CERTIFICATE-----
MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU
EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
.....
  web
    Generates an administrative key pair for authenticating the UNIVERGE WL Controller to Web Authentication clients.
  128 | 512 | 1024 | 2048
    Length of the key pair in bits.
    Note: The minimum key length for SSH is 1024. The length 128 applies only to domain and is the only valid option for it.

Defaults: None.
Access: Enabled.
Usage: You can overwrite a key by generating another key of the same type.
Syntax: crypto generate request {admin | eap | web}
  admin
    Generates a request for an administrative certificate to authenticate the UNIVERGE WL Controller to UNIVERGE WLMS or WebView.
  eap
    Generates a request for an EAP certificate to authenticate the UNIVERGE WL Controller to 802.1X supplicants (clients).
  web
    Generates a request for a Web Authentication certificate to authenticate the UNIVERGE WL Controller to Web Authentication clients.
Access: Enabled.
Usage: To use this command, you must already have generated a public-private encryption key pair with the crypto generate key command. Enter crypto generate request admin, crypto generate request eap, or crypto generate request web and press Enter. When you are prompted, type the identifying values in the fields, or press Enter if the field is optional. You must enter a common name for the UNIVERGE WL Controller.
crypto generate self-signed

Generates a self-signed certificate for either an administrative certificate for use with UNIVERGE WLMS or an EAP certificate for use with 802.1X wireless users.

Syntax: crypto generate self-signed {admin | eap | web}
  admin
    Generates an administrative certificate to authenticate the UNIVERGE WL Controller to UNIVERGE WLMS or WebView.
  eap
    Generates an EAP certificate to authenticate the UNIVERGE WL Controller to 802.
  Common Name string
    Specify a unique name for the UNIVERGE WL Controller, in up to 80 alphanumeric characters with no spaces. Use a fully qualified name if such names are supported on your network. This field is required.
    Note: If you are generating a Web Authentication (web) certificate, use a common name that looks like a domain name (two or more strings connected by dots, with no spaces). For example, use common.name instead of common name.
crypto otp

Sets a one-time password (OTP) for use with the crypto pkcs12 command.

Syntax: crypto otp {admin | eap | web} one-time-password
  admin
    Creates a one-time password for installing a PKCS #12 object file for an administrative certificate and key pair—and optionally the certificate authority’s own certificate—to authenticate the UNIVERGE WL Controller to UNIVERGE WLMS or WebView.
Defaults: None.
Access: Enabled.
Usage: The password allows the public-private key pair and certificate to be installed together from the same PKCS #12 object file. UNIVERGE WL Control System erases the one-time password after processing the crypto pkcs12 command or when you reboot the UNIVERGE WL Controller. UNIVERGE WL Control System recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack.
  web
    Unpacks a PKCS #12 object file for a Web Authentication certificate and key pair—and optionally the certificate authority’s own certificate—for authenticating the UNIVERGE WL Controller to Web Authentication clients.
  file-location-url
    Location of the PKCS #12 object file to be installed. Specify a location of between 1 and 128 alphanumeric characters, with no spaces.
show crypto ca-certificate

Displays information about the certificate authority’s PEM-encoded PKCS #7 certificate.

Syntax: show crypto ca-certificate {admin | eap | web}
  admin
    Displays information about the certificate authority’s certificate that signed the administrative certificate for the UNIVERGE WL Controller. The administrative certificate authenticates the UNIVERGE WL Controller to UNIVERGE WLMS or WebView.
Table 59. show crypto ca-certificate Output

Fields    Description
Version
  Version of the X.509 certificate.
Serial Number
  A unique identifier for the certificate or signature.
Subject
  Name of the certificate owner.
Signature Algorithm
  Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer
  Certificate authority that issued the certificate or signature.
Validity
  Time period for which the certificate is valid.
Access: Enabled.
Usage: You must have generated a self-signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate.
Examples: To display information about a cryptographic certificate, type the following command:

PROMPT# show crypto certificate eap

Table 60 describes the fields of the display.

Table 60. crypto certificate Output

Fields    Description
Version
  Version of the X.509 certificate.
show crypto key ssh

Displays SSH authentication key information. This command displays the checksum (also called a fingerprint) of the public key. When you connect to the UNIVERGE WL Controller with an SSH client, you can compare the SSH key checksum displayed by the UNIVERGE WL Controller with the one displayed by the client to verify that you really are connected to the UNIVERGE WL Controller and not another device.
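Computing the fingerprint of the host key an SSH client has recorded, so it can be compared with the checksum the controller displays, as an added Python example that is not part of the NEC manual. The text above does not say which fingerprint format the controller prints, so the example assumes one of the two forms OpenSSH clients show (colon-separated MD5 hex, or SHA256 in base64); the public key line is a constructed, structurally valid blob and not a real key.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_constructed_pubkey_line() -> str:
    """Constructed 'ssh-rsa' public key line (filler modulus, for illustration only)."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + bytes(range(1, 129))))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-example"


def key_blob(pubkey_line: str) -> bytes:
    """Decode '<algorithm> <base64> [comment]' and check the embedded algorithm name."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64-key> [comment]'")
    algorithm, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != algorithm:
        raise ValueError("algorithm name inside the key blob does not match the line prefix")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def same_fingerprint(displayed: str, pubkey_line: str) -> bool:
    """True when the fingerprint shown by the device matches the client's recorded key."""
    blob = key_blob(pubkey_line)
    shown = displayed.strip()
    if shown.upper().startswith("SHA256:"):
        # Base64 is case-sensitive: normalise only the prefix and padding.
        shown = "SHA256:" + shown[7:].rstrip("=")
        return hmac.compare_digest(shown.encode(), fingerprint_sha256(blob).encode())
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    # Hex digits compare case-insensitively.
    return hmac.compare_digest(shown.lower().encode(), fingerprint_md5(blob).encode())


if __name__ == "__main__":
    line = make_constructed_pubkey_line()
    blob = key_blob(line)
    print("MD5   :", fingerprint_md5(blob))
    print("SHA256:", fingerprint_sha256(blob))
    print("match :", same_fingerprint(fingerprint_md5(blob).upper(), line))
```

The input is a public key line in `<algorithm> <base64> [comment]` form; for a known_hosts entry, drop the leading host field first.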
16 RADIUS and Server Groups Commands

Use RADIUS commands to set up communication between a UNIVERGE WL Controller and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users. This chapter presents RADIUS commands alphabetically. Use the following table to locate commands in this chapter based on their uses.
clear radius

Resets parameters that were globally configured for RADIUS servers to their default values.

Syntax: clear radius {deadtime | key | retransmit | timeout}
  deadtime
    Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server.
  key
    Password (shared secret key) used to authenticate to the RADIUS server.
  retransmit
    Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable.
success: change accepted.
PROMPT# clear radius timeout
success: change accepted.

See Also
• set radius on page 503
• set radius server on page 506
• show aaa on page 240

clear radius client system-ip

Removes the UNIVERGE WL Controller's system IP address from use as the permanent source address in RADIUS client requests from the UNIVERGE WL Controller to its RADIUS server(s).

Syntax: clear radius client system-ip
Defaults: None.
Access: Enabled.
clear radius server

Removes the named RADIUS server from the UNIVERGE WL Controller configuration.

Syntax: clear radius server server-name
  server-name
    Name of a RADIUS server configured to perform remote AAA services for the UNIVERGE WL Controller.

Defaults: None.
Access: Enabled.
Examples: The following command removes the RADIUS server rs42 from a list of remote AAA servers:

PROMPT# clear radius server rs42
success: change accepted.
Access: Enabled.
Usage: Deleting a server group removes the server group from the configuration. However, the members of the server group remain.
Examples: To remove the server group sg-77, type the following command:

PROMPT# clear server group sg-77
success: change accepted.

To disable load balancing in a server group shorebirds, type the following command:

PROMPT# set server group shorebirds load-balance disable
success: change accepted.
Syntax: set radius {deadtime minutes | encrypted-key string | key string | retransmit number | timeout seconds}
  deadtime minutes
    Number of minutes the UNIVERGE WL Controller waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server. You can specify from 0 to 1440 minutes.
  encrypted-key string
    Password (shared secret key) used to authenticate to the RADIUS server, entered in its encrypted form.
  retransmit number
    Number of transmission attempts the UNIVERGE WL Controller makes before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.
  timeout seconds
    Number of seconds the UNIVERGE WL Controller waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535.
set radius client system-ip

Causes all RADIUS requests to be sourced from the IP address specified by the set system ip-address command, providing a permanent source IP address for RADIUS packets sent from the UNIVERGE WL Controller.

Syntax: set radius client system-ip
Defaults: None. If you do not use this command, RADIUS packets leaving the UNIVERGE WL Controller have the source IP address of the outbound interface, which can change as routing conditions change.
  address ip-address
    IP address of the RADIUS server. Enter the address in dotted decimal notation.
  auth-port port-number
    UDP port that the UNIVERGE WL Controller uses for authentication and authorization.
  acct-port port-number
    UDP port that the UNIVERGE WL Controller uses for accounting.
  timeout seconds
    Number of seconds the UNIVERGE WL Controller waits for the RADIUS server to respond before retransmitting. You can specify from 1 to 65,535 seconds.
• auth-port—UDP port 1812
• acct-port—UDP port 1813
• timeout—5 seconds
• retransmit—3 (the total number of attempts, including the first attempt)
• deadtime—0 (zero) minutes (The UNIVERGE WL Controller does not designate unresponsive RADIUS servers as unavailable.)
• key—No key
• encrypted-key—No key
• author-password—No Password

Access: Enabled.
• set radius on page 503
• set server group on page 509
• show aaa on page 240

set server group

Configures a group of one to four RADIUS servers.

Syntax: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4]
  group-name
    Server group name of up to 32 characters, with no spaces or tabs.
  members server-name1 server-name2 server-name3 server-name4
    The names of one or more configured RADIUS servers.
• show aaa on page 240

set server group load-balance

Enables or disables load balancing among the RADIUS servers in a server group.

Syntax: set server group group-name load-balance {enable | disable}
  group-name
    Server group name of up to 32 characters.
  load-balance enable | disable
    Enables or disables load balancing of authentication requests among the servers in the group.

Defaults: Load balancing is disabled by default.
Access: Enabled.
See Also
• clear server group on page 502
• clear radius server on page 502
• set server group on page 509
• show aaa on page 240
17 802.1X Management Commands

Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on a UNIVERGE WL Controller. For best results, change the settings only if you are aware of a problem with 802.1X performance on the UNIVERGE WL Controllers. This chapter presents 802.1X commands alphabetically. Use the following table to locate commands in this chapter based on their use. For information about configuring 802.
  set dot1x reauth-period on page 522
  clear dot1x reauth-period on page 516
Retransmission
  set dot1x max-req on page 520
  clear dot1x max-req on page 515
Quiet Period and Timeouts
  set dot1x quiet-period on page 520
  clear dot1x quiet-period on page 515
  set dot1x timeout auth-server on page 523
  clear dot1x timeout auth-server on page 517
  set dot1x timeout supplicant on page 524
  clear dot1x timeout supplicant on page 517
Settings, Active Clients, an
  show dot1x on page 526
clear dot1x max-req

Resets to the default setting the number of Extensible Authentication Protocol (EAP) requests that the UNIVERGE WL Controller retransmits to a supplicant (client).

Syntax: clear dot1x max-req
Defaults: The default number is 20.
Access: Enabled.
Examples: To reset the number of 802.1X requests the UNIVERGE WL Controller can send to the default setting, type the following command:

PROMPT# clear dot1x max-req
success: change accepted.
clear dot1x reauth-max

Resets the maximum number of reauthorization attempts to the default setting.

Syntax: clear dot1x reauth-max
Defaults: The default is 2 attempts.
Access: Enabled.
Examples: Type the following command to reset the maximum number of reauthorization attempts to the default:

PROMPT# clear dot1x reauth-max
success: change accepted.
clear dot1x timeout auth-server

Resets to the default setting the number of seconds that must elapse before the UNIVERGE WL Controller times out a request to a RADIUS server.

Syntax: clear dot1x timeout auth-server
Defaults: The default is 30 seconds.
Access: Enabled.
Examples: To reset the default timeout for requests to an authentication server, type the following command:

PROMPT# clear dot1x timeout auth-server
success: change accepted.
clear dot1x tx-period

Resets to the default setting the number of seconds that must elapse before the UNIVERGE WL Controller retransmits an EAP over LAN (EAPoL) packet.

Syntax: clear dot1x tx-period
Defaults: The default is 5 seconds.
Access: Enabled.
Examples: Type the following command to reset the EAPoL retransmission time:

PROMPT# clear dot1x tx-period
success: change accepted.
Usage: Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter. UNIVERGE WL Control System recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.
Examples: Type the following command to enable key transmission:

PROMPT# set dot1x key-tx enable
success: dot1x key transmission enabled.

See Also
• show dot1x on page 526

set dot1x max-req

Sets the maximum number of times the UNIVERGE WL Controller retransmits an EAP request to a supplicant (client) before ending the authentication session.

Syntax: set dot1x max-req number-of-retransmissions
  number-of-retransmissions
    Specify a value between 0 and 10.
Syntax: set dot1x quiet-period seconds
  seconds
    Specify a value between 0 and 65,535.

Defaults: The default is 60 seconds.
Access: Enabled.
Examples: Type the following command to set the quiet period to 90 seconds:

PROMPT# set dot1x quiet-period 90
success: dot1x quiet period set to 90.
• show dot1x on page 526

set dot1x reauth-max

Sets the number of reauthentication attempts that the UNIVERGE WL Controller makes before the supplicant (client) becomes unauthorized.

Syntax: set dot1x reauth-max number-of-attempts
  number-of-attempts
    Specify a value between 1 and 10.

Defaults: The default number of reauthentication attempts is 2.
Access: Enabled.
Access: Enabled.
Usage: You also can use the RADIUS session-timeout attribute to set the reauthentication timeout for a specific client. In this case, UNIVERGE WL Control System uses the timeout that has the lower value. If the session-timeout is set to fewer seconds than the global reauthentication timeout, UNIVERGE WL Control System uses the session-timeout for the client.
set dot1x timeout supplicant

Sets the number of seconds that must elapse before the UNIVERGE WL Controller times out an authentication session with a supplicant (client).

Syntax: set dot1x timeout supplicant seconds
  seconds
    Specify a value between 1 and 65,535.

Defaults: The default is 30 seconds.
Access: Enabled.
success: dot1x tx-period set to 300.

See Also
• clear dot1x tx-period on page 518
• show dot1x on page 526

set dot1x wep-rekey

Enables or disables Wired Equivalent Privacy (WEP) rekeying for broadcast and multicast encryption keys.

Syntax: set dot1X wep-rekey {enable | disable}
  enable
    Causes the broadcast and multicast keys for WEP to be rotated at an interval set by the set dot1x wep-rekey-period for each radio, associated VLAN, and encryption type.
set dot1x wep-rekey-period

Sets the interval for rotating the WEP broadcast and multicast keys.

Syntax: set dot1x wep-rekey-period seconds
  seconds
    Specify a value between 30 and 1,641,600 (19 days).

Defaults: The default is 1800 seconds (30 minutes).
Access: Enabled.
Examples: Type the following command to display the 802.
Enters Connecting:              709
Logoffs While Connecting:       112
Enters Authenticating:          467
Success While Authenticating:   0
Timeouts While Authenticating:  52
Failures While Authenticating:  0
Reauths While Authenticating:   0
Starts While Authenticating:    31
Logoffs While Authenticating:   0
Starts While Authenticated:     85
Logoffs While Authenticated:    1
Bad Packets Received:           0

Table 61 explains the counters in the show dot1x stats output.

Table 61.
Table 61. show dot1x stats Output

Field    Description
Reauths While Authenticating
  Number of times that the UNIVERGE WL Controller state wildcard transitions from AUTHENTICATING to ABORTING, as a result of a reauthentication request (reAuthenticate = TRUE).
Starts While Authenticating
  Number of times that the UNIVERGE WL Controller state wildcard transitions from AUTHENTICATING to ABORTING, as a result of an EAPoL-Start message being received from the Supplicant (client).
18 Session Management Commands

Use session management commands to display and clear administrative and network user sessions. This chapter presents session management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
  telnet
    Clears sessions for all users with administrative access to the UNIVERGE WL Controller through a Telnet connection.
  telnet client [session-id]
    Clears all Telnet client sessions from the CLI to remote devices, or clears an individual session identified by session ID.
  mesh-ap [session-id]
    Note: This parameter is not supported.

Defaults: None.
Access: Enabled.
Syntax: clear sessions network {user user-glob | mac-addr mac-addr-glob | vlan vlan-glob | session-id local-session-id}
  user user-glob
    Clears all network sessions for a single user or set of users. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.).
To clear session 9, type the following command:

Controller# clear sessions network session-id 9
SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:60:25:09:39:5d, flags 0000012fh, to change state to KILLING
Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING (client=00:60:25:09:39:5d)

To clear the session of user Natasha, type the following command:

Controller# clear sessions network user Natasha

To clear the sessions of users whose name begins with the charact
telnet
    Displays sessions for all users with administrative access to the UNIVERGE WL Controller through a Telnet connection.
telnet client
    Displays Telnet sessions from the CLI to remote devices.

Defaults None.
Access All, except for show sessions telnet client, which has enabled access.
Table 62. show sessions admin, show sessions console, and show sessions telnet Output

Field
    Description
Tty
    The Telnet terminal number, or console for administrative users connected through the console port.
Username
    Up to 30 characters of the name of an authenticated user.
Time (s)
    Number of seconds the session has been active.
Type
    Type of administrative session:
    • Console
    • SSH
    • Telnet

Table 63.
Syntax
show sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id] [verbose]

user user-glob
    Displays all network sessions for a single user or set of users.
Usage
UNIVERGE WL Control System displays information about network sessions in three types of displays. See the following tables for field descriptions.

Summary display
    See Table 64 on page 540.
Verbose display
    See Table 65 on page 541.
show sessions network session-id display
    See Table 66 on page 543.

Authorization attribute values can be changed during authorization.
EXAMPLE\Havel                13*  10.10.10.40       vlan-eng        ap 1/2
2 sessions match criteria (of 3 total)

(Table 64 on page 540 describes the summary displays of show sessions network commands.)

The following command displays verbose output about the sessions of all current network users:

PROMPT> show sessions network verbose
User                         Sess IP or MAC         VLAN            Port/
Name                         ID   Address           Name            Radio
---------------------------- ---- ----------------- --------------- --------
SHUTTLE2\exmpl               3*   10.8.255.
EAP Method: NONE, using server 172.16.0.
Table 65. Additional show sessions network verbose Output

Field
    Description
Client MAC
    MAC address of the session user.
GID
    Global session ID, a unique session number within a Mobility Domain.
State
    Status of the session:
    • AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol.
    • AUTH AND ASSOC—Client is being associated by the 802.1X protocol, and the user is being authenticated.
    • AUTHORIZING—User has been authenticated (for example, by the 802.
Vlan-Name (and other attributes if set)
    Authorization attributes for the user and how they were assigned (the sources of the attribute values). For Vlan-Name, the source of the attribute value can be one of the following:
    • AAA—VLAN is from RADIUS or the local database.
Table 66. show sessions network session-id Output

Field
    Description
State
    Status of the session:
    • AUTH, ASSOC REQ—Client is being associated by the 802.1X protocol.
    • AUTH AND ASSOC—Client is being associated by the 802.1X protocol, and the user is being authenticated.
    • AUTHORIZING—User has been authenticated (for example, by the 802.1X protocol and an AAA method), and is entering AAA authorization.
    • AUTHORIZED—User has been authorized by an AAA method.
Tag
    System-wide supported VLAN tag type.
Session Start
    Indicates when the session started.
Last Auth Time
    Indicates when the most recent authentication of the session occurred.
Last Activity
    Indicates when the last activity (transmission) occurred on the session.
Session Timeout
    Assigned session timeout in seconds.
Number of packets with encryption errors
    Total number of decryption failures.
Number of bytes with encryption errors
    Total number of bytes with decryption errors.
Last packet data rate
    Data transmit rate, in megabits per second (Mbps), of the last packet received by the AP.
Last packet signal strength
    Signal strength, in decibels referred to 1 milliwatt (dBm), of the last packet received by the AP.
19 RF Detection Commands

UNIVERGE WL Control System automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a UNIVERGE WL Control System device and is not a member of the ignore list configured on the seed UNIVERGE WL Controller of the Mobility Domain.
Client Black List
    set rfdetect black-list on page 553
    show rfdetect black-list on page 559
    clear rfdetect black-list on page 549
Attack List
    set rfdetect attack-list on page 552
    show rfdetect attack-list on page 559
    clear rfdetect attack-list on page 548
Ignore List
    set rfdetect ignore on page 554
    show rfdetect ignore on page 568
    clear rfdetect ignore on page 549
UNIVERGE WL Access Points Signatures
    set rfdetect signature on page 556
Log Messages
    set rfdetect lo
See Also
• set rfdetect attack-list on page 552
• show rfdetect attack-list on page 559

clear rfdetect black-list

Removes a MAC address from the client black list.

Syntax
clear rfdetect black-list mac-addr

mac-addr
    MAC address you want to remove from the black list.

Defaults None.
Access Enabled.
Access Enabled.

Examples
The following command removes BSSID aa:bb:cc:11:22:33 from the ignore list for RF scans:

AP clear rfdetect ignore aa:bb:cc:11:22:33
success: aa:bb:cc:11:22:33 is no longer ignored.

See Also
• set rfdetect ignore on page 554
• show rfdetect ignore on page 568

clear rfdetect ssid-list

Removes an SSID from the permitted SSID list.
Syntax
clear rfdetect vendor-list {client | ap} {mac-addr | all}

client | ap
    Specifies whether the entry is for an AP brand or a client brand.
mac-addr | all
    Organizationally Unique Identifier (OUI) to remove.

Defaults None.
Access Enabled.

Examples
The following command removes client OUI aa:bb:cc:00:00:00 from the permitted vendor list:

PROMPT# clear rfdetect vendor-list client aa:bb:cc:00:00:00
success: aa:bb:cc:00:00:00 is no longer in client vendor-list.
Examples
The following command tests the RF link between the UNIVERGE WL Controller and the client with MAC address 00:60:b9:11:ad:13:

PROMPT# rfping mac 00:60:b9:11:ad:13
RF-Link Test to 00:60:b9:11:ad:13 :
Session-Id: 2
Packets Sent Packets Rcvd RSSI    SNR   RTT (micro-secs)
------------ ------------ ------- ----- ----------------
20           20           -68     26    976

Table 67 describes the fields in this display.

Table 67.
Syntax
set rfdetect attack-list mac-addr

mac-addr
    MAC address you want to attack.

Defaults The attack list is empty by default.
Access Enabled.

Usage
The attack list applies only to the UNIVERGE WL Controller on which the list is configured. UNIVERGE WL Controllers do not share attack lists.
Defaults The client black list is empty by default.
Access Enabled.

Usage
In addition to manually configured entries, the list can contain entries added by UNIVERGE WL Control System. UNIVERGE WL Control System can place a client in the black list due to an association, reassociation or disassociation flood from the client. The client black list applies only to the UNIVERGE WL Controller on which the list is configured.
Usage
Use this command to identify third-party APs and other devices you are already aware of and do not want UNIVERGE WL Control System to report following RF scans. If you try to initiate countermeasures against a device on the ignore list, the ignore list takes precedence and UNIVERGE WL Control System does not issue the countermeasures. Countermeasures apply only to rogue devices.
Usage
The log messages for rogues are generated only on the seed and appear only in the seed’s log message buffer. Use the show log buffer command to display the messages in the seed UNIVERGE WL Controller’s log message buffer.

Examples
The following command enables RF detection logging for the Mobility Domain managed by this seed UNIVERGE WL Controller:

Controller# set rfdetect log enable
success: rfdetect logging is enabled.
Examples
The following command enables UNIVERGE WL Access Points signatures on a UNIVERGE WL Controller:

Controller# set rfdetect signature enable
success: signature is now enabled.

set rfdetect ssid-list

Adds an SSID to the permitted SSID list. The permitted SSID list specifies the SSIDs that are allowed on the network. If UNIVERGE WL Control System detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue.
See Also
• clear rfdetect ssid-list on page 550
• show rfdetect ssid-list on page 573

set rfdetect vendor-list

Adds an entry to the permitted vendor list. The permitted vendor list specifies the third-party AP or client vendors that are allowed on the network. UNIVERGE WL Control System does not list a device as a rogue or interfering device if the device’s OUI is in the permitted vendor list.
The trailing 00:00:00 value is required.

See Also
• clear rfdetect vendor-list on page 550
• show rfdetect vendor-list on page 573

show rfdetect attack-list

Displays information about the MAC addresses in the attack list.

Syntax
show rfdetect attack-list

Defaults None.
Access Enabled.
Examples
The following example shows the client black list on UNIVERGE WL Controller:

PROMPT# show rfdetect black-list
Total number of entries: 1
Blacklist MAC     Type              Port    TTL
----------------- ----------------- ------- ---
11:22:33:44:55:66 configured
11:23:34:45:56:67 assoc req flood   3       25

See Also
• clear rfdetect black-list on page 549
• set rfdetect black-list on page 553

show rfdetect clients

Displays the wireless clients detected by a UNIVERGE WL Controller.
The following command displays more details about a specific client:

PROMPT# show rfdetect clients mac 00:0c:41:63:fd:6d
Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys
Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84
Bssid: 00:0b:0e:01:02:00, Vendor: NEC, Type: intfr, Dst: ff:ff:ff:ff:ff:ff
Last Rogue Status Check (secs ago): 3

The first line lists information for the client. The other lines list information about the most recent 802.
Table 68. show rfdetect clients Output

Field
    Description
Type
    Classification of the rogue device:
    • rogue—Wireless device that is on the network but is not supposed to be on the network.
    • intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with UNIVERGE WL Access Points radios.
    • known—Device that is a legitimate member of the network.
Table 69. show rfdetect clients mac Output

Field
    Description
Type
    Classification of the rogue device:
    • rogue—Wireless device that is on the network but is not supposed to be on the network.
    • intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with UNIVERGE WL Access Points radios.
    • known—Device that is a legitimate member of the network.
Dst
    MAC address to which the last 802.
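The per-client display above is easy to read but awkward to feed into a log pipeline, because Vendor appears twice (once for the client, once for the BSSID). The following parser is an added example, not part of the NEC manual: it turns the display into a structured record and lists sightings whose Type is rogue or intfr. The line breaks in the sample and the possibility of more than one Port/Bssid pair are assumptions.

```python
import re

# Display copied from the "show rfdetect clients mac" example on this page.
# The line breaks are an assumption; the page shows the output run together.
SAMPLE = """\
Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys
Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen (secs ago): 84
Bssid: 00:0b:0e:01:02:00, Vendor: NEC, Type: intfr, Dst: ff:ff:ff:ff:ff:ff
Last Rogue Status Check (secs ago): 3
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
INT_FIELDS = {"Radio", "Channel", "RSSI", "Rate",
              "Last Seen (secs ago)", "Last Rogue Status Check (secs ago)"}
MAC_FIELDS = {"Client Mac Address", "Bssid", "Dst"}


def _pairs(line):
    """Split one display line into (key, value) pairs, validating MACs and integers."""
    out = []
    for chunk in line.strip().split(", "):
        key, sep, value = chunk.partition(": ")
        if not sep:
            raise ValueError(f"not a 'key: value' field: {chunk!r}")
        key, value = key.strip(), value.strip()
        if key in MAC_FIELDS and not MAC_RE.match(value):
            raise ValueError(f"bad MAC address in {key}: {value!r}")
        out.append((key, int(value) if key in INT_FIELDS else value))
    return out


def parse_client_detail(text):
    """Return {'client': {...}, 'sightings': [{...}], <trailing fields>}."""
    record = {"client": {}, "sightings": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = _pairs(line)
        first_key = fields[0][0]
        if first_key == "Client Mac Address":
            record["client"] = dict(fields)
        elif first_key == "Port":
            record["sightings"].append(dict(fields))
        elif first_key == "Bssid":
            if not record["sightings"]:
                raise ValueError("Bssid line without a preceding Port line")
            # On this line 'Vendor' is the BSSID's vendor, not the client's.
            renamed = [("Bssid Vendor" if k == "Vendor" else k, v) for k, v in fields]
            record["sightings"][-1].update(renamed)
        else:
            record.update(fields)
    if not record["client"]:
        raise ValueError("no 'Client Mac Address' line found")
    return record


def triage(record):
    """List (client MAC, BSSID, Type) for sightings typed rogue or intfr."""
    mac = record["client"]["Client Mac Address"]
    return [(mac, s.get("Bssid"), s.get("Type"))
            for s in record["sightings"] if s.get("Type") in ("rogue", "intfr")]


if __name__ == "__main__":
    rec = parse_client_detail(SAMPLE)
    print(rec)
    print(triage(rec))
```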
PROMPT# show rfdetect countermeasures
Total number of entries: 190
Rogue MAC         Type  Countermeasures   Switch-IPaddr   Port/Radio
                        Radio Mac                         /Channel
----------------- ----- ----------------- --------------- -------------
00:0b:0e:00:71:c0 intfr 00:0b:0e:44:55:66 10.1.1.23       ap 4/1/6
00:0b:0e:03:00:80 rogue 00:0b:0e:11:22:33 10.1.1.23       ap 2/1/11

Table 70 describes the fields in this display.

Table 70.
Syntax
show rfdetect counters

Defaults None.
Access Enabled.

Examples
The following command shows counters for rogue activity detected by a UNIVERGE WL Controller:

PROMPT# show rfdetect counters
Type                                               Current      Total
-------------------------------------------------- ------------ ------------
Rogue access points
Interfering access points
Rogue 802.11 clients
Interfering 802.11 clients
802.11 adhoc clients
Unknown 802.11 clients
Interfering 802.
show rfdetect data

Displays information about the APs detected by a UNIVERGE WL Controller.

Syntax
show rfdetect data

Defaults None.
Access Enabled.

Usage
You can enter this command on any UNIVERGE WL Controller in the Mobility Domain. The output applies only to the UNIVERGE WL Controller on which you enter the command.
Table 71. show rfdetect data Output

Field
    Description
BSSID
    MAC address of the SSID used by the detected device.
Vendor
    Company that manufactures or sells the rogue device.
Type
    Classification of the rogue device:
    • rogue—Wireless device that is not supposed to be on the network. The device has an entry in a UNIVERGE WL Controller FDB and is therefore on the network.
    • intfr—Wireless device that is not part of your network but is not a rogue.
show rfdetect ignore

Displays the BSSIDs of third-party devices that UNIVERGE WL Control System ignores during RF scans. UNIVERGE WL Control System does not generate log messages or traps for the devices in the ignore list.

Syntax
show rfdetect ignore

Defaults None.
Access Enabled.
Usage
This command is valid only on the seed UNIVERGE WL Controller of the Mobility Domain. To display rogue information for an individual UNIVERGE WL Controller, use the show rfdetect data command on that UNIVERGE WL Controller.
    Switch-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac: 00:0b:0e:76:56:82
    Device-type: interfering Adhoc: no Crypto-types: clear
    RSSI: -76 SSID: webaaa

Two types of information are shown. The lines that are not indented show the BSSID, vendor, and information about the SSID. The indented lines that follow this information indicate the listeners (UNIVERGE WL Access Points radios) that detected the SSID.
Table 72 and Table 73 describe the fields in these displays.

Table 72. show rfdetect mobility-domain Output

Field
    Description
BSSID
    MAC address of the SSID used by the detected device.
Vendor
    Company that manufactures or sells the rogue device.
Type
    Classification of the rogue device:
    • rogue—Wireless device that is not supposed to be on the network. The device has an entry in a UNIVERGE WL Controller FDB and is therefore on the network.
Table 73. show rfdetect mobility-domain ssid or bssid Output

Field
    Description
Type
    Classification of the rogue device:
    • rogue—Wireless device that is on the network but is not supposed to be on the network.
    • intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with UNIVERGE WL Access Points radios.
    • known—Device that is a legitimate member of the network.
SSID
    SSID mapped to the BSSID.

See Also
• show rfdetect data on page 566
• show rfdetect visible on page 574

show rfdetect ssid-list

Displays the entries in the permitted SSID list.

Syntax
show rfdetect ssid-list

Defaults None.
Access Enabled.
Syntax
show rfdetect vendor-list

Defaults None.
Access Enabled.
Defaults None.
Access Enabled.

Usage
If a UNIVERGE WL Access Points radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately. To display rogue information for the entire Mobility Domain, use the show rfdetect mobility-domain command on the seed UNIVERGE WL Controller.
Table 74 describes the fields in this display.

Table 74. show rfdetect visible Output

Field
    Description
Transmit MAC
    MAC address of the rogue device that sent the 802.11 packet detected by the UNIVERGE WL Access Points radio.
Vendor
    Company that manufactures or sells the rogue device.
Type
    Classification of the rogue device:
    • rogue—Wireless device that is on the network but is not supposed to be on the network.
20 File Management Commands

Use file management commands to manage system files and to display software and boot information. This chapter presents file management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
System Backup and Restore
    backup on page 578
    restore on page 592

backup

Creates an archive of UNIVERGE WL Control System files and, optionally, user files, in Unix tape archive (tar) format.

Syntax
backup system [tftp:/ip-addr/]filename [all | critical]

[tftp:/ip-addr/]filename
    Name of the archive file to create. You can store the file locally in the UNIVERGE WL Controller’s nonvolatile storage or on a TFTP server.
all
    Backs up system files and all the files in the user files area.
The maximum supported file size is 32 MB. If the file size of the tarball is too large, delete unnecessary files (such as unneeded copies of system image files) and try again, or use the critical option instead of the all option. Neither option archives image files or any other files listed in the Boot section of dir command output. The all option archives image files only if they are present in the user files area.
Syntax
clear boot backup-configuration

Defaults None.
Access Enabled.

Examples
The following command clears the name specified as the backup configuration file from the configuration of the UNIVERGE WL Controller:

PROMPT# clear boot backup-configuration
success: Backup boot config filename was cleared.
copy

Performs the following copy operations:
• Copies a file from a TFTP server to nonvolatile storage.
• Copies a file from nonvolatile storage or temporary storage to a TFTP server.
• Copies a file from one area in nonvolatile storage to another.
• Copies a file to a new filename in nonvolatile storage.

Syntax
copy source-url destination-url

source-url
    Name and location of the file to copy.
Usage
The filename and file:filename URLs are equivalent. You can use either URL to refer to a file in a UNIVERGE WL Controller nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the UNIVERGE WL Controller, you can specify a TFTP server’s hostname as an alternative to specifying the IP address. The tmp:filename URL specifies a file in temporary storage.
The following commands rename test-config to new-config by copying it from one name to the other in the same location, then deleting test-config:

PROMPT# copy test-config new-config
PROMPT# delete test-config
success: file deleted.

The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in a UNIVERGE WL Controller nonvolatile storage:

PROMPT# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.
Syntax
delete url

url
    Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: subdir_a/file_a.

Defaults None.
Access Enabled.

Usage
You might want to copy the file to a TFTP server as a backup before deleting the file.
Syntax
dir [subdirname] | [file:] | [core:] | [boot0:] | [boot1:]

subdirname
    Subdirectory name. If you specify a subdirectory name, the command lists the files in that subdirectory. Otherwise, the command lists the files in the root directory and also lists the subdirectories.
PROMPT# dir old
================================================================================
file:
Filename                  Size          Created
file:configuration.txt    3541 bytes    Sep 22 2003, 22:55:44
file:configuration.
Table 75 describes the fields in the dir output.

Table 75. Output for dir

Field
    Description
Filename
    Filename or subdirectory name. For files, the directory name is shown in front of the filename (for example, file:configuration). The file: directory is the root directory. For subdirectories, a forward slash is shown at the end of the subdirectory name (for example, old/ ).
Syntax
load config [url]

url
    Filename. Specify between 1 and 128 alphanumeric characters, with no spaces. If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: backup_configs/config_c.

Defaults The default file location is nonvolatile storage.

Note. UNIVERGE WL Control System supports loading a configuration file only from the UNIVERGE WL Controller’s nonvolatile storage.
See Also
• save config on page 594
• show boot on page 597
• show config on page 600

md5

Calculates the MD5 checksum for a file in the UNIVERGE WL Controller’s nonvolatile storage.

Syntax
md5 [boot0: | boot1:]filename

boot0: | boot1:
    Boot partition into which you copied the file.
filename
    Name of the file.

Defaults None.
Access Enabled.

Usage
You must include the boot partition name in front of the filename.
Syntax
mkdir [subdirname]

subdirname
    Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.

Defaults None.
Access Enabled.

Examples
The following commands create a subdirectory called corp2 and display the root directory to verify the result:

PROMPT# mkdir corp2
success: change accepted.
reset system

Restarts a UNIVERGE WL Controller and reboots the software.

Syntax
reset system [force]

force
    Immediately restarts the system and reboots, without comparing the running configuration to the configuration file.

Defaults None.
Access Enabled.

Usage
If you do not use the force option, the command first compares the running configuration to the configuration file.
restore

Unzips a system archive created by the backup command and copies the files from the archive onto the UNIVERGE WL Controller.

Syntax

[tftp:/ip-addr/]filename
    Name of the archive file to load. The archive can be located in the UNIVERGE WL Controller’s nonvolatile storage or on a TFTP server.
all
    Restores system files and the user files from the archive.
critical
    Restores system files only, including the configuration file used when booting, and certificate files.
Usage
If a file in the archive has a counterpart on the UNIVERGE WL Controller, the archive version of the file replaces the file on the UNIVERGE WL Controller. The restore command does not delete files that do not have counterparts in the archive. For example, the command does not completely replace the user files area. Instead, files in the archive are added to the user files area. A file in the user area is replaced only if the archive contains a file with the same name.

Note.
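Because restore overwrites same-named files and leaves everything else in place, it is worth knowing which files an archive will replace before loading it. The following is an added example, not part of the NEC manual: it reads a backup tar archive on a management workstation and predicts the outcome from the rules above and the 32 MB limit stated for backup. It assumes that archive member names match the names shown by dir without the file: prefix, and that 32 MB means 32 × 1024 × 1024 bytes; the sample archive and file list are constructed.

```python
import io
import tarfile

# Assumption: the manual's "32 MB" is read as 32 * 1024 * 1024 bytes.
MAX_ARCHIVE_BYTES = 32 * 1024 * 1024


def make_sample_archive(files):
    """Build a constructed tar archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def plan_restore(archive_bytes, on_controller, max_bytes=MAX_ARCHIVE_BYTES):
    """Predict the effect of restoring an archive.

    on_controller maps file names (as listed by dir, without 'file:') to
    their sizes in bytes. Returns a dict with:
      size_ok  - archive is within the supported size
      replaced - (name, size on controller, size in archive) for files that
                 exist in both places and would be overwritten
      added    - names only in the archive, which would be added
      kept     - names only on the controller, which restore leaves alone
    """
    plan = {"size_ok": len(archive_bytes) <= max_bytes,
            "replaced": [], "added": [], "kept": []}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        members = {m.name: m.size for m in tar.getmembers() if m.isfile()}
    for name, size in sorted(members.items()):
        if name in on_controller:
            plan["replaced"].append((name, on_controller[name], size))
        else:
            plan["added"].append(name)
    plan["kept"] = sorted(set(on_controller) - set(members))
    return plan


def demo():
    """Run the check on constructed data that reuses file names from this chapter."""
    archive = make_sample_archive({
        "configuration": b"a" * 3000,
        "backup.cfg": b"b" * 2800,
        "corpa/corpa-login.html": b"c" * 637,
    })
    current = {"configuration": 3541, "testconfig1": 1200, "backup.cfg": 2800}
    return plan_restore(archive, current)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A replaced entry whose two sizes differ is a file the restore will actually change; equal sizes do not prove the contents are identical.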
rmdir

Removes a subdirectory from nonvolatile storage.

Syntax
rmdir [subdirname]

subdirname
    Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.

Defaults None.
Access Enabled.

Usage
UNIVERGE WL Control System does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it.

Examples
The following example removes subdirectory corp2:

PROMPT# rmdir corp2
success: change accepted.
Defaults By default, UNIVERGE WL Control System saves the running configuration as the configuration filename used during the last reboot.
Access Enabled.

Usage
If you do not specify a filename, UNIVERGE WL Control System replaces the configuration file loaded during the most recent reboot. To display the filename of the configuration file UNIVERGE WL Control System loaded during the most recent reboot, use the show boot command.
Syntax
set boot backup-configuration filename

filename
    Name of the file to use as a backup configuration file if UNIVERGE WL Control System cannot read the UNIVERGE WL Controller’s configuration file.

Defaults By default, there is no backup configuration file.
Access Enabled.

Examples
The following command specifies a file called backup.cfg as the backup configuration file on the UNIVERGE WL Controller:

PROMPT# set boot backup-configuration backup.
Examples
The following command sets the boot configuration file to testconfig1:

PROMPT# set boot configuration-file testconfig1
success: boot config set.

set boot partition

Specifies the boot partition in which to look for the system image file following the next system reset, software reload, or power cycle.

Syntax
set boot partition {boot0 | boot1}

boot0
    Boot partition 0.
boot1
    Boot partition 1.
Syntax
show boot

Defaults None.
Access Access.

Examples
The following command shows the boot information for a UNIVERGE WL Controller:

PROMPT# show boot
Configured boot version:       6.0.2.0.003
Configured boot image:         boot0:SC060200.003
Configured boot configuration: file:configuration
Backup boot configuration:     file:backup.cfg
Booted version:                6.0.2.0.003
Booted image:                  boot0:SC060200.
Booted configuration:
Product model:
Table 76. Output for show boot

Field
    Description
Booted image
    Boot partition and image filename UNIVERGE WL Control System used the last time the software was rebooted. UNIVERGE WL Control System is running this software image.
Booted configuration
    Configuration filename UNIVERGE WL Control System used to load the configuration the last time the software was rebooted.
show config

Displays the configuration running on the UNIVERGE WL Controller.
area area
    Configuration area. You can specify one of the following:
    • aaa
    • acls
    • ap
    • arp
    • eapol
    • httpd
    • ip
    • ip-config
    • l2acl
    • load-balancing
    • log
    • mobility-domain
    • network-domain
    • ntp
    • port-group
    • port config
    • qos
    • radio-profile
    • rfdetect
    • service-profile
    • sm
    • snmp
    • snoop
    • spantree
    • system
    • trace
    • vlan
    • vlan-fdb
    • vlan-profile
    If you do not specify a configuration area, nondefault information for all areas is displayed.
Defaults None.
Access Enabled.

Usage
If you do not use one of the optional parameters, configuration commands that set nondefault values are displayed for all configuration areas. If you specify an area, commands are displayed for that area only. If you use the all option, the display also includes commands for configuration items that are set to their default values.
Examples
The following command displays version information for a UNIVERGE WL Controller:

PROMPT# show version
UNIVERGE WL System Software V1, Version: 6.0.3.0 REL
Copyright (c) 2006 - 2007 NEC Infrontia Corporation. All rights reserved.
Build Information: Model: Hardware Mainboard: Serial number Flash: Kernel: BootLoader: 0.1 011 2007-04-16 16:32:00 WL1700-MS version 1 ; revision 1 0909090909 1.0.0.0 - FROM0 2.6.10_mvl401-SV011 6.0.13 / 6.0.
Table 77 describes the fields in the show version output.

Table 77. Output for show version

Field
    Description
Build Information
    Factory timestamp of the image file.
Label
    Software version and build date.
Build Suffix
    Build suffix.
Model
    Build model.
Hardware
    Version information for the UNIVERGE WL Controller’s motherboard and Power over Ethernet (PoE) board.
Serial number
    Serial number of the UNIVERGE WL Controller.
Flash
    Flash memory version.
Kernel
    Kernel version.
21 Trace Commands

Use trace commands to perform diagnostic routines. While UNIVERGE WL Control System allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces UNIVERGE WL Control System allows, type the set trace ? command.

Caution! Using the set trace command can have adverse effects on system performance.
clear log trace

Deletes the log messages stored in the trace buffer.

Syntax
clear log trace

Defaults None.
Access Enabled.

Examples
To delete the trace log, type the following command:

PROMPT# clear log trace

See Also
• set log on page 626
• show log buffer on page 630

clear trace

Deletes running trace commands and ends trace processes.

Syntax
clear trace {trace-area | all}

trace-area
    Ends a particular trace process.
To clear the session manager trace, type the following command:

PROMPT# clear trace sm
success: clear trace sm

See Also
• set trace authentication on page 607
• set trace authorization on page 608
• set trace dot1x on page 610
• set trace sm on page 611
• show trace on page 611

save trace

Saves the accumulated trace data for enabled traces to a file in the UNIVERGE WL Controller’s nonvolatile storage.

Syntax
save trace filename

filename
    Name for the trace file.
Syntax
set trace authentication [mac-addr mac-address] [port port-num] [user username] [level level]

mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
    Traces a port number.
user username
    Traces a user. Specify a username of up to 32 alphanumeric characters with no spaces.
level level
    Determines the quantity of information included in the output.
Syntax
set trace authorization [mac-addr mac-address] [port port-num] [user username] [level level]

mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
    Traces a port number.
user username
    Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
level level
    Determines the quantity of information included in the output.
set trace dot1x

Traces 802.1X sessions.

Syntax
set trace dot1x [mac-addr mac-address] [port port-num] [user username] [level level]

mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
    Traces a port number.
user username
    Traces a user. Specify a username of up to 80 alphanumeric characters with no spaces.
set trace sm

Traces session manager activity.

Syntax
set trace sm [mac-addr mac-address] [port port-num] [user username] [level level]

mac-addr mac-address
    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
    Traces a port number.
user username
    Traces a user. Specify a username of up to 80 alphanumeric characters, with no spaces.
Syntax
show trace [all]

all
    Displays all possible trace options and their configuration.

Defaults None.
Access Enabled.
22 Snoop Commands

Use snoop commands to monitor wireless traffic by using a UNIVERGE WL Access Point as a sniffing device. The UNIVERGE WL Access Point copies the sniffed 802.11 packets and sends the copies to an observer, typically a protocol analyzer such as Ethereal or Tethereal. (For more information, including setup instructions for the monitoring station, see the “Remotely Monitoring Traffic” section in the “Troubleshooting a UNIVERGE WL Controller” chapter of the Configuration Guide.
clear snoop

Deletes a snoop filter.

Syntax
clear snoop filter-name

filter-name
    Name of the snoop filter.

Defaults None.
Access Enabled.

Examples
The following command deletes snoop filter snoop1:

PROMPT# clear snoop snoop1

See Also
• set snoop on page 616
• show snoop info on page 621

clear snoop map

Removes a snoop filter from a UNIVERGE WL Access Point radio.

Examples

filter-name
    Name of the snoop filter.
Examples
The following command removes snoop filter snoop2 from radio 2 on UNIVERGE WL Access Points 3:

PROPMT# clear snoop map snoop2 ap 3 radio 2
success: change accepted.

The following command removes all snoop filter mappings from all radios:

PROPMT# clear snoop map all
success: change accepted.
set snoop

Configures a snoop filter.

Syntax
set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]

filter-name
    Name for the filter. The name can be up to 15 alphanumeric characters, with no spaces.
condition-list
    Match criteria for packets. Conditions in the list are ANDed. Therefore, to be copied and sent to an observer, a packet must match all criteria in the condition-list.
observer ip-addr
    Specifies the IP address of the station where the protocol analyzer is located. If you do not specify an observer, the UNIVERGE WL Access Points radio still counts the packets that match the filter.
snap-length num
    Specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. UNIVERGE WL Control System recommends specifying a snap length of 100 bytes or less.
The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:

PROPMT# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.
Usage
You can map the same filter to more than one radio. You can map up to eight filters to the same radio. If more than one filter has the same observer, the UNIVERGE WL Access Points sends only one copy of a packet that matches a filter to the observer. After the first match, the UNIVERGE WL Access Points sends the packet and stops comparing the packet against other filters for the same observer.
Access: Enabled.

Usage
The filter mode is retained even if you disable and reenable the radio, or restart the UNIVERGE WL Access Points or the UNIVERGE WL Controller. Once the filter is enabled, you must use the disable option to disable it.
• set snoop map on page 618
• show snoop map on page 621

show snoop info

Shows the configured snoop filters.

Syntax
show snoop filter-name

filter-name
    Name of the snoop filter.

Defaults: None.
Access: Enabled.

Examples
The following command shows the snoop filters configured in the examples above:

PROPMT# show snoop info
snoop1: observer 10.10.30.2 snap-length 100 all packets
snoop2: observer 10.10.30.
Defaults: None.
Access: Enabled.

Usage
To display the mappings for all snoop filters, use the show snoop command.

Examples
The following command shows the mapping for snoop filter snoop1:

PROPMT# show snoop map snoop1
filter 'snoop1' mapping
AP: 3 Radio: 2

See Also
• clear snoop map on page 614
• set snoop map on page 618
• show snoop on page 620

show snoop stats

Displays statistics for enabled snoop filters.
Examples
The following command shows statistics for snoop filter snoop1:

PROPMT# show snoop stats snoop1
Filter    AP  Radio  Rx Match  Tx Match  Dropped
================================================================
snoop1    3   1      96        4         0

Table 78 describes the fields in this display.

Table 78. show snoop stats Output

Field     Description
Filter    Name of the snoop filter.
AP        UNIVERGE WL Access Points containing the radio to which the filter is mapped.
23 System Log Commands

Use the system log commands to record information for monitoring and troubleshooting. UNIVERGE WL Control System system logs are based on RFC 3164, which defines the log protocol. This chapter presents system log commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Examples
To stop sending system logging messages to a server at 192.168.253.11, type the following command:

PROPMT# clear log server 192.168.253.11
success: change accepted.

Type the following command to clear all messages from the log buffer:

PROPMT# clear log buffer
success: change accepted.
sessions
    Sets the default log values for Telnet sessions. You can set defaults for the following log parameters:
    • Severity
    • Logging state (enabled or disabled)
    To override the session defaults for an individual session, type the set log command from within the session and use the current option.
trace
    Sets log parameters for trace files.
port port-number
    Sets the TCP port for sending messages to the syslog server. You can specify a number from 1 to 65535.
local-facility facility-level
    For messages sent to a syslog server, maps all messages of the severity you specify to one of the standard local log facilities defined in RFC 3164. You can specify one of the following values:
    • 0—maps all messages to local0.
    • 1—maps all messages to local1.
    • 2—maps all messages to local2.
    • 3—maps all messages to local3.
    • 4—maps all messages to local4.
    • 5—maps all messages to local5.
    • 6—maps all messages to local6.
    • 7—maps all messages to local7.
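The local-facility value ends up inside the <PRI> field of every RFC 3164 message the collector receives. The following added example (not part of the original manual) shows how a syslog collector can decode that field and keep only messages that arrive on the configured local facility at or above a chosen severity. The hostnames and message text are constructed, and the severity names not shown in this chapter are assumptions based on RFC 3164.

```python
import re

# RFC 3164 severity codes 0..7, spelled the way this chapter names its levels.
# Names that do not appear on the page (warning, info, debug) are assumptions.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
LOCAL0, LOCAL7 = 16, 23          # RFC 3164 facility codes for local0..local7
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Split the leading <PRI> of an RFC 3164 message into (facility, severity)."""
    m = PRI_RE.match(message)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    if LOCAL0 <= facility <= LOCAL7:
        return f"local{facility - LOCAL0}", SEVERITIES[severity]
    return f"facility{facility}", SEVERITIES[severity]

def expected_pri(facility_level, severity):
    """PRI a collector should see for local-facility <facility_level> at a severity."""
    if not 0 <= facility_level <= 7:
        raise ValueError("facility-level must be 0..7")
    return (LOCAL0 + facility_level) * 8 + SEVERITIES.index(severity)

def accept(message, facility_level, min_severity):
    """Keep a message only if it uses the configured local facility and is at
    least as severe as min_severity (a lower RFC 3164 code is more severe)."""
    try:
        facility, severity = decode_pri(message)
    except ValueError:
        return False
    return (facility == f"local{facility_level}"
            and SEVERITIES.index(severity) <= SEVERITIES.index(min_severity))

# Constructed sample datagrams (hostnames and text are placeholders).
SAMPLES = [
    "<163>Oct 28 16:30:19 wlc-example constructed error text",   # local4.error
    "<165>Oct 28 16:30:20 wlc-example constructed notice text",  # local4.notice
    "<11>Oct 28 16:30:21 other-host constructed error text",     # user.error
    "no PRI at all",
]

def filter_samples(facility_level=4, min_severity="error"):
    """Return the sample messages a collector configured this way would keep."""
    return [s for s in SAMPLES if accept(s, facility_level, min_severity)]
```

Messages that arrive on an unexpected facility are worth logging separately, because they show that something other than the configured controller is sending to the collector port.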
Examples
To log only emergency, alert, and critical system events to the console, type the following command:

PROPMT# set log console severity critical enable
success: change accepted.

See Also
• show log config on page 632
• clear log on page 625

set log mark

Configures UNIVERGE WL Control System to generate mark messages at regular intervals. The mark messages indicate the current system time and date.
Defaults: Mark messages are disabled by default. When they are enabled, UNIVERGE WL Control System generates a message at the notice level once every 300 seconds by default.
Access: Enabled.

Examples
The following command enables mark messages:

PROPMT# set log mark enable
success: change accepted.

See Also
show log config on page 632

show log buffer

Displays system information stored in the nonvolatile log buffer or the trace buffer.
severity severity-level
    Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
    • emergency—The UNIVERGE WL Controller is unusable.
    • alert—Action must be taken immediately.
    • critical—You must resolve the critical conditions. If the conditions are not resolved, the UNIVERGE WL Controller can reboot or shut down.
    • error—The UNIVERGE WL Controller is missing data or is unable to form a connection.
See Also
• clear log on page 625
• show log config on page 632

show log config

Displays log configuration information.

Syntax
show log config

Defaults: None.
Access: Enabled.
show log trace

Displays system information stored in the nonvolatile log buffer or the trace buffer.

Syntax
show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]

trace
    Displays the log messages in the trace buffer.
+|-|/ number-of-messages
    Displays the number of messages specified as follows:
    • A positive number (for example, +100) displays that number of log entries starting from the oldest in the log.
matching string
    Displays messages that match a string—for example, a username or IP address.
severity severity-level
    Displays messages at a severity level greater than or equal to the level specified. Specify one of the following:
    • emergency—The UNIVERGE WL Controller is unusable.
    • alert—Action must be taken immediately.
    • critical—You must resolve the critical conditions. If the conditions are not resolved, the UNIVERGE WL Controller can reboot or shut down.
T: Xmtr Mac 00:60:b9:11:58:co Ap 7 Radio 1 Chan 36 RSSI 36 Tech DOT_11A SSID wlan-7
ROGUE Oct 28 16:30:19.717954 ERROR ROGUE_AP_ALERT: Xmtr Mac 00:0b:0e:00:06:8f Ap 7 Radio 1 Chan 36 RSSI 13 Tech DOT_11A SSID univerge
ROGUE Oct 28 16:30:19.
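The ROGUE_AP_ALERT lines in the output above can be turned into structured records for triage. The following added example (not part of the original manual) parses them, rejects lines whose transmitter MAC is malformed, and reports which AP hears each transmitter best. The field layout is inferred from the one complete line shown above and is an assumption, as is the reading that a larger RSSI value means a stronger signal; the sample lines are constructed.

```python
import re

# Field layout inferred from the single complete ROGUE_AP_ALERT line in the
# manual's output; treat it as an assumption for other software versions.
ROGUE_RE = re.compile(
    r"^(?P<facility>\S+) (?P<ts>\w{3} +\d+ [\d:.]+) (?P<severity>\w+) "
    r"ROGUE_AP_ALERT: Xmtr Mac (?P<mac>\S+) Ap (?P<ap>\d+) Radio (?P<radio>\d+) "
    r"Chan (?P<chan>\d+) RSSI (?P<rssi>-?\d+) Tech (?P<tech>\S+) SSID (?P<ssid>.*)$"
)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

# Constructed sample input (not captured from a real controller).
SAMPLE = """\
ROGUE Oct 28 16:30:19.717954 ERROR ROGUE_AP_ALERT: Xmtr Mac 00:0b:0e:00:06:8f Ap 7 Radio 1 Chan 36 RSSI 13 Tech DOT_11A SSID univerge
ROGUE Oct 28 16:30:21.100200 ERROR ROGUE_AP_ALERT: Xmtr Mac 00:0b:0e:00:06:8f Ap 9 Radio 1 Chan 36 RSSI 41 Tech DOT_11A SSID univerge
ROGUE Oct 28 16:30:22.000001 ERROR ROGUE_AP_ALERT: Xmtr Mac 00:60:b9:11:58:co Ap 7 Radio 1 Chan 36 RSSI 36 Tech DOT_11A SSID wlan-7
SM Oct 28 16:30:23.500000 INFO constructed unrelated message
"""

def parse_rogue_alerts(text):
    """Return (alerts, rejected): parsed records, and alert lines that failed validation."""
    alerts, rejected = [], []
    for line in text.splitlines():
        if "ROGUE_AP_ALERT" not in line:
            continue
        m = ROGUE_RE.match(line.strip())
        # The SSID is chosen by the transmitter, so it is captured last and
        # never used to locate the other fields.
        if not m or not MAC_RE.match(m["mac"]):
            rejected.append(line)
            continue
        rec = m.groupdict()
        for key in ("ap", "radio", "chan", "rssi"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts, rejected

def strongest_sighting(alerts):
    """Per transmitter MAC, keep the sighting with the highest RSSI value
    (assumed to mean the closest listening AP)."""
    best = {}
    for rec in alerts:
        mac = rec["mac"].lower()
        if mac not in best or rec["rssi"] > best[mac]["rssi"]:
            best[mac] = rec
    return best
```

Rejected lines should be kept for review rather than dropped, since a malformed MAC can come from a truncated log entry as easily as from a parser mismatch.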
UNIVERGE WL Command Reference (V1)
NWA-027517-001
May, 2007 ISSUE 1.0
Publishing Office NEC Infrontia Corporation Data Wireless Networks Division
© 2007 NEC Infrontia Corporation
Notice
(1) All rights reserved.
(2) The contents of this manual are subject to change without notice.