Mobility System Software™ 7.3 Command Reference Guide
Trapeze Networks, Inc.
5753 W. Las Positas Blvd. Pleasanton, CA 94588
Tel: +1 925-474-2200 Fax: +1 925-251-0642 Toll-Free: 877-FLY-TRPZ (877-359-8779)
For the most current version of all documentation, go to www.trapezenetworks.com
Part Number: 730-9502-0314 Rev.
© 2010 Trapeze Networks, Inc. All rights reserved.
Customer Service
For general information about Trapeze Networks Mobility System™ products and services, visit www.trapezenetworks.com. For warranty, license, and support information, visit the following sites:
● Warranty and software licenses. Current Trapeze Networks warranty and software licenses are available at www.trapezenetworks.com/support/warranty/.
● Support services. For information about Trapeze support services, visit www.trapezenetworks.com/support/.
Information to Have Available
To expedite your service request, have the following information available when you call or write to TAC for technical assistance:
● Your company name and address
● Your name, telephone number, cell phone or pager number, and email address
● Name, model, and serial number of the product(s) requiring service
● Software version and release number
● Output of the show tech-support command
● Wireless client information
● License levels for RingMaster™ and Mobility Exchange™ (MX™) products
This Limited Warranty does not apply if hardware (a) is altered from its original specifications, (b) is installed, configured, implemented or operated in any way that is contrary to its documentation, (c) has damage resulting from negligence, accident, or environmental stress, (d) was subject to unauthorized repair or modification or (e) is provided to Customer for pre-production, evaluation or charitable purposes. 4.
PUNITIVE DAMAGES REGARDLESS OF HOW THOSE DAMAGES WERE CAUSED. NOR WILL TRAPEZE NETWORKS, ITS SUPPLIERS, OR ITS AUTHORIZED RESELLERS BE LIABLE FOR ANY MONETARY OR PUNITIVE DAMAGES ARISING OUT OF THE USE OF, OR INABILITY TO USE TRAPEZE NETWORKS HARDWARE OR SOFTWARE. TRAPEZE NETWORKS' LIABILITY SHALL NOT EXCEED THE PRICE PAID BY THE CUSTOMER FOR ANY HARDWARE OR SOFTWARE COVERED UNDER THE TERMS AND CONDITIONS OF THIS WARRANTY.
Introducing the Trapeze Networks Mobility System
Trapeze Networks Mobility System
Documentation
Documentation
Consult the following documents to plan, install, configure, and manage a Trapeze Networks Mobility System.
Planning, Configuration, and Deployment
Trapeze RingMaster Quick Start Guide. Instructions for installing and configuring RingMaster services.
Trapeze RingMaster Planning Guide. Instructions for planning, deploying, and managing the entire WLAN with the RingMaster tool suite. Read this guide to learn how to plan wireless services.
Trapeze RingMaster Configuration Guide.
Safety and Advisory Notices
The following kinds of safety and advisory notices appear in this manual.
Warning! This situation or condition can lead to data loss or damage to the product or other property.
Note: This information is of special interest.
Text and Syntax Conventions
Trapeze manuals use the following text and syntax conventions:
Convention         Use
Monospace text     Sets off command syntax or sample commands and system responses.
3 Access Commands
Use access commands to control access to the Mobility System Software (MSS) command-line interface (CLI). This chapter presents access commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Access Privileges
enable on page 3-15
set enablepass on page 3-16
disable on page 3-15
quit on page 3-16

disable
Changes the CLI session from enabled mode to restricted access.
Syntax disable
Defaults None.
Access Enabled.
History Introduced in MSS 1.0.
● set confirm on page 4-26

quit
Exit from the CLI session.
Syntax quit
Defaults None.
Access All.
History Introduced in MSS 1.0.
Examples To end your session, type the following command:
MX> quit

set enablepass
Sets the password that provides enabled access (for configuration and monitoring) to the MX switch.
Note: The enable password is case-sensitive.
Syntax set enablepass
Defaults None.
Access Enabled.
History Introduced in MSS 1.0.
4 System Services Commands
Use system services commands to configure and monitor system information for a Mobility Exchange (MX) switch. This chapter presents system services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Syntax clear banner motd
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
See Also set prompt on page 4-28. (For information about default prompts, see “Command Prompts” on page 2–5.)

clear run
Clear the rule associated with scriptname.
Syntax clear run scriptfilename
Defaults None
Access Enabled
History Added in MSS 7.1.
Examples To clear the script, runmem, use the following command:
MX# clear run runmem
success: change accepted.

clear system
Clears the system configuration of the specified information.
Version 7.1 Option mx-secret added.
Version 7.3 Option console-timeout added.
Examples To clear the location of the MX, type the following command:
MX# clear system location
success: change accepted.
quit        Exit from the Admin session
radping     Send requests to RADIUS server
reset       Reset, use 'reset help' for more information
restore     Restore system information from file name (or url)
rfping      Rfping operations
rmdir       Remove a directory created by mkdir
rollback    Remove changes to the edited ACL table
run         Evaluate contents of a cli file
save        Save the running configuration to persistent storage
set         Set, use 'set help' for more information
show        Show, us
telnet
traceroute
uninstall
upgrade
Syntax set auto-config {enable | disable}
enable Enables the switch to contact a RingMaster server to request a configuration.
disable Disables the auto-config option.
Defaults The auto-config option is automatically enabled on an unconfigured MXR-2 when the factory reset switch is pressed during power on. However, auto-config is disabled by default on other models.
Access Enabled.
History Introduced in MSS Version 4.0.
3. Enable the auto-config option:
MX# set auto-config enable
success: change accepted.
4. Save the configuration changes:
MX# save config
success: configuration saved.
See Also
● crypto generate key on page 16-412
● crypto generate self-signed on page 16-414
● save config on page 21-495
● set interface dhcp-client on page 8-103
● set vlan port on page 6-74

set banner acknowledge
Configures a prompt that is displayed following the MOTD banner.
Quotation marks can be used in the message if they are enclosed by delimiting characters. For example, to set the text “Do you agree?” (including the quotation marks) as the text to be displayed following the MOTD banner, type the following command:
MX# set banner acknowledge message ‘"Do you agree?"‘
success: change accepted.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage This command remains in effect for the duration of the session, until you enter an exit or quit command, or until you enter another set confirm command. MSS displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network. For example:
MX# clear vlan red
This may disrupt user connectivity.
Syntax set license activation-key
activation-key Hexadecimal digits generated by the Trapeze Networks license server or otherwise provided by Trapeze Networks for your MX. The activation key is based on the serial number of the MX. You can enter the number in either of the following formats:
xxxx-xxxx-xxxx-xxxx-xxxx
xxxxxxxxxxxxxxxxxxxx
xxxx-xxxx-xxxx-xxxx-xxxx-feature
Defaults None.
Access Enabled.
History
Version 1.0 Command introduced.
Version 2.0 Command deprecated.
See Also
● clear prompt on page 4-20
● set system name on page 4-36
● show config on page 21-499

set run
Sets the timing for scripts to automatically run on the MX.
Syntax set run scriptname on [interval intervalspec | startup | shutdown]
scriptname Name of the script in *.txt format
intervalspec Specified intervals for the script to run on the MX.
Day - su|mo|tu|we|th|fr|sa|any
Hrnum - 00-23
Hrint - Hrnum1 - Hrnum2 where Hrnum2 is larger than Hrnum1.
Access Enabled
History Added in MSS 7.1.
Examples To set the console timeout to 120 seconds (2 minutes), use the following command:
MX# set system console-timeout 120
success: change accepted.

set system contact
Stores a contact name for the MX.
Syntax set system contact string
string Alphanumeric string up to 256 characters long.
Defaults None.
Access Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 7.3 Ability to include spaces added.
Table 4– 1. Country Codes (continued)
Country                Code
India                  IN
Indonesia              ID
Ireland                IE
Israel                 IL
Italy                  IT
Jamaica                JM
Japan                  JP
Jordan                 JO
Kazakstan              KZ
Kenya                  KE
St. Kitts and Nevis    KN
Kuwait                 KW
Cayman Islands         KY
Latvia                 LV
Lebanon                LB
Liechtenstein          LI
Lithuania              LT
St.
Access Enabled.
History
Version 1.0 Command introduced
Version 1.1 New country codes added: AE, AU, BR, CN, CZ, ES, GR, HK, HU, KR, IL, IN, LI, MX, MY, NZ, PL, SA, SG, SI, SK, TH, TW, ZA
Version 6.2 New country codes added: BH, BO, BW, CL, CO, CR, CI, HR, CY, DM, DO, EC, SV, EG, EE, GD, GT, HN, ID, JM, JO, KZ, KE, KN, KW, KY, LV, LB, LI, LT, LC, MU, MS, MA, NA, NG, OM, PK, PA, PY, PE, PH, PR, RO, RU, CS, LK, TZ, TT, TN, TR, UA, UY, VE, VN, VC, ZM, and ZW.
See Also
● clear system on page 4-21
● show system on page 4-40

set system ip-address
Sets the system IP address so that it can be used by various services in the MX.
Warning! Any currently configured Mobility Domain operations cease if you change the IP address. If you change the address, you must reset the Mobility Domain.
Syntax set system ip-address ip-addr
ip-addr IP address, in dotted decimal notation.
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.
Examples To store the location of the MX in the configuration, type the following command:
MX# set system location first-floor-bldg3
success: change accepted.
See Also
● clear system on page 4-21
● set system contact on page 4-30
● set system name on page 4-36
● show system on page 4-40

set system name
Changes the name of the MX from the default system name and also provides content for the CLI prompt, if you do not specify a prompt.
Examples To display the banner with the message of the day, type the following command:
MX# show banner motd
hello world
See Also
● clear banner motd on page 4-19

show license
Displays information about the license key(s) currently installed on an MX.
Syntax show license keys
Defaults None.
Access All.
History
Version 1.0 Command introduced.
Version 2.0 Current session count and Last sent alert time fields removed.
Version 3.
❍ Last three days
Historical values drawn as a graph, showing peaks and averages:
❍ Last minute
❍ Last hour
❍ Last three days
● System memory load
Summary data displayed:
❍ Last second (also called instant load)
❍ Last minute
❍ Last 5 minutes
❍ Last hour
❍ Last day
❍ Last three days
Historical values drawn as a graph, showing peaks and averages:
❍ Last minute
❍ Last hour
❍ Last three days
Syntax show load
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.
Usage To display the CPU load recorded from the time the MX was booted, as well as from the previous time the show load command was run, type the following command:
MXR2_desk# show load cpu
Period            Usage
-------------------
Last second:      2%
Last minute:      2%
Last 5 minutes:   2%
Last hour:        2%
Last day:         1%
Last 3 days:      33141%
MXR2_desk# show load cpu history
|100 |90 |80 |70 |60 |50 |40 |30 |20 ^ ^ ^ ^^ ^ ^ ^ ^ ^ ^|10 *************************************************
0 5 0 5 0 5 0 5 0 5 0 |
Memory utilization history for the past hour
* = average utilization (MBytes)
^ = peak utilization (MBytes)
The overall field shows the CPU load as a percentage from the time the MX was booted. The delta field shows CPU load as a percentage from the last time the show load command was entered.
See Also show system on page 4-40

show system
Displays system information.
Syntax show system
Defaults None.
Access Enabled.
History Version 1.
Table 4– 2. show system Output
Field                 Description
Product Name          MX model number.
System Name           System name (factory default, or optionally configured with set system name).
System Countrycode    Country-specific 802.11 code required for MP operation (configured with set system countrycode).
System Location       Record of MX physical location (optionally configured with set system location).
● set system location on page 4-35
● set system name on page 4-36

show tech-support
Provides an in-depth snapshot of the status of the MX, which includes details about the boot image, the version, ports, and other configuration values. This command also displays the last 100 log messages.
Syntax show tech-support [file [subdirname/]filename]
[subdirname/]filename Optional subdirectory name, and a string up to 32 alphanumeric characters.
5 Port Commands Use port commands to configure and manage individual ports and load-sharing port groups. This chapter presents port commands alphabetically. Use the following table to locate commands in this chapter based on their use.
clear ap
Removes a Distributed MP.
Warning! When you clear a Distributed MP, MSS ends user sessions that are using the MP.
Syntax clear ap {apnum | auto | fdb}
apnum Number of the MP(s) to remove.
auto Clear all auto operations.
fdb Clear dynamic AP FDB entries.
Defaults None.
Access Enabled.
History
MSS Version 2.0 Command introduced.
MSS Version 6.0 Command changed from dap to ap.
MSS Version 7.1 Attribute all deprecated. Attributes fdb and auto added.
clear port-group
Removes a port group.
Syntax clear port-group name name
name name Name of the port group.
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples The following command clears port group server1:
MX# clear port-group name server1
success: change accepted.
clear port mirror
Removes a port mirroring configuration.
Syntax clear port mirror
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.2.
Examples The following command clears the port mirroring configuration from the switch:
MX# clear port mirror
See Also
● set port mirror on page 5-55
● show port mirror on page 5-64

clear port name
Removes the name assigned to a port.
Syntax clear port port-list name
List of physical ports.
Syntax clear port type port-list
port-list List of physical ports. MSS resets and removes the configuration from all the specified ports.
Defaults The cleared port becomes a network port but is not placed in any VLANs.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage Use this command to change a port back to a network port. All configuration settings specific to the port type are removed. For example, if you clear an MP port, all MP-specific settings are removed.
receive-errors Displays errors in received packets first.
transmit-errors Displays errors in transmitted packets first.
collisions Displays collision statistics first.
receive-etherstats Displays Ethernet statistics for received packets first.
transmit-etherstats Displays Ethernet statistics for transmitted packets first.
Defaults All types of statistics are displayed for all ports. MSS refreshes the statistics every 5 seconds, and the interval cannot be configured.
Port  Status  Rx Unicast  Rx NonUnicast  Tx Unicast  Tx NonUnicast
===============================================================================
1     Up      54620       62144          68318       62556
...
Table 5– 5 describes the port statistics displayed by each statistics option. The Port and Status fields are displayed for each option.
Table 5– 5. Output for monitor port counters
Statistics Option           Field       Description
Displayed for All Options   Port        Displays the port statistics.
                            Status      Port status. The status can be Up or Down.
octets                      Rx Octets   Total number of octets received by the port. This number includes octets received in frames that contained errors.
Table 5– 5. Output for monitor port counters (continued)
Statistics Option   Field           Description
collisions          Single Coll     Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network.
                    Multiple Coll   Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network.
History Introduced in MSS Version 1.0.
Usage The reset command disables the port link and PoE (if applicable) for at least 1 second, then reenables them. This behavior is useful for forcing an MP that is connected to two MX switches to reboot over the link to the other MX.
Defaults The default values are the same as the defaults for the set port type ap command.
Access Enabled.
History
Version 2.0 Command introduced
Version 2.1 New values for model option added:
Version 3.0 New values for model option added:
Version 3.2
Version 4.
set port
Administratively disables or reenables a port.
Syntax set port {enable | disable} port-list
enable Enables the specified ports.
disable Disables the specified ports.
port-list List of physical ports. MSS disables or reenables all the specified ports.
Defaults All ports are enabled.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
To add or remove ports in a group that is already configured, change the mode to off, add or remove the ports, then change the mode to on.
Examples The following command configures a port group named server1 containing ports 1 through 5, and enables the link:
MX# set port-group name server1 1-5 mode on
success: change accepted.
can attach a protocol analyzer to the observer port to examine the source port’s traffic. Both traffic directions (send and receive) are mirrored.
Syntax set port mirror source-port observer observer-port
source-port Number of the port whose traffic you want to analyze. You can specify only one port.
observer-port Number of the port to copy the traffic from the source port.
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.2.
set port negotiation
Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports.
Syntax set port negotiation port-list {enable | disable}
port-list List of physical ports. MSS disables or reenables autonegotiation on all the specified ports.
enable Enables autonegotiation on the specified ports.
disable Disables autonegotiation on the specified ports.
Defaults Autonegotiation is enabled on all Ethernet ports by default.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the MX-8 switch, port 19 on the MX-216, or port 3 on the MX-200.
Examples The following command disables PoE on ports 7 and 9, which are connected to an MP:
MX# set port poe 7,9 disable
If you are enabling power on these ports, they must be connected only to approved PoE devices with the correct wiring.
Usage It is recommended that you do not configure the mode of an MX port so that one side of the link is set to autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can result in slow throughput on the link. The slow throughput occurs because the side that is configured for autonegotiation falls back to half-duplex. A stream of large packets sent to an MX port in such a configuration can cause forwarding on the link to stop.
set port type wired-auth
Configures an MX port for a wired authentication user.
Note: Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset the port with the clear port type command.
Syntax set port type wired-auth port-list [auth-fall-thru {last-resort | none | web-portal-form}] [idle-timeout timeout] [tag tag-list] [max-sessions num]
port-list List of physical ports.
timeout Sets the idle-timeout for a client. Default value is 300 seconds.
Table 5– 6. Wired Authentication Port Defaults
Port Parameter                 Setting
VLAN membership                Removed from all VLANs. You cannot assign an MP access port to a VLAN. MSS automatically assigns MP access ports to VLANs based on user traffic.
Spanning Tree Protocol (STP)   Not applicable
802.1X                         Uses authentication parameters configured for users.
Port groups                    Not applicable
IGMP snooping                  Enabled as users are authenticated and join VLANs.
Maximum user sessions          1 (one).
receive-etherstats Displays Ethernet statistics for received packets.
transmit-etherstats Displays Ethernet statistics for transmitted packets.
port port-list List of physical ports. If you do not specify a port list, MSS displays statistics for all ports.
Defaults None.
Access All.
History Introduced in MSS Version 1.0.
Usage You can specify one statistic type with the command.
Table 5– 7. Output for show port-group
Field        Description
Port group   Name and state (enabled or disabled) of the port group.
Ports        Ports contained in the port group.
See Also
● clear port-group on page 5-45
● set port-group on page 5-54

show port media-type(deprecated)
Displays the enabled interface types on MX-400 gigabit Ethernet ports.
Syntax show port media-type [port-list]
port-list List of physical ports. MSS displays the enabled interface types for all specified ports.
● set port media-type(deprecated) on page 5-55

show port mirror
Displays the port mirroring configuration.
Syntax show port mirror
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.2.
13 14 15 16 17 18 19 20 21 22 13 14 15 16 17 18 19 20 21 22 down down down down down down down down down down - disabled disabled disabled disabled disabled disabled disabled disabled disabled disabled off off off off off off off off invalid invalid
Table 5– 9 describes the fields in this display.
Table 5– 9. Output for show port poe
Field   Description
Port    Port number.
Name    Port name. If the port does not have a name, the port number is listed.
History Introduced in MSS Version 1.0.
Table 5– 10. Output for show port status (continued)
Field   Description
Type    Port type:
❑ ap—MP port
❑ network—Network port
❑ wa—Wired authentication port
Media   Link type:
❑ 10/100BaseTX—10/100BASE-T.
❑ GBIC—1000BASE-SX or 1000BASE-LX GBIC.
❑ 1000BaseT—1000BASE-T.
❑ No connector—GBIC slot is empty.
6 VLAN Commands Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a mobility domain. This chapter presents VLAN commands alphabetically. Use the following table to locate commands in this chapter based on use.
system Clears system entries from the FDB. You must specify a VLAN name or number with this option.
dynamic Clears dynamic entries. A dynamic entry is automatically removed through aging or after a reboot, reset, or power cycle. You are not required to specify a VLAN name or number with this option.
mac-addr Clears MAC addresses from the FDB. You must specify a MAC address in the format a:b:c:d:e:f or a-b-c-d-e-f.
permit-mac mac-addr [mac-addr] List of MAC addresses. MSS no longer allows clients in the VLAN to send traffic to the MAC addresses at Layer 2.
all Removes all MAC addresses from the list.
Defaults If you do not specify a list of MAC addresses or all, all addresses are removed.
Access Enabled.
History Introduced in MSS Version 4.1.
Usage If you clear all MAC addresses, Layer 2 forwarding is no longer restricted in the VLAN. Clients within the VLAN can communicate directly.
clear vlan
Removes physical or virtual ports from a VLAN or removes a VLAN entirely.
Warning! When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configuration information for that VLAN. If you want to remove only a specific port from the VLAN, make sure you specify the port number in the command.
Syntax clear vlan vlan-id [port port-list [tag tag-value]]
vlan-id VLAN name or number.
port port-list List of physical ports.
clear vlan-profile
Removes a VLAN profile or individual entries from a VLAN profile.
Syntax clear vlan-profile profile-name [vlan vlan-name]
profile-name VLAN profile name
vlan-name Name of a VLAN to remove from the VLAN profile.
Defaults None.
Access Enabled.
History Introduced in MSS Version 6.0.
Usage A VLAN profile lists the VLANs that locally switch traffic by MPs where the VLAN profile is applied.
vlan vlan-id Name or number of a VLAN of which the port is a member. The entry is added only for the specified VLAN.
tag tag-value VLAN tag value that identifies a virtual port. You can specify a number from 1 through 4093. If you do not specify a tag value, an entry is created for an untagged interface only. If you specify a tag value, an entry is created only for the specified tagged interface.
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
communicate directly to each other. To communicate with another client, the client must use one of the specified default routers.
Syntax set security l2-restrict vlan vlan-id [mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
vlan-id VLAN name or number.
mode {enable | disable} Enables or disables restriction of Layer 2 forwarding.
permit-mac mac-addr [mac-addr] MAC addresses to which clients are allowed to forward data at Layer 2. You can specify up to four addresses.
You cannot use a number as the first character in the VLAN name. It is recommended that you do not use the same name with different capitalizations for VLANs. For example, do not configure two separate VLANs with the names red and RED.
VLAN names are case-sensitive for RADIUS authorization when a client roams to an MX.
set vlan tunnel-affinity
Changes an MX's preference within a mobility domain for tunneling user traffic for a VLAN. When a user roams to an MX that is not a member of the user’s VLAN, the MX can forward the user traffic by tunneling to another MX that is a member of the VLAN.
Syntax set vlan vlan-id tunnel-affinity affinity
vlan-id VLAN name or number.
affinity Preference of this MX for forwarding user traffic for the VLAN. You can specify a value from 1 through 10.
Usage A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an MP, traffic for the VLANs specified in the VLAN profile is locally switched by the MP instead of being tunneled back to an MX. You enter a separate set vlan-profile command for each VLAN you want to add to the VLAN profile. A VLAN profile can contain up to 128 entries.
1 00:0b:0e:02:76:f5 1 [ALL]
Total Matching FDB Entries Displayed = 3
The top line of the display identifies the characters to distinguish among the entry types.
The following command displays all entries that begin with the MAC address glob 00:
MX# show fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
Because the forwarding database aging timeout period can be configured on an individual VLAN basis, the command lists the aging timeout period for each VLAN separately.
See Also set fdb agingtime on page 6-72

show fdb count
Lists the number of entries in the forwarding database.
Syntax show fdb count {perm | static | dynamic} [vlan vlan-id]
perm Lists the number of permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle.
User Name              Station Address   VLAN            State
---------------------- ----------------- --------------- -----
redsqa                 10.10.10.5        violet          Up
Table 6– 13 describes the fields in the display.
Table 6– 13. Output for show roaming station
Field             Description
User Name         Name of the user. This is the name used for authentication. The name resides in a RADIUS server database or the local user database on an MX.
Station Address   IP address of the user device.
Table 6– 14. Output for show roaming vlan
Field      Description
VLAN       VLAN name.
MX         System IP address of the MX on which the VLAN is configured.
Affinity   Preference of this MX for forwarding user traffic for the VLAN. A higher number indicates a greater preference.
See Also
● show roaming station on page 6-78
● show vlan config on page 6-81

show security l2-restrict
Displays configuration information and statistics for Layer 2 forwarding restriction.
See Also
● clear security l2-restrict on page 6-68
● clear security l2-restrict counters on page 6-69
● set security l2-restrict on page 6-72

show tunnel
Displays the tunnels from the MX where you type the command.
Syntax show tunnel
Defaults None.
Access Enabled
History Introduced in MSS Version 1.0.
Examples To display all tunnels from an MX to other switches in the Mobility Domain, type the following command.
Access All.
History Introduced in MSS Version 1.0.
Examples The following command displays information for VLAN burgundy:
MX# show vlan config burgundy
                      Admin  VLAN  Tunl                         Port
VLAN Name             Status State Affin Port             Tag   State
---- ---------------- ------ ----- ----- ---------------- ----- -----
2    burgundy         Up     Up    5     2                none  Up
                                         3                none  Up
                                         4                none  Up
                                         6                none  Up
                                         11               none  Up
                                         t:10.10.40.4     none  Up
Table 6– 17 describes the fields in this display.
Table 6– 17.
show vlan-profile
Displays the contents of the VLAN profiles configured on the MX. A VLAN profile lists the VLANs for which traffic is locally switched by MPs that use the VLAN profile.
Syntax show vlan-profile [profile-name]
profile-name VLAN profile name
Defaults If a profile-name is not specified, the contents of all VLAN profiles configured on the MX switch are displayed.
Access All.
History Introduced in MSS Version 6.0.
7 Quality of Service Commands
Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet prioritization ensures that MX switches and MPs give preferential treatment to high-priority traffic such as voice and video. (To override the prioritization for specific traffic, use access control lists [ACLs] to set the Class of Service [CoS] for the packets. See Chapter , “Security ACL Commands,” on page 391.) This chapter presents QoS commands alphabetically.
History
MSS Version 4.1 Introduced
MSS Version 7.1 sip-data and traffic-class added.
Usage To reset all mappings to the default values, use the clear qos command without the optional parameters.
Examples The following command resets all QoS mappings:
MX# clear qos
success: change accepted.
The following command resets the mapping used to classify packets with DSCP value 44:
MX# clear qos dscp-to-qos-map 44
success: change accepted.
See Also
● set qos dscp-to-cos-map on page 7-87
● show qos on page 7-88

set qos dscp-to-cos-map
Changes the internal QoS value that MSS maps to a packet DSCP value when classifying inbound packets.
Syntax set qos dscp-to-cos-map dscp-range cos level
   dscp-range DSCP range. You can specify the values as decimal numbers. Valid decimal values are 0 to 63. To specify a range, use the following format: 40-56. Specify the lower number first.
   cos level Internal QoS value.
Quality of Service Commands Usage Used in VoIP configurations. set qos-profile Configures QoS parameters to apply to multiple clients. set qos-profile profile-name [access-category background | best effort | video | voice]|[cos static-cos-value][max-bandwidth max-bw-kb][use-client-dscp enable | disable] trust-client-dscp [enable | disable] Syntax profile-name Name of the QoS profile access-category background best-effort video voice Four types of forwarding queues to configure QoS.
Ingress DSCP    CoS Level
===============================================================================
00-09           0 0 0 0 0 0 0 0 1 1
10-19           1 1 1 1 1 1 2 2 2 2
20-29           2 2 2 2 3 3 3 3 3 3
30-39           3 3 4 4 4 4 4 4 4 4
40-49           5 5 5 5 5 5 5 5 6 6
50-59           6 6 6 6 6 6 7 7 7 7
60-63           7 7 7 7

Egress QoS Marking Map (cos-to-dscp)
CoS Level          0    1    2    3    4    5    6    7
===============================================================================
Egress DSCP        0    8   16   24   32   40   48   56
Egress ToS byte 0x00 0x20 0x40 0x
8 IP Services Commands Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a route. This chapter presents IP services commands alphabetically. Use the following table to locate commands in this chapter based on their use.
IP Services Commands show timedate on page 8-144 show timezone on page 8-144 show summertime on page 8-143 clear timezone on page 8-100 clear summertime on page 8-99 NTP set ntp on page 8-114 set ntp server on page 8-114 set ntp update-interval on page 8-115 show ntp on page 8-140 clear ntp server on page 8-96 clear ntp update-interval on page 8-96 ARP set arp on page 8-101 set arp agingtime on page 8-102 show arp on page 8-131 SNMP set snmp protocol on page 8-124 set snmp security on page 8-125 Upda
IP Services Commands Syntax clear interface vlan-id ip vlan-id VLAN name or number. Defaults None. Access Enabled. History Introduced in MSS Version 1.0.
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples The following command removes the alias server1:
MX# clear ip alias server1
success: change accepted.
See Also
● set ip alias on page 8-106
● show ip alias on page 8-136

clear ip dns domain
Removes the default DNS domain name.
Syntax clear ip dns domain
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
● set ip dns on page 8-107
● set ip dns domain on page 8-107
● set ip dns server on page 8-108
● show ip dns on page 8-136

clear ip route
Removes a route from the IP route table.
Syntax clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router
   default Default route. Note: default is an alias for IP address 0.0.0.0/0.
   ip-addr mask IP address and subnet mask for the route destination, in dotted decimal notation (for example, 10.10.10.10 255.255.255.0).
Examples The following command resets the TCP port number for Telnet management traffic to its default:
MX# clear ip telnet
success: change accepted.
See Also
● set ip https server on page 8-109
● set ip telnet on page 8-112
● set ip telnet server on page 8-113
● show ip https on page 8-137
● show ip telnet on page 8-139

clear ntp server
Removes an NTP server from an MX configuration.
See Also
● clear ntp server on page 8-96
● set ntp on page 8-114
● set ntp server on page 8-114
● set ntp update-interval on page 8-115
● show ntp on page 8-140

clear snmp community
Clears an SNMP community string.
Syntax clear snmp community name community-name
   community-name Name of the SNMP community you want to clear.
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.0.
IP Services Commands See Also ● ● set snmp notify profile on page 8-118 show snmp notify profile on page 8-142 clear snmp notify target Clears an SNMP notification target. Syntax clear snmp notify target notify-target-id ID of the target. notify-target-id Defaults None. Access Enabled. History Introduced in MSS Version 4.0. MSS Version 4.0 Command introduced. MSS Version 7.
IP Services Commands See Also ● ● set snmp usm on page 8-126 show snmp usm on page 8-143 clear summertime Clears the summertime setting from an MX. Syntax clear summertime Defaults None. Access Enabled. History Introduced in MSS Version 1.0. Examples To clear the summertime setting from an MX, type the following command: MX# clear summertime success: change accepted.
MX# clear system ip-address
success: change accepted.
See Also
● set system ip-address on page 8-129
● show system on page 4-40

clear timezone
Clears the time offset for the MX real-time clock from Coordinated Universal Time (UTC). UTC is also known as Greenwich Mean Time (GMT).
Syntax clear timezone
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
   interval time Time interval between ping packets, in milliseconds. You can specify from 100 through 10,000.
   size size Packet size, in bytes. You can specify from 56 through 65,507. Note: Because the MX adds header information, the ICMP packet size is 8 bytes larger than the specified size.
   tos tos Set the tos byte in the IP header. You can specify an integer from 0 to 255.
   user Interpret 'host' argument as a user name.
Defaults
● count—5.
● dnf—Disabled.
IP Services Commands ip-addr IP address of the entry, in dotted decimal notation. mac-addr MAC address to map to the IP address. Use colons to separate the octets (for example, 00:11:22:aa:bb:cc). Defaults None. Access Enabled. History Introduced in MSS Version 1.0. Examples The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC address 00:bb:cc:dd:ee:ff: MX# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff success: added arp 10.10.10.
IP Services Commands Syntax set interface vlan-id ip {ip-addr mask | ip-addr/mask-length} vlan-id VLAN name or number. ip-addr mask IP address and subnet mask in dotted decimal notation (for example, 10.10.10.10 255.255.255.0). ip-addr/mask-length IP address and subnet mask length in CIDR format (for example, 10.10.10.10/ 24). Defaults None. Access Enabled. History Introduced in MSS Version 1.0. Usage You can assign one IP interface to each VLAN.
IP Services Commands History Introduced in MSS Version 4.0. Usage You can enable the DHCP client on one VLAN only. You can configure the DHCP client on more than one VLAN, but the client can be active on only one VLAN. MSS also has a configurable DHCP server. (See set interface dhcp-server on page 8-104.) You can configure a DHCP client and DHCP server on the same VLAN, but only the client or the server can be enabled.
IP Services Commands Version 5.0 New options added: dns-domain ❑ primary-dns and secondary-dns ❑ default-router ❑ Usage By default, all addresses except the host address of the VLAN, the network broadcast address, and the subnet broadcast address are included in the range. If you specify the range, the start address must be lower than the stop address, and all addresses must be in the same subnet. The IP interface of the VLAN must be within the same subnet but is not required to be within the range.
To enable the IPSec parameters, use the following command:
MX# set interface ip security destination

set interface status
Administratively disables or reenables an IP interface.
Syntax set interface vlan-id status {up | down}
   vlan-id VLAN name or number.
   up Enables the interface.
   down Disables the interface.
Defaults IP interfaces are enabled by default.
Access Enabled.
History Introduced in MSS Version 1.0.
IP Services Commands set ip dns Enables or disables DNS on an MX. Syntax set ip dns {enable | disable} enable Enables DNS. disable Disables DNS. Defaults DNS is disabled by default. Access Enabled. History Introduced in MSS Version 1.0.
IP Services Commands set ip dns server on page 8-108 show ip dns on page 8-136 ● ● set ip dns server Specifies a DNS server to use for resolving hostnames you enter in CLI commands. Syntax set ip dns server ip-addr {primary | secondary} ip-addr IP address of a DNS server, in dotted decimal or CIDR notation. primary Defines the server as the primary server that MSS always consults first for resolving DNS queries. secondary Defines the server as a secondary server.
set ip https server
Enables the HTTPS server on an MX. The HTTPS server is required for Web View access to the switch.
Warning! If you disable the HTTPS server, Web View access to the MX is disabled.
Syntax set ip https server {enable | disable}
   enable Enables the HTTPS server.
   disable Disables the HTTPS server.
Defaults The HTTPS server is disabled by default.
Access Enabled.
History
   Version 1.0 Command introduced
   Version 3.
IP Services Commands default-router IP address, DNS hostname, or alias of the next-hop router. metric Cost for using the route. You can specify a value from 0 through 2,147,483,647. Lower-cost routes are preferred over higher-cost routes. Defaults None. Access Enabled. History Version 1.0 Command introduced Version 1.
● show ip route on page 8-138

set ip snmp server
Enables or disables the SNMP service on the MX.
Syntax set ip snmp server {enable | disable}
   enable Enables the SNMP service.
   disable Disables the SNMP service.
Defaults The SNMP service is disabled by default.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples The following command enables the SNMP server on an MX:
MX# set ip snmp server enable
success: change accepted.
See Also
● set ip ssh server on page 8-112

set ip ssh server
Disables or reenables the SSH server on an MX.
Warning! If you disable the SSH server, SSH access to the MX is also disabled.
Syntax set ip ssh server {enable | disable}
   enable Enables the SSH server.
   disable Disables the SSH server.
Defaults The SSH server is enabled by default.
Access Enabled.
History
   Version 2.0 Command introduced
   Version 2.
Syntax set ip telnet port-num
   port-num TCP port number.
Defaults The default Telnet port number is 23.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples The following command changes the Telnet port number on an MX to 5000:
MX# set ip telnet 5000
success: change accepted.
See Also
● clear ip telnet on page 8-95
● set ip https server on page 8-109
● set ip telnet on page 8-112
● show ip https on page 8-137
● show ip telnet on page 8-139

set ntp
Enables or disables the NTP client on an MX.
Syntax set ntp {enable | disable}
   enable Enables the NTP client.
   disable Disables the NTP client.
Defaults The NTP client is disabled by default.
Access Enabled.
History Introduced in MSS Version 1.0.
IP Services Commands Usage You can configure up to three NTP servers. MSS queries all the servers and selects the best response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis. To use NTP, you also must enable the NTP client with the set ntp command. Examples The following command configures an MX to use NTP server 192.168.1.5: MX# set ntp server 192.168.1.
set snmp community
Configures a community string for SNMPv1 or SNMPv2c. For SNMPv3, use the set snmp usm command to configure an SNMPv3 user.
Note: SNMPv3 does not use community strings.
Syntax set snmp community name comm-string access {read-only | read-notify | notify-only | read-write | notify-read-write}
   comm-string Name of the SNMP community. Specify between 1 and 32 alphanumeric characters, with no spaces.
See Also
● clear snmp community on page 8-97
● set ip snmp server on page 8-111
● set snmp notify target on page 8-121
● set snmp notify profile on page 8-118
● set snmp protocol on page 8-124
● set snmp usm on page 8-126
● show snmp community on page 8-141

set snmp community group
Sets the security group for the SNMP community. You can select from administrator or monitor.
set snmp notify profile
Configures an SNMP notification profile. A notification profile is a named list of all the notification types that can be generated by an MX, and for each notification type, the action to take (drop or send) when an event occurs. You can configure up to ten notification profiles.
   notification-type Name of the notification type:
      ❑ ApManagerChangeTraps—Generated when a change occurs on an MX managing MPs.
      ❑ ApNonOperStatusTraps—Generated to indicate an MP radio is nonoperational.
      ❑ ApOperRadioStatusTraps—Generated when the status of an MP radio changes.
      ❑ ApRejectLicenseExceededTraps—Generated when the number of MPs exceeds the licenses.
      ❑ AuthenTraps—Generated when the MX switch’s SNMP engine receives a bad community string.
IP Services Commands notification-type (cont.) ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ) ❑ ❑ all CounterMeasureStopTraps—Generated when MSS stops countermeasures against a rogue access point. DeviceFailTraps—Generated when an event with an Alert severity occurs. DeviceOkayTraps—Generated when a device returns to its normal state. LinkDownTraps—Generated when the link is lost on a port. LinkUpTraps—Generated when the link is detected on a port.
The following commands create notification profile snmpprof_rfdetect, and change the action to send for all RF detection notification types:
MX# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectAdhocUserDisappearTraps
success: change accepted.
MX# set snmp notify profile snmpprof_rfdetect send RFDetectClientViaRogueWiredAPTraps
success: change accepted.
IP Services Commands username USM username. This option is applicable only when the SNMP version is usm. If the user sends informs rather than traps, you also must specify the snmp-engine-id of the target. snmp-engine-id {ip | hex hex-string} SNMP engine ID of the target. Specify ip if the target SNMP engine ID is based on the IP address. If the target SNMP engine ID is a hexadecimal value, use hex hex-string to specify the value.
SNMPv2c with Informs
To configure a notification target for informs from SNMPv2c, use the following command:
Syntax set snmp notify target target-num ip-addr[:udp-port-number] v2c community-string inform [profile profile-name] [retries num][timeout num]
   target-num ID for the target. This ID is local to the MX and does not need to correspond to a value on the target. You can specify a number from 1 to 10.
   ip-addr[:udp-port-number] IP address of the server.
Defaults The default UDP port number on the target is 162. The default minimum required security level is unsecured. The default number of retries is 0 and the default timeout is 2 seconds.
Access Enabled.
History Introduced in MSS Version 4.0.
Usage The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the MX. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements.
Examples The following command enables all SNMP versions:
MX# set snmp protocol all enable
success: change accepted.
See Also
● set ip snmp server on page 8-111
● set snmp community on page 8-116
● set snmp notify target on page 8-121
● set snmp notify profile on page 8-118
● set snmp usm on page 8-126
● show snmp status on page 8-142

set snmp security
This command is deprecated in MSS Version 7.0.

set snmp trap
This command is deprecated in MSS Version 4.0.
IP Services Commands set snmp usm Creates a USM user for SNMPv3. Note: This command does not apply to SNMPv1 or SNMPv2c. For these SNMP versions, use the set snmp community command to configure community strings.
   auth-type {none | md5 | sha} {auth-pass-phrase string | auth-key hex-string} Specifies the authentication type used to authenticate communications with the remote SNMP engine. You can specify one of the following:
      ❑ none—No authentication is used.
      ❑ md5—Message-digest algorithm 5 is used.
      ❑ sha—Secure Hashing Algorithm (SHA) is used.
   If the authentication type is md5 or sha, you can specify a passphrase or a hexadecimal key.
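The management-service and SNMP commands in this chapter (set ip telnet server, set ip ssh server, set ip snmp server, set snmp protocol, set snmp community, set snmp usm) can be reviewed together as one hardening check. The Python audit below is an added example, not part of the Trapeze guide: the configuration lines are constructed, the v1 and v2c protocol keywords and the full layout of the set snmp usm line are assumptions beyond the syntax quoted on this page, and the severity labels are the example's own.

```python
WRITE_ACCESS = {"read-write", "notify-read-write"}

# Constructed sample: one "set" command per line, as typed at the MX# prompt.
# The usm line layout (snmp-engine-id ... access ...) is an assumption.
SAMPLE_CONFIG = """\
set ip ssh server enable
set ip telnet server enable
set ip telnet 5000
set ip snmp server enable
set snmp protocol all enable
set snmp community name public access read-only
set snmp community name netops access read-write
set snmp usm nmsuser snmp-engine-id local access read-only auth-type none
"""


def parse_config(text):
    """Return the effective settings; a later command overrides an earlier one."""
    state = {
        # Defaults stated on the page: SSH enabled, HTTPS and SNMP disabled.
        # The Telnet server default is not stated here, so it starts unknown.
        "services": {"ssh": True, "https": False, "snmp": False, "telnet": None},
        # Assumption: an SNMP version counts as off until a command enables it.
        "protocols": {"v1": False, "v2c": False, "usm": False},
        "communities": {},  # community name -> access level
        "usm_auth": {},     # USM username -> auth-type
    }
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        switch = tok[4] if len(tok) == 5 and tok[4] in ("enable", "disable") else None
        if tok[1] == "ip" and tok[3] == "server" and switch:
            state["services"][tok[2]] = switch == "enable"
        elif tok[1:3] == ["snmp", "protocol"] and switch:
            versions = list(state["protocols"]) if tok[3] == "all" else [tok[3]]
            for version in versions:
                state["protocols"][version] = switch == "enable"
        elif tok[1:4] == ["snmp", "community", "name"] and len(tok) >= 7 and tok[5] == "access":
            state["communities"][tok[4]] = tok[6]
        elif tok[1:3] == ["snmp", "usm"] and "auth-type" in tok[4:-1]:
            state["usm_auth"][tok[3]] = tok[tok.index("auth-type", 4) + 1]
    return state


def audit(text):
    """Return (severity, item, message) findings for the effective configuration."""
    state = parse_config(text)
    services = state["services"]
    findings = []
    if services["telnet"]:
        findings.append(("HIGH", "telnet", "Telnet server enabled: CLI logins are not encrypted"))
    if not services["ssh"]:
        findings.append(("MEDIUM", "ssh", "SSH server disabled: no encrypted CLI access"))

    def snmp_finding(severity, item, message):
        # SNMP settings are only reachable while the SNMP service is enabled.
        if services["snmp"]:
            findings.append((severity, item, message))
        else:
            findings.append(("INFO", item, message + " (SNMP service currently disabled)"))

    for version in ("v1", "v2c"):
        if state["protocols"][version]:
            snmp_finding("MEDIUM", "snmp-" + version, "community-based SNMP version enabled")
    for name, access in sorted(state["communities"].items()):
        if access in WRITE_ACCESS:
            snmp_finding("HIGH", "community:" + name, "community string grants " + access)
    for user, auth in sorted(state["usm_auth"].items()):
        if auth == "none":
            snmp_finding("HIGH", "usm:" + user, "SNMPv3 user has no authentication")
        elif auth == "md5":
            snmp_finding("LOW", "usm:" + user, "SNMPv3 user authenticates with MD5; sha is available")
    return findings


if __name__ == "__main__":
    for severity, item, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {item:18} {message}")
```

Because a later command overrides an earlier one, appending set ip snmp server disable to the sample downgrades every SNMP finding to INFO rather than hiding it.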
set snmp view
Controls SNMP view operations to allow different levels of access to management information.
Syntax set snmp view view-name description description [root included | excluded] treefamily oid-subtree [included| excluded]
   view view-name The name configured for a view.
   description description A text description of the view
   root [included | excluded] Include or exclude the root of the OID tree.
   treefamily [included | excluded] Include or exclude the OID treefamily.
IP Services Commands min Minute to start or end the time change—a value between 0 and 59. end End of the time change period. Defaults If you do not specify a start and end time, the system implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in October, according to the North American standard. Access Enabled. History Introduced in MSS Version 1.0.
success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
MX# set system ip-address 10.10.20.20
success: change accepted.
See Also
● clear system ip-address on page 8-99
● set interface on page 8-102
● show system on page 4-40

set timedate
Sets the time of day and date on the MX.
Syntax set timedate {date mmm dd yyyy [time hh:mm:ss]}
   date mmm dd yyyy System date:
      ❑ mmm—month.
      ❑ dd—day.
      ❑ yyyy—year.
   time hh:mm:ss System time, in hours, minutes, and seconds.
IP Services Commands Syntax set timezone zonename {-hours [minutes]} zonename Time zone name of up to 32 alphabetic characters. You can use a standard name or any name you like. - Minus time to indicate hours (and minutes) to be subtracted from UTC. Otherwise, hours and minutes are added by default. hours Number of hours to add or subtract from UTC. minutes Number of minutes to add or subtract from UTC. Defaults If this command is not used, then the default time zone is UTC. Access Enabled.
IP Services Commands Table 8– 19. Output for show arp Field Description ARP aging time Number of seconds a dynamic entry can remain unused before MSS removes the entry from the ARP table. Host IP address, hostname, or alias. HW Address MAC address mapped to the IP address, hostname, or alias. VLAN VLAN the entry is for. Type Entry type: ❑ DYNAMIC—Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout. ❑ LOCAL—Entry for the MX MAC address.
IP Services Commands Table 9.Output for show dhcp-client Field Description Interface VLAN name and number. Configuration Status Status of the DHCP client on this VLAN: Enabled ❑ Disabled ❑ DHCP State State of the IP interface: ❑ IF_UP ❑ IF_DOWN Lease Allocation Duration of the address lease. Lease Remaining Number of seconds remaining before the address lease expires. IP Address IP address received from the DHCP server.
Interface:          default(1)
Status:             UP
Address Range:      10.10.20.2-10.10.20.254
Hardware Address:   00:01:02:03:04:05
State:              BOUND
Lease Allocation:   43200 seconds
Lease Remaining:    12345 seconds
IP Address:         10.10.20.2
Subnet Mask:        255.255.255.0
Default Router:     10.10.20.1
DNS Servers:        10.10.20.4 10.10.20.5
DNS Domain Name:    mycorp.com
Table 10 and Table 11 describe the fields in these displays.

Table 10. Output for show dhcp-server
Field Description
VLAN VLAN number.
Name VLAN name.
IP Services Commands See Also set interface dhcp-server on page 8-104 show interface Displays the IP interfaces configured on the MX. Syntax show interface [vlan-id] vlan-id VLAN name or number. Defaults If you do not specify a VLAN ID, interfaces for all VLANs are displayed. Access All. History Version 1.0 Command introduced. Version 4.0 RIB field added. Usage The IP interface table flags an address assigned by a DHCP server with an asterisk ( * ).
show ip alias
Displays the IP aliases configured on the MX.
Syntax show ip alias [name]
   name Alias string.
Defaults If you do not specify an alias name, all aliases are displayed.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples The following command displays all the aliases configured on an MX:
MX# show ip alias
Name                 IP Address
-------------------- --------------------
HR1                  192.168.1.2
payroll              192.168.1.3
radius1              192.168.7.
IP Services Commands Table 8– 3.
IP Services Commands Table 8– 4. Output for show ip https (continued) Field Description IP Address IP address of the device that established the connection. Note: If a browser connects to an MX from behind a proxy, then only the proxy IP address is shown. If multiple browsers connect using the same proxy, the proxy address appears only once in the output. Last Connected Time when the device established the HTTPS connection to the MX.
IP Services Commands Table 8– 5. Output for show ip route Field Description Destination/Mask IP address and subnet mask of the route destination. The 244.0.0.0 route is automatically added by MSS and supports the IGMP snooping feature. Proto Protocol that added the route to the IP route table. The protocol can be one of the following: ❑ IP—MSS added the route. ❑ Static—An administrator added the route. Metric Cost for using the route. NH-Type Next-hop type: ❑ Local—Route is for a local interface.
Table 8– 6. Output for show ip telnet
Field Description
Server Status State of the HTTPS server:
   ❑ Enabled
   ❑ Disabled
Port TCP port number that the MX listens for Telnet management traffic.
See Also
● clear ip telnet on page 8-95
● set ip https server on page 8-109
● set ip telnet on page 8-112
● set ip telnet server on page 8-113
● show ip https on page 8-137

show ntp
Displays NTP client information.
Syntax show ntp
Defaults None.
Access All.
History Version 1.
IP Services Commands Table 8– 7. Output for show ntp (continued) Field Description Current time System time that was current on the MX when you pressed Enter after typing the show ntp command. Timezone Time zone configured on the switch. MSS offsets the time reported by the NTP server based on the time zone. Note: This field is displayed only if you change the time zone. Summertime Summertime period configured on the switch.
See Also
● clear snmp community on page 8-97
● set snmp community on page 8-116

show snmp counters
Displays SNMP statistics counters.
Syntax show snmp counters
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.0.

show snmp notify profile
Displays SNMP notification profiles.
Syntax show snmp notify profile
Defaults None.
Access Enabled.
History Introduced in MSS Version 4.0.
See Also
● set snmp community on page 8-116
● set snmp notify target on page 8-121
● set snmp notify profile on page 8-118
● set snmp protocol on page 8-124
● set snmp security on page 8-125
● set snmp usm on page 8-126
● show snmp community on page 8-141
● show snmp counters on page 8-142
● show snmp notify profile on page 8-142
● show snmp notify target on page 8-142
● show snmp usm on page 8-143

show snmp usm
Displays information about SNMPv3 users.
Defaults None.
Access Enabled.
IP Services Commands ● ● ● set timezone on page 8-130 show timedate on page 8-144 show timezone on page 8-144 show timedate Shows the date and time of day currently set on an MX real-time clock. Syntax show timedate Defaults None. Access All. History Introduced in MSS Version 1.0.
telnet
Opens a Telnet client session with a remote device.
Syntax telnet {ip-addr | hostname} [port port-num]
   ip-addr IP address of the remote device.
   hostname Hostname of the remote device.
   port port-num TCP port number that the TCP server on the remote device listens for Telnet connections.
Defaults MSS attempts to establish Telnet connections with TCP port 23 by default.
Access Enabled.
History Introduced in MSS Version 1.1.
traceroute
Traces the route from the MX to an IP host.
Syntax traceroute host [dnf] [no-dns] [port port-num] [queries num] [size size] [ttl hops] [wait ms]
   host IP address, hostname, or alias of the destination host. Specify the IP address in dotted decimal notation.
   dnf Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented.
   no-dns Prevents MSS from performing a DNS lookup for each hop to the destination host.
If Traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable message, MSS displays one of the error codes described in Table 8– 8 instead of displaying the round-trip time or an asterisk (*). Table 8– 8 describes the traceroute error messages.

Table 8– 8. Error Messages for traceroute
Field Description
!N No route to host. The network is unreachable.
!H No route to host. The host is unreachable.
!P Connection refused. The protocol is unreachable.
9 AAA Commands Use authentication, authorization, and accounting (AAA) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual LAN (VLAN) or security ACL assignment by AAA or the local MX database to help you control access locally. (Security ACLs are packet filters. For command descriptions, see “Security ACL Commands,” on page 15-391.) This chapter presents AAA commands alphabetically.
AAA Commands clear mac-usergroup on page 9-155 Web authorization Accounting New set web-portal on page 9-189 set accounting {admin | console} on page 9-160 set accounting cdr on page 9-161 set accounting {dot1x | mac | web | last-resort} on page 9-161 Updated set accounting command on page 9-163 Updated set accounting system on page 9-163 show accounting statistics on page 9-199 clear accounting on page 9-148 clear accounting command on page 9-149 AAA information show aaa on page 9-190 show mac-user
AAA Commands system Disables sending of Accounting-On and Accounting-Off messages to a RADIUS server, if previously enabled. When this command is entered, an Accounting-Off message is generated and sent to the server or server group specified with the set accounting system command. user-glob Single user or set of users with administrative access or network access.
AAA Commands History Introduced in MSS 1.0. Note: The syntax descriptions for the clear authentication commands are separate for clarity. However, the options and behavior for the clear authentication admin command are the same as in previous releases. Examples The following command clears authentication for administrator Jose: MX# clear authentication admin Jose success: change accepted.
● show aaa on page 9-190

clear authentication dot1x
Removes an 802.1X authentication rule.
Syntax clear authentication dot1x {ssid ssid-name | wired} user-glob
   ssid ssid-name SSID name to which this authentication rule applies.
   wired Clears a rule used for access over an MX wired-authentication port.
   user-glob User-glob associated with the rule you are removing.
Defaults None.
Access Enabled.
History
   Version 1.0 Command introduced
   Version 3.
AAA Commands Defaults None. Access Enabled. History Version 1.0 Command introduced Version 3.
   wired Clears a rule used for access over an MX wired-authentication port.
   user-glob User-glob associated with the rule you are removing.
Defaults None.
Access Enabled.
History Introduced in MSS 3.0.
Examples The following command removes WebAAA for SSID research and userglob temp*@thiscorp.com:
MX# clear authentication web ssid research temp*@thiscorp.
AAA Commands clear mac-user Removes a user profile from the local database on the MX for a user authenticated by a MAC address. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.) Syntax clear mac-user mac-address-glob mac-address-glob MAC address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. Defaults None. Access Enabled. History Introduced in MSS 1.0. Version 1.0 Command introduced. Version 7.
Examples The following command removes an access control list (ACL) from the profile of a user at MAC address 01:02:03:04:05:06:
MX# clear mac-user 01:02:03:04:05:06 attr filter-id
success: change accepted.
See Also
● set mac-user attr on page 9-178
● show aaa on page 9-190

clear mac-user group
Removes a user profile from a MAC user group in the local database on the MX for a user authenticating with a MAC address.
AAA Commands Access Enabled. History Introduced in MSS 1.0. Usage To remove a user from a MAC user group, use the clear mac-user group command. Examples The following command deletes the MAC user group eastcoasters from the local database: MX# clear mac-usergroup eastcoasters success: change accepted.
AAA Commands Defaults None. Access Enabled. History Introduced in MSS 1.0. Examples The following command removes the Mobility Profile for user Nin: MX# clear mobility-profile Nin success: change accepted. See Also ● ● ● set mobility-profile on page 9-183 set mobility-profile mode on page 9-184 show mobility-profile on page 9-201 clear user Removes a user profile from the local database on the MX. (To remove a user profile in RADIUS, see the documentation for your RADIUS server.
AAA Commands Access Enabled. History Introduced in MSS 1.0. Examples The following command removes the Session-Timeout attribute from jsmith user profile: MX# clear user jsmith attr session-timeout success: change accepted. See Also ● ● set user attr on page 9-186 show aaa on page 9-190 clear user group Removes a user with a password from membership in a user group in the local database on the MX. (To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.
Usage If a user’s password has expired, or the user is unable to log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator. Use this command to restore access to the user.
Examples The following command restores access to user Nin, who was previously locked out of the system:
MX# clear user Nin lockout
success: change accepted.
AAA Commands Syntax clear usergroup group-name attr attribute-name group-name Name of an existing user group. attribute-name Name of an attribute used to authorize all the users in the group for a particular service or session characteristic. (For a list of authorization attributes, see Table 9– 9 on page 179.) Defaults None. Access Enabled. History Introduced in MSS 1.0.
AAA Commands method1 method2 method3 method4 At least one of up to four methods that MSS uses to process accounting records. Specify one or more of the following methods in priority order. If the first method does not succeed, MSS tries the second method, and so on. A method can be one of the following: ❑ local—Stores accounting records in the local database on the MX switch. When the local accounting storage space is full, MSS overwrites older records with new ones.
AAA Commands Syntax set accounting {dot1x | mac | web | last-resort} {ssid ssid-name | wired} {user-glob | mac-addr-glob} {start-stop | stop-only} method1 [method2] [method3] [method4] dot1x Users with network access through the MX switch who are authenticated by 802.1X.
success: change accepted.
See Also
❑ clear accounting on page 9-148
❑ show accounting statistics on page 9-199
set accounting command
Provides the ability to log all CLI commands to an external server for auditing purposes. The following capabilities are available:
❑ All successfully completed commands are logged.
❑ Commands are logged to an external RADIUS server or servers.
❑ Password/key data is obscured.
Usage Use this command to configure MSS to send an Accounting-On message (Acct-Status-Type = 7) to a RADIUS server when the MX switch starts, and an Accounting-Off message (Acct-Status-Type = 8) to the RADIUS server when the MX switch is administratively shut down. When you enable this command, an Accounting-On message is generated and sent to the specified server or server group. Subsequent Accounting-On messages are generated each time the MX starts.
AAA Commands Defaults By default, authentication is deactivated for all admin users. The default authentication method in an admin authentication rule is local. MSS checks the local MX database for authentication. Access Enabled. History MSS 1.0 Command introduced. MSS 7.1 LDAP added as an authentication method. Note: The syntax descriptions for the set authentication commands are separated for clarity.
AAA Commands Syntax set authentication console user-glob method1 [method2] [method3] [method4] user-glob Single user or set of users with administrative access through the switch’s console. Specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character—either an at sign (@) or a period (.). (For details, see “User Globs” on page 2–7.
AAA Commands If you specify multiple authentication methods in the set authentication console command, MSS applies them in the order in which they appear in the command, with these results: If the first method responds with pass or fail, the evaluation is final. ● If the first method does not respond, MSS tries the second method, and so on.
AAA Commands protocol Protocol used for authentication. Specify one of the following: ❑ eap-md5—Extensible Authentication Protocol (EAP) with message-digest algorithm 5. For wired authentication clients: • Uses challenge-response to compare hashes • Provides no encryption or integrity checking for the connection Note: The eap-md5 option does not work with Microsoft wired authentication clients.
AAA Commands specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name. You cannot configure client authentication that uses both EAP-TLS protocol and one or more RADIUS servers. EAP-TLS authentication is supported only on the local MX database.
AAA Commands set authentication mac Configures authentication and defines where it is performed for specified non-802.1X users with network access through a media access control (MAC) address. Syntax set authentication mac {ssid ssid-name | wired} mac-address-glob method1 [method2] [method3] [method4] ssid ssid-name SSID name to which this authentication rule applies. To apply the rule to all SSIDs, type any.
AAA Commands If the username does not match an authentication rule for the SSID the user is attempting to access, MSS uses the fallthru authentication type configured for the SSID, which can be last-resort, web-portal (for WebAAA), or none. Examples To use the local MX database to authenticate all users who access the mycorp2 SSID by their MAC address, type the following command: MX# set authentication ssid mycorp2 mac ** local success: change accepted.
AAA Commands Examples To allow users a maximum of 3 attempts to log into the system, type the following command: MX# set authentication max-attempts 3 success: change accepted. See Also ● ● ● clear user lockout on page 9-158 set authentication minimum-password-length on page 9-172 set authentication password-restrict on page 9-172 set authentication minimum-password-length Specifies the minimum allowable length for user passwords.
AAA Commands Defaults By default the password restrictions are disabled. Access Enabled. History Introduced in MSS 6.0. Usage When this command is enabled, the following password restrictions take effect: ● Passwords must be a minimum of 10 characters in length, and a mix of uppercase letters, lowercase letters, numbers, and special characters, including at least two of each (for example, Tre%Pag32!). A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
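The two restrictions listed above, written as a check a provisioning script could run before sending a password to the MX. This is an added example, not MSS code: the function names, the use of ASCII punctuation as the "special characters" set, and the salted PBKDF2 history store are assumptions of the example.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10        # "minimum of 10 characters"
MIN_PER_CLASS = 2      # "at least two of each"
HISTORY_DEPTH = 10     # "10 previous passwords"
PBKDF2_ROUNDS = 100_000  # assumption of this example, not an MSS value

# Assumption: "special characters" means ASCII punctuation.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def composition_violations(password):
    """Return the list of composition rules the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in password) < MIN_PER_CLASS:
            problems.append(name)
    return problems


class PasswordHistory:
    """Remembers salted digests of the last HISTORY_DEPTH passwords."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest), oldest first

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def contains(self, password):
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries)

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        # Keep only the newest `depth` entries.
        del self._entries[:-self.depth]


def check_new_password(password, history=None):
    """Composition check plus reuse check.

    Pass history=None for network users, to whom the reuse rule
    does not apply.
    """
    problems = composition_violations(password)
    if history is not None and history.contains(password):
        problems.append("reused")
    return problems
```

The guide's own sample password, Tre%Pag32!, passes with exactly two uppercase letters, two digits and two special characters, so changing any one of those characters to a lowercase letter makes it fail.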
AAA Commands Examples The following command configures a proxy authentication rule that matches on all usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy RADIUS requests and hence to authenticate and authorize the users.
AAA Commands If you specify multiple authentication methods in the set authentication web command, MSS applies them in the order in which they appear in the command, with these results: If the first method responds with pass or fail, the evaluation is final. ● If the first method does not respond, MSS tries the second method, and so on.
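The ordering rule stated here, and in the same words for set authentication console, modelled as an added example that is not MSS code. The Backend class, the sample accounts, and the deny result when no method responds are assumptions of the example; srvrgrp1 is the server group name used elsewhere in this chapter.

```python
import hmac
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no response"


class Backend:
    """Stand-in for one authentication method (constructed for the example)."""

    def __init__(self, name, accounts, reachable=True):
        self.name = name
        self.accounts = accounts      # username -> password, sample data only
        self.reachable = reachable

    def __call__(self, username, password):
        if not self.reachable:
            return Result.NO_RESPONSE
        stored = self.accounts.get(username)
        # Simplification: an unknown user on a reachable backend is a fail.
        ok = stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())
        return Result.PASS if ok else Result.FAIL


def evaluate(methods, username, password):
    """Apply method1..method4 in order.

    Returns (granted, decided_by, trail). A pass or a fail from any method
    is final; only "no response" moves on to the next method. If no method
    responds, access is denied (assumption of this example).
    """
    if not 1 <= len(methods) <= 4:
        raise ValueError("specify between one and four methods")
    trail = []
    for method in methods:
        result = method(username, password)
        trail.append((method.name, result))
        if result is not Result.NO_RESPONSE:
            return result is Result.PASS, method.name, trail
    return False, None, trail


def demo():
    """Same credentials, two outcomes, depending on server reachability."""
    radius = Backend("srvrgrp1", {"jsmith": "radius-pw"})
    local = Backend("local", {"jsmith": "local-pw"})
    # RADIUS answers "fail": final, the local entry is never consulted.
    rejected = evaluate([radius, local], "jsmith", "local-pw")
    # RADIUS does not answer: MSS-style fall-through to the local method.
    radius.reachable = False
    fallback = evaluate([radius, local], "jsmith", "local-pw")
    return rejected, fallback
```

A later method is therefore a fallback for an unreachable server, not a second chance for a rejected user, and any account held in a fallback method becomes usable whenever the earlier methods stop responding.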
AAA Commands outacl outacl-name Name of an existing security ACL to apply to packets sent from the MX switch with characteristics that match the location policy rule. Optionally, you can add the suffix .out to the name. Condition options—MSS takes the action specified by the rule if all conditions in the rule are met. You can specify one or more of the following conditions: ssid operator ssid-name SSID with which the user is associated.
AAA Commands Usage Only a single location policy is allowed per MX switch. The location policy can contain up to 150 rules. Once configured, the location policy becomes effective immediately. To disable location policy operation, use the clear location policy command. Conditions within a rule are AND’ed. All conditions in the rule must match in order for MSS to take the specified action.
Syntax set mac-user mac-address-glob [group group-name]
mac-addr-glob Allows a group of MAC devices to authenticate, such as a group of VoIP phones. Only one asterisk is allowed and it must be the last character. The most specific format overrides other formats. For instance, 00:11:30:21:ab:cd overrides an entry of 00:11:30:*.
group-name Name of an existing MAC user group.
Defaults None. Access Enabled.
History MSS Version 1.0 Introduced command. MSS Version 6.2 MAC glob introduced.
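The glob rules above (one asterisk, last character only, most specific entry wins) as an added example that is not MSS code. It assumes the asterisk replaces whole trailing octets, as in 00:11:30:*; the function names, the group names and the sample table are constructed for the example.

```python
import re

OCTET = re.compile(r"[0-9a-f]{2}")


def parse_mac_glob(glob):
    """Return (fixed_octets, has_wildcard) for a MAC address or MAC glob.

    Assumption: the asterisk stands for whole trailing octets (00:11:30:*).
    """
    text = glob.strip().lower()
    if text.count("*") > 1:
        raise ValueError(f"{glob!r}: only one asterisk is allowed")
    if "*" in text and not text.endswith("*"):
        raise ValueError(f"{glob!r}: the asterisk must be the last character")
    parts = text.split(":")
    has_wildcard = parts[-1] == "*"
    fixed = parts[:-1] if has_wildcard else parts
    if not all(OCTET.fullmatch(p) for p in fixed):
        raise ValueError(f"{glob!r}: each octet must be two hex digits")
    if has_wildcard and not 1 <= len(fixed) <= 5:
        raise ValueError(f"{glob!r}: a glob needs one to five fixed octets")
    if not has_wildcard and len(fixed) != 6:
        raise ValueError(f"{glob!r}: a full MAC address has six octets")
    return fixed, has_wildcard


def best_match(mac, entries):
    """Return (glob, group) for the most specific entry matching mac, or None.

    Specificity is the number of fixed octets, so an exact address (six
    octets) always beats a glob, and a longer glob beats a shorter one.
    """
    octets, wildcard = parse_mac_glob(mac)
    if wildcard:
        raise ValueError("a client MAC address cannot contain an asterisk")
    best = None
    for glob, group in entries.items():
        fixed, _ = parse_mac_glob(glob)
        if octets[:len(fixed)] != fixed:
            continue
        if best is None or len(fixed) > best[0]:
            best = (len(fixed), glob, group)
    return None if best is None else (best[1], best[2])


# Constructed sample table; the two addresses from the text plus one more
# glob, with hypothetical group names.
MAC_USERS = {
    "00:11:30:*": "voip-phones",
    "00:11:30:21:*": "lab-phones",
    "00:11:30:21:ab:cd": "reception-desk",
}
```

Running best_match over the addresses seen in session logs shows which entry actually admits each device, and how many devices a short glob such as 00:11:30:* covers.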
AAA Commands History Version 1.0 Command introduced Version 1.1 Authorization attributes encryption-type and time-of-day added Version 3.0 Authorization attributes end-date, ssid, start-date, and url added Version 5.0 Authorization attribute acct-interim-interval added Version 7.1 Attributes qos-profile, simultaneous-logins, and termination-action added. Usage To change the value of an attribute, enter set mac-user attr with the new value. To delete an attribute, use clear mac-user attr.
AAA Commands Table 9– 9. Authentication Attributes for Local Users (continued) Attribute Description mobility-profile (network access mode only) Mobility Profile attribute for the Name of an existing Mobility Profile, up to user. (For more information, see 32 alphanumeric characters, with no tabs or spaces. set mobility-profile on page 9-183.
AAA Commands Table 9– 9. Authentication Attributes for Local Users (continued) Attribute Description Valid Value(s) time-of-day (network access mode only) Day(s) and time(s) during which One of the following: the user is permitted to log into ❑ never—Access is always denied. the network. ❑ any—Access is always allowed. After authorization, the user session can last until either the ❑ al—Access is always allowed.
Table 9–9. Authentication Attributes for Local Users (continued)
Attribute: acct-interim-interval
Description: Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
Valid Value(s): Number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates. The MX ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.
AAA Commands Examples The following command creates the MAC user group eastcoasters and assigns the group members to VLAN orange: MX# set mac-usergroup eastcoasters attr vlan-name orange success: change accepted. See Also clear mac-usergroup attr on page 9-156 show aaa on page 9-190 ● ● set mobility-profile Creates a Mobility Profile and specifies the MP and/or wired authentication ports on the MX through which any user assigned to the profile is allowed access.
AAA Commands To enable the use of the Mobility Profile feature on the MX switch, use the set mobility-profile mode command. Warning! When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile attribute in the local MX database or RADIUS server when no Mobility Profile of that name exists on the MX. To change the ports in a profile, use set mobility-profile again with the updated port list.
AAA Commands History Introduced in MSS 1.0. Examples To enable the use of the Mobility Profile feature, type the following command: MX# set mobility-profile mode enable success: change accepted. See Also ● ● ● clear mobility-profile on page 9-156 set mobility-profile on page 9-183 show mobility-profile on page 9-201 set user Configures a user profile in the local database on the MX for a user with a password. (To configure a user profile in RADIUS, see the documentation for your RADIUS server.
AAA Commands See Also ● ● clear user on page 9-157 show aaa on page 9-190 set user attr Configures an authorization attribute in the local database on the MX for a user with a password. (To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.) Syntax set user username attr attribute-name value username Username of a user with a password.
AAA Commands See Also clear user attr on page 9-157 show aaa on page 9-190 ● ● set user expire-password-in Specifies how long a user’s password is valid before it must be reset. Syntax set user username expire-password-in time username Username of a user with a password. time How long the specified user’s password is valid. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h).
AAA Commands Examples The following command adds user Hosni to the cardiology user group: MX# set user Hosni group cardiology success: change accepted. See Also ● ● clear user group on page 9-158 show aaa on page 9-190 set usergroup Creates a user group in the local database on the MX for users and assigns authorization attributes for the group. (To create user groups and assign authorization attributes in RADIUS, see the documentation for your RADIUS server.
AAA Commands show aaa on page 9-190 ● set usergroup expire-password-in Specifies how long the passwords for the users in user group are valid before they must be reset. Syntax set usergroup group-name expire-password-in time group-name Name of a group for password users. time How long the passwords for the users in the specified group are valid. The amount of time can be specified in days (for example, 30 or 30d), hours (720h), or a combination of days and hours (30d12h).
AAA Commands Examples To disable WebAAA, type the following command: MX# set web-portal disable success: change accepted. See Also ● ● ● clear authentication web on page 9-152 set service-profile [rsn-id | wpa-ie] auth-fallthru on page 12-287 set user on page 9-185 show aaa Deprecated command. Syntax show aaa Defaults None. Access Enabled. History Version 1.0 Command introduced Version 4.0 Web Portal section added, to indicate the state of the WebAAA feature Version 6.
Examples To display all MAC users, type the following command:
MX# show mac-user
MX# show mac-user [|verbose]
MAC               Group    VLAN
----------------  -------- -------
00:11:11:21:11:12 Guests   insecure
00:11:11:21:11:*  Guests   red
MX# show mac-user 00:11:11:21:11:12
MAC               Group    VLAN
----------------  -------- -------
00:11:11:21:11:12 Guests   insecure
MX# show mac-user verbose
MAC: 00:11:11:21:12 Group: Guests VLAN insecure
Other attributes: ssid: trapeze end-date: 01/08/23-12:00 idle-timeout: 120 acct-interim-interval: 180
MAC: 00:11:11:21:* Group: Guests VLAN insecure
Other attributes: ssid: trapeze end-date: 01/08/23-12:00 idle-timeout: 120 acct-interim-interval: 180
AAA Commands MX# show mac-user 00:11:11:21:11* verbose MAC: 00:11:11:21:* Group: Guests VLAN insecure Other attributes: ssid: trapeze end-date: 01/08/23-12:00 idle-timeout: 120 acct-interim-interval: 180 Table 9– 14 describes the fields that can appear in the show mac-user output. Table 9– 10.
AAA Commands History Introduced in MSS Version 6.2 Examples The following command displays information about MAC usergroups: MX# show mac-usergroup [|verbose] MAC Usergroup ------------------ Users Mapped to Group -------------- VLAN ------ Other Attr.
Table 9–11. show mac-usergroup output
Field: Description
MAC: MAC address
Group: Member of a configured group
VLAN: Current VLAN of the MAC user
Other attributes: Other AAA attributes
ssid: Current SSID configured for the MAC user
end-date: The expiration date for the MAC user
idle-timeout: Number of seconds the user is idle before the connection is lost.
acct-interim-interval: Interval in seconds between accounting updates, if start-stop accounting mode is enabled.
AAA Commands MX# show user verbose User name: johndoe Status: disabled Password: iforgot(encypted) Group: Admin VLAN: red Password-expires-in: 12 days Other attributes: ssid: trapeze end-date: 01/08/23-12:00 idle-timeout: 120 acct-interim-interval: 180 User name: johnsmith Status: enabled Password: iforgot2(encypted) Group: Admin VLAN: red Password-expires-in: 12 days Other attributes: None User name: guest_access Status: disabled Password: iforgot3(encypted) Group: A
idle-timeout: 120 acct-interim-interval: 180
User name: johnsmith Status: enabled Password: iforgot2(encypted) Group: Admin VLAN: red Password-expires-in: 12 days Other attributes: None
Table 9–12 describes the fields that can appear in show user output.
Table 9–12. show user Output
Field: Description
User Name: Name configured for a user on the MX.
AAA Commands Examples MX# show usergroup [} Usergroup ------------------ Users Mapped to Group -------------- VLAN ------ Other Attr.
AAA Commands Table 9– 13. show usergroup Output Field Description end-date The date and time that the usergroup is no longer valid. idle-timeout The length of time, in seconds, that a user can be idle before logging out of the network. acct-interm-interval Interval in seconds between accounting updates, if start-stop accounting mode is enabled Users in this group: All users configured in the usergroup User Name Configured user names in this group VLAN Assigned VLAN for each user. Table 9– 14.
AAA Commands Acct-Session-Id=SESS-3-01f82f-520236-24bb1223 User-Name=vineet AAA_ACCT_SVC_ATTR=2 Acct-Session-Time=551 Event-Timestamp=1134520788 Acct-Output-Octets=3204 Acct-Input-Octets=1691 Acct-Output-Packets=20 Acct-Input-Packets=19 AAA_VLAN_NAME_ATTR=default Calling-Station-Id=00-06-25-12-06-38 Nas-Port-Id=3/1 Called-Station-Id=00-0B-0E-00-CC-01 AAA_SSID_ATTR=vineet-dot1x Dec 14 00:39:53 Acct-Status-Type=START Acct-Authentic=0 User-Name=vineet Acct-Multi-Session-Id=SESS-4-01f82f-520793-bd779517 Acct-S
AAA Commands Table 9– 15. show accounting statistics Output (continued) Field Description Acct-Output-Packets Number of packets the MX sent during the session. Acct-Input-Packets Number of packets the MX received during the session. Vlan-Name Name of the client VLAN. Calling-Station-Id MAC address of the supplicant (client). Nas-Port-Id Number of the port and radio on the MP through which the session was conducted.
History
Version 1.0 Command introduced
Version 2.0 Port type description added:
❑ AP—MP access port
❑ DAP—Distributed MP connection
Examples The following command displays the Mobility Profile magnolia:
MX# show mobility-profile magnolia
Mobility Profiles
Name Ports
=========================
magnolia AP 12
See Also
● clear mobility-profile on page 9-156
● set mobility-profile on page 9-183
10 Mobility Domain Commands Use Mobility Domain commands to configure and manage Mobility Domain groups. A Mobility Domain is a system of MXs and MPs working together to support a roaming user (client). One MX acts as a seed MX, which maintains and distributes a list of IP addresses of the domain members. Smart Cluster is a network resiliency feature added in MSS 7.0. It has the following features: ❑ ❑ ❑ ❑ Centralized configuration of MXs and MPs. Autodistribution of configuration parameters to MPs.
show cluster on page 10-210
show cluster ap on page 10-211
clear domain security
Disables MX-MX security.
Syntax clear domain security
Defaults None. Access Enabled. History Introduced in MSS 5.0.
Usage This command is equivalent to the set domain security none command.
Examples The following command disables MX-MX security on an MX:
MX-20# clear domain security
success: change accepted.
Syntax clear mobility-domain ap-affinity-group [address ipaddr netmask netmask | ip/netmask]
Defaults None. Access Enabled. History Introduced in MSS 7.1.
clear mobility-domain member
On the seed MX, the command removes the identified member from the Mobility Domain.
Syntax clear mobility-domain member ip-addr
ip-addr IP address of the Mobility Domain member, in dotted decimal notation.
Defaults None. Access Enabled. History Introduced in MSS 1.0.
Defaults None. Access Enabled.
History MSS 7.0 Command introduced. MSS 7.3 restore-backup-config deprecated.
Usage You must enable cluster mode on all MXs that are members of the cluster.
Examples The following command enables cluster mode on an MX in a mobility domain:
MX# set cluster mode enable
success: change accepted.
set cluster preempt
Use this command on the secondary seed of the cluster to allow the secondary seed to become active if the primary seed fails.
success: change accepted.
set mobility-domain ap-affinity-group
Allows you to specify preferred IP subnets for a primary and backup MX on the network. It places APs in affinity groups based on the subnets. A cluster member can belong to multiple affinity groups.
Syntax set mobility-domain ap-affinity-group address [ipaddr netmask netmask | ip/masklen]
Defaults None. Access Enabled. History Introduced in MSS 7.1.
Usage Extends the configuration between the PAM and members.
Mobility Domain Commands success: change accepted. MX# set mobility-domain member 192.168.1.10 success: change accepted. See Also ● ● ● clear mobility-domain member on page 10-205 set mobility-domain mode seed domain-name on page 10-210 show mobility-domain config on page 10-212 set mobility-domain mode member secondary-seed-ip Sets the IP address of the secondary seed MX on a nonseed MX.
Mobility Domain Commands Access Enabled. History Version 1.0 Command introduced Version 5.0 Option key hex-bytes added. Examples The following command sets the current MX as a nonseed member of the Mobility Domain whose seed has the IP address 192.168.1.8: MX# set mobility-domain mode member secondary-seed-ip 192.168.1.
Mobility Domain Commands Examples The following command configures this MX as the secondary seed in a Mobility Domain named Pleasanton: MX# set mobility-domain mode secondary-seed domain-name Pleasanton mode is: secondary-seed domain name is: Pleasanton See Also ● ● clear mobility-domain member on page 10-205 show mobility-domain on page 10-212 set mobility-domain mode seed domain-name Creates a Mobility Domain by setting the current MX as the seed device and naming the Mobility Domain.
History Introduced in MSS 7.0.
Examples The following command displays the cluster configuration and resiliency state:
Network Resiliency Cluster Enabled
Mode : PRIMARY-SEED
Active Seed : YES
Network is Resilient
show cluster ap
Displays all MPs configured on cluster member.
Syntax show cluster ap
Defaults None. Access Enabled. History Introduced in MSS 7.0.
Syntax show cluster upgrade
Defaults None. Access Enabled. History Introduced in MSS 7.1.
show mobility-domain config
This command was deprecated in MSS 7.0.
show mobility-domain
On the seed MX, displays the Mobility Domain status and members.
Syntax show mobility-domain
Defaults None. Access Enabled.
History Version 1.0 Command introduced Version 7.
Mobility Domain Commands Table 10– 1. show mobility-domain Output (continued) Flags Indicates various states of the Mobility Domain members. ❑ u = up ❑ d = down ❑ c = cluster enabled ❑ p = primary seed ❑ s = secondary seed ❑ m = member ❑ a = active seed ❑ y = syncing ❑ w = waiting to sync ❑ n = sync completed ❑ f = sync failed Member IP addresses of the seed MX and members in the Mobility Domain Flags State of the MX in the Mobility Domain: Letters indicate which flags are present.
11 Network Domain Commands Use Network Domain commands to configure and manage Network Domain groups. A Network Domain is a group of geographically dispersed Mobility Domains that share information over a WAN link. This shared information allows a user configured on an MX in one Mobility Domain to establish connectivity with an MX in another Mobility Domain in the same Network Domain. The MX forwards the user traffic by creating a VLAN tunnel to an MX in the remote Mobility Domain.
Network Domain Commands set network-domain mode seed domain-name on page 11-216 ● clear network-domain mode Removes the Network Domain seed or member configuration from the MX. Syntax clear network-domain mode {seed | member} seed Clears the Network Domain seed configuration from the MX. member Clears the Network Domain member configuration from the MX. Defaults None. Access Enabled. History Introduced in MSS 4.1.
Network Domain Commands success: change accepted. See Also set network-domain peer on page 11-216 clear network-domain seed-ip Removes the specified Network Domain seed from the MX configuration. When you enter this command, the Network Domain TCP connections between the MX switch and the specified Network Domain seed are closed. Syntax clear network-domain seed-ip seed-ip IP address of the Network Domain seed in dotted decimal notation. ip-addr Defaults None. Access Enabled.
Network Domain Commands success: change accepted. The following command sets the MX as a member of a Network Domain with a seed that has the IP address 192.168.9.254 and sets the affinity for that seed to 7. If the MX specifies other Network Domain seeds, and they are configured with the default affinity of 5, then 192.168.9.254 becomes the primary Network Domain seed for the MX. MX# set network-domain mode member seed-ip 192.168.9.254 affinity 7 success: change accepted.
Usage Before you use this command, the current MX must have an IP address set with the set system ip-address command. After you enter this command, Network Domain traffic is sent and received from the specified IP address. You can configure multiple MX switches as Network Domain seeds. If you do this, you must identify them as peers by using the set network-domain peer command.
Network Domain Commands Table 11– 1. show network-domain Output Field Description Output if MX is the Network Domain seed: Network Domain name Name of the Network Domain for which the MX is a seed. Peer IP addresses of the other seeds in the Network Domain.
12 MP Access Point Commands Use MP access point commands to configure and manage MP access points. Be sure to do the following before using the commands: ● Define the country-specific IEEE 802.11 regulations on the MX. (See set system countrycode on page 4-30.) ● Install the MP and connect it to a port on the MX. (See the Trapeze Indoor Mobility Point Installation Guide or Trapeze Mobility Point MP-620 Installation Guide.) Configure an MP as a directly connected MP or a Distributed MP.
MP Access Point Commands set ap auto radiotype on page 12-233 set ap upgrade-firmware on page 12-257 External Antennas set ap radio antennatype on page 12-247 set ap radio antenna-location on page 12-247 MP-MP Tunneling set ap tunnel-affinity on page 12-256 MP-MX security set ap fingerprint on page 12-242 set ap security on page 12-255 Static IP Address Assignment for Distributed MPs set ap boot-configuration ip on page 12-236 set ap boot-configuration switch on page 12-240 set ap boot-configuration
MP Access Point Commands Updated set service-profile rsn-ie on page 12-303 Updated set service-profile [rsn-ie | wpa-ie ]cipher-ccmp on page 12-292 Updated set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 12-293 Updated set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293 Updated set service-profile [rsn-ie | wpa-ie ] cipher-wep40 on page 12-294 set service-profile [rsn-ie | wpa-ie] psk-phrase on page 12-301 Updated set service-profile [rsn-ie | wpa-ie] psk-raw on page 12-
MP Access Point Commands set service-profile soda enforce-checks on page 12-305 set service-profile soda failure-page on page 12-306 set service-profile soda remediation-acl on page 12-308 set service-profile soda success-page on page 12-309 set service-profile soda logout-page on page 12-307 Radio transmit rates set service-profile transmit-rates on page 12-312 set radio-profile rate-enforcement on page 12-276 Transmission retries set service-profile long-retry-count on page 12-298 set service-profile
MP Access Point Commands Updated set ap power-mode on page 12-246 Updated set ap radio channel on page 12-249 set ap radio tx-power on page 12-254 set ap image on page 12-243 set ap led-mode on page 12-244 clear ap radio on page 12-225 show ap config radio on page 12-328 show ap status on page 12-340 show ap counters on page 12-330 show ap global on page 12-351 show ap connection on page 12-349 show ap unconfigured on page 12-352 show ap qos-stats on page 12-336 show ap etherstats on page 12-338 MP Loca
MP Access Point Commands Defaults None. Access Enabled. History Version 5.0 Command introduced. Version 6.0 Option dap removed. Version 6.2 Added index value range of 1-9999. Usage Use this command to configure an MP that was converted to an AirDefense sensor to revert back to an MP. When you do this, the next time the MP is booted, it becomes a Trapeze Mobility Point.
MP Access Point Commands ● ● set ap local-switching vlan-profile on page 12-245 set vlan-profile on page 6-75 clear ap radio Disables an MP radio and resets it to its factory default settings. Syntax clear ap apnum radio {1 | 2 | all} ap apnum Index value that identifies the MP on the MX. You can specify a value between 1 and 9999. radio 1 Radio 1 of the MP. radio 2 Radio 2 of the MP. (This option does not apply to single-radio models.) radio all All radios on the MP.
MP Access Point Commands Access Enabled History Version 1.0 Command introduced. Version 2.0 Option dap added for Distributed MPs. Version 5.0 ❑ ❑ Option antenna-location added. Option auto-tune min-client-rate removed. Option auto-tune max-retransmissions removed. Version 6.0 ❑ Option dap removed for distributed MPs. Version 6.2 Added index value range of 1 to 9999.
MP Access Point Commands See Also ● ● ● set ap boot-configuration ip on page 12-236 set ap boot-configuration vlan on page 12-241 show ap boot-configuration on page 12-348 clear ap radio load-balancing group Removes an MP radio from a load-balancing group. Syntax clear ap apnum radio {1 | 2} load-balancing group ap apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999. radio 1 Radio 1 of the MP. radio 2 Radio 2 of the MP.
MP Access Point Commands clear radio-profile Removes a radio profile or resets one of the profile parameters to the default value. Syntax clear radio-profile name [parameter] name Radio profile name.
MP Access Point Commands The following commands disable the radios using radio profile rptest and remove the profile: MX# set radio-profile rptest mode disable MX# clear radio-profile rptest success: change accepted. See Also ● ● ● ● set ap radio radio-profile on page 12-254 set radio-profile mode on page 12-272 show ap config radio on page 12-328 show radio-profile on page 12-354 clear service-profile Removes a service profile or resets one of the profile parameters to the default value.
success: change accepted.
MX# clear service-profile svcprof6
success: change accepted.
● clear radio-profile on page 12-228
● set radio-profile mode on page 12-272
● show service-profile on page 12-357
reset ap
Restarts an MP access point.
Syntax reset ap apnum
ap apnum Index value that identifies the MP on the MX. You can specify a value between 1 and 9999.
Defaults None. Access Enabled.
History Version 1.0 Command introduced. Version 2.
MP Access Point Commands History Version 4.0 Command introduced. Version 4.2 Option persistent added. Version 5.0 ❑ ❑ ❑ Option force-image-download added. Option radio num auto-tune min-client-rate removed. Option radio num tx-pwr removed. Version 6.0 Option dap removed. Version 7.1 ❑ Options power-mode, time-out, and tunnel-affinity added. Usage Table 12– 2 lists the configurable profile parameters and the default values. The only parameter that requires configuration is the profile mode.
MP Access Point Commands Examples The following command creates a profile for automatic Distributed MP configuration: MX# set ap auto success: change accepted.
MP Access Point Commands ● ● set ap radio radio-profile on page 12-254 set ap upgrade-firmware on page 12-257 set ap auto persistent Converts a temporary MP configuration created by the MP configuration profile into a persistent MP configuration on the MX. Syntax set ap auto persistent [apnum | all] apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999. all Converts the configurations of all Auto-APs being managed by the MX into permanent configurations.
MP Access Point Commands Access Enabled. History Version 4.0 Command introduced. Version 5.0 Option 11a supported. Version 6.0 Option dap removed. Usage If you set the radiotype to 11a and the MP configuration profile is used to configure a two-radio MP model, radio 1 is configured as an 802.11b/g radio and radio 2 is configured as the 802.11a radio. Because this is the reverse of the standard configuration (where radio 1 is the 802.11a radio and radio 2 is the 802.
MP Access Point Commands MX that has the greatest capacity to add more active MPs. For example, if an MP is dual homed to two MX-400 switches, and one of the switches has 50 active MPs while the other MX has 60 active MPs, the new MP selects the MX that has only 50 active MPs. If the boot request on MP port 1 fails, the MP attempts to boot over its port 2, using the same process described above.
MP Access Point Commands set ap blink Enables or disables LED blink mode on an MP to make it easy to identify. When blink mode is enabled on MP-xxx models, the health and radio LEDs alternately blink green and amber. When blink mode is enabled on an AP2750, the 11a LED blinks on and off. By default, blink mode is disabled. Syntax set ap apnum blink {enable | disable} ap apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999. enable Enables blink mode.
MP Access Point Commands gateway gateway-addr The IP address of the next-hop router, in dotted decimal notation. mode {enable | disable} Enables or disables the static IP address for the MP. Defaults By default MPs use DHCP to obtain an IP address, rather than a using a manually assigned IP address. Access Enabled. History Version 4.2 Command introduced. Version 6.0 Option dap removed. Version 6.2 Added the index value range of 1 to 9999.
Examples The following command enables WLAN mesh services for MP 7:
MX# set ap 7 boot-configuration mesh mode enable
success: change accepted.
See Also
● set ap boot-configuration mesh ssid on page 12-239
● set service-profile mesh on page 12-299
● show ap mesh-links on page 12-339

set ap boot-configuration mesh psk-phrase
Specifies a preshared key (PSK) phrase that a Mesh AP uses for authentication to its Mesh Portal AP.
Syntax set ap apnum boot-configuration mesh psk-raw hex
apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
hex  A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the two-character ASCII form of each hexadecimal number.
Defaults None.
Access Enabled.
History
Version 6.0 Command introduced.
Version 6.2 Added the index value range of 1 to 9999.
Usage You must connect the MP to an MX and enter this command to specify the mesh SSID prior to deploying the Mesh AP in its final untethered location. When the MP is booted in an untethered location, and determines that it has no Ethernet link to the network, it then associates with the specified mesh-ssid. Note that when the mesh-ssid is specified, the regulatory domain of the MX and the power restrictions are copied to the MP flash memory.
When a static IP address is specified for a Distributed MP, there is no preconfigured DNS information or DNS name for the MX that the Distributed MP attempts to use as the boot device. If you configure a static IP address for a Distributed MP, but do not specify a boot device, then the MX must be reachable via subnet broadcast.
Examples The following command configures Distributed MP 1 to use an MX with address 172.16.0.21 as its boot device.
See Also
● clear ap boot-configuration on page 12-226
● set ap boot-configuration ip on page 12-236
● show ap boot-configuration on page 12-348

set ap fingerprint
Verifies an MP fingerprint on an MX. If MP-MX security is required by an MX, an MP can establish a management session with the MX only if you have verified the MP identity by verifying the fingerprint on the MX.
Syntax set ap apnum fingerprint fingerprint
ap apnum  Index value that identifies the MP on the MX.
Syntax set ap auto force-image-download {enable | disable}
ap auto  Configures forced image download for the MP configuration profile. (See set ap auto on page 12-230.)
force-image-download enable  Enables forced image download.
force-image-download disable  Disables forced image download.
Defaults Forced image download is disabled by default.
Access Enabled.
History
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Access Enabled.
History
Version 5.0 Command introduced.
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Usage After the AirDefense sensor software is copied to the MX, use this command to configure an MP to load the software. When you do this, the software is transferred to the MP, which then reboots and comes up as an AirDefense sensor.
Examples The following command causes Distributed MP 1 to load the adconvert.
enable  Enables local switching for the MP.
disable  Disables local switching for the MP.
Defaults Local switching is disabled by default.
Access Enabled.
History
Version 6.0 Command introduced.
Version 6.2 Added the index value range of 1 to 9999.
Usage Local switching allows traffic for specified VLANs to be switched by the MP, instead of tunneling traffic back to an MX. The VLANs that perform local switching are specified in a VLAN profile.
See Also
● set ap local-switching mode on page 12-244
● clear ap local-switching vlan-profile on page 12-224
● set vlan-profile on page 6-75

set ap name
Changes an MP name.
Syntax set ap apnum name name
ap apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
name  Alphanumeric string of up to 16 characters, with no spaces.
Examples To set an MP to use the maximum available power, use the following command:
MX# set ap 3 power-mode high
success: change accepted.

set ap radio antenna-location
Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure that the proper set of channels is available on the radio. In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors.
antennatype {ANT5060 | ANT5120 | ANT5180 | internal}  MP-3xx 802.11a external antenna models:
❑ ANT5060—60° 802.11a antenna
❑ ANT5120—120° 802.11a antenna
❑ ANT5180—180° 802.11a antenna
❑ internal—Uses the internal antenna instead
antennatype {ANT-1360-OUT | ANT-5360-OUT | ANT-5060-OUT | ANT-5120-OUT | internal}  MP-620 external antenna models:
❑ ANT-1360-OUT—360° 802.11b/g antenna
❑ ANT-5360-OUT—360° 802.11a antenna
❑ ANT-5060-OUT—60° 802.11a antenna
❑ ANT-5120-OUT—120° 802.
radio 2  Radio 2 of the MP. (This option does not apply to single-radio models.)
power-level  Maximum power setting RF Auto-Tuning can assign to the radio, expressed as the number of decibels in relation to 1 milliwatt (dBm). You can specify a value from 1 up to the maximum value allowed for the country of operation. The power-level can be a value from 1 to 20 or you can set it to default.
Defaults The default channel depends on the radio type:
● The default channel number for 802.11b/g is 6.
● The default channel number for 802.11a is the lowest valid channel number for the country of operation.
Access Enabled.
History
Version 1.0 Command introduced
Version 2.0 Option dap added for Distributed MPs
Version 6.0 Option dap removed.
Version 6.2 Added the index value range of 1 to 9999.
Version 7.3 Option channel-number changed to channel.
History
Version 6.0 Command introduced.
Version 6.2 Added index value range of 1 to 9999.
Usage A Mesh Portal MP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on an MP, link calibration packets are sent at a rate of 5 per second.
Examples The following command disables RF load balancing for MP radio 1 on MP 7:
MX# set ap 7 radio 1 load-balancing disable
See Also
● set load-balancing strictness on page 12-259
● clear ap radio load-balancing group on page 12-227
● set ap local-switching mode on page 12-244
● show load-balancing group on page 12-353

set ap radio load-balancing group
Assigns an MP radio to a load balancing group.
set ap radio mode
Enables or disables a radio on an MP.
Syntax set ap {apnum | auto} radio {1 | 2} mode {enable | sentry | disable}
ap apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
ap auto  Sets the radio mode for MPs managed by the MP configuration profile. (See set ap auto on page 12-230.)
radio 1  Radio 1 of the MP.
radio 2  Radio 2 of the MP. (This option does not apply to single-radio models.)
mode enable  Enables a radio.
set ap radio radio-profile
Assigns a radio profile to an MP radio and enables or disables the radio.
Syntax set ap {apnum | auto} radio {1 | 2} radio-profile name mode {enable | disable}
ap apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1  Radio 1 of the MP.
radio 2  Radio 2 of the MP. (This option does not apply to single-radio models.
ap apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
radio 1  Radio 1 of the MP.
radio 2  Radio 2 of the MP. (This option does not apply to single-radio models.)
tx-power power-level  Number of decibels in relation to 1 milliwatt (dBm). The valid values depend on the country of operation.
Note: The maximum transmission unit (MTU) for encrypted MP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the MX switch and Distributed MP can support the higher MTU.
Syntax set ap security secsetting {require | optional | none}
security secsetting  Name of the security setting.
History Added in MSS Version 7.1.
Syntax set ap [apnum | auto] tunnel-affinity affinity
apnum  Number of the MP to configure for MP-MP tunneling.
auto  Enable MP-MP tunneling on all MPs.
tunnel-affinity affinity  The default value for affinity is 4 with a range of 0 to 10 where 0 indicates that the MP is not used as a tunnel endpoint.

set ap upgrade-firmware
Disables or reenables automatic upgrade of an MP boot firmware.
Syntax set band-preference {none | 5GHz | 2GHz}
none  When a client supports both 802.11a and 802.11b/g radio bands, does not steer the client to a specific MP radio.
5GHz  When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 5 GHz radio.
2GHz  When a client supports both 802.11a and 802.11b/g radio bands, steers the client to the 2 GHz radio.
Defaults By default, clients are not steered to specific MP radios for RF load balancing.
Access Enabled.
● set band-preference on page 12-257
● set ap radio load-balancing on page 12-251
● show load-balancing group on page 12-353

set load-balancing strictness
Controls the degree to which MSS balances the client load among MPs when performing RF load balancing.
Syntax set load-balancing strictness {low | med | high | max}
low  No clients are denied service. New clients can be steered to other MPs, but only to the extent that service can be provided to all clients.
set radio-profile 11g-only
Deprecated in MSS Version 4.2. To configure radio data rates, see set service-profile transmit-rates on page 12-312.

set radio-profile 11n
Configures 11n radio ranges on the MP-432.
Syntax set radio-profile profile-name 11n channel-width-na {20MHz | 40MHz}
profile-name  Radio profile name
11n channel-width-na  Set the channel width to 20 MHz or 40 MHz
Defaults None
Access Enabled
History Introduced in MSS 7.
success: change accepted.

set radio-profile auto-tune channel-config
Disables or reenables dynamic channel tuning (RF Auto-Tuning) for the MP radios in a radio profile.
Syntax set radio-profile profile-name auto-tune channel-config {enable | disable}
profile-name  Radio profile name.
enable  Configures radios to dynamically select channels when the radios are started.
Syntax set radio-profile profile-name auto-tune channel-holddown holddown
profile-name  Radio profile name.
rate  Minimum number of seconds a radio must remain on its current channel setting before RF Auto-Tuning is allowed to change the channel. You can specify from 0 to 65535 seconds.
Defaults The default RF Auto-Tuning channel holddown is 900 seconds.
Access Enabled.
History Introduced in MSS Version 3.0.
Examples The following command sets the channel interval for radios in radio profile rp2 to 2700 seconds (45 minutes):
MX# set radio-profile rp2 auto-tune channel-interval 2700
success: change accepted.
Syntax set radio-profile profile-name auto-tune ignore-clients {enable | disable}
profile-name  Radio profile name.
enable  Configures auto-tune to ignore client connections.
disable  Disables the feature.
Defaults None
Access Enabled
History Introduced in MSS 6.0.

set radio-profile auto-tune power-config
Enables or disables dynamic power tuning (RF Auto-Tuning) for the MP radios in a radio profile.
Syntax set radio-profile name auto-tune power-interval seconds
name  Radio profile name.
seconds  Number of seconds MSS waits before changing radio power levels to adjust to RF changes, if needed. You can specify from 1 to 65535 seconds.
Defaults The default power tuning interval is 600 seconds.
Access Enabled.
History Introduced in MSS Version 3.0.
● show radio-profile on page 12-354

set radio-profile auto-tune power-ramp-interval
Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.
Syntax set radio-profile profile-name auto-tune power-ramp-interval seconds
profile-name  Radio profile name.
seconds  Number of seconds MSS waits before increasing or decreasing radio power by another 1 dBm.
See Also
● set radio-profile mode on page 12-272
● show radio-profile on page 12-354

set radio-profile cac background
Sets Quality of Service (QoS) options for a radio profile.
Syntax set radio-profile profile-name cac background {max-utilization percentage | mode [enable | disable] | policing [enable | disable]}
profile-name  Name of radio profile.
max-utilization  Set maximum admission control limit for background traffic.
set radio-profile cac video
Syntax set radio-profile profile-name cac video {max-utilization percentage | mode [enable | disable] | policing [enable | disable]}
profile-name  Name of radio profile.
max-utilization percentage  Set maximum admission control limit for video traffic. You can configure a percentage from 1 to 100 percent.
mode  Configures CAC to be mandatory for the radio profile.
policing  Configure admission control policing for the radio profile.
Syntax set radio-profile profile-name countermeasures {all | rogue | none}
profile-name  Radio profile name.
all  Configures radios to attack rogues and interfering devices.
rogue  Configures radios to attack rogues only.
none  Disables countermeasures for this radio profile.
Defaults Countermeasures are disabled by default.
Access Enabled.
History
Version 4.0 Command introduced.
Version 4.1 New option configured added to support on-demand countermeasures.
Version 7.
set radio-profile dtim-interval
Changes the number of times after every beacon that each MP radio in a radio profile sends a delivery traffic indication map (DTIM). An MP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM.
Note: The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.
Syntax set radio-profile profile-name dtim-interval interval
profile-name  Radio profile name.
Access Enabled
History Introduced in MSS Version 6.2.
Examples To configure weighted queuing for a service and radio profile, use the following command:
MX# set radio-profile wireless weighted-fair-queuing enable weight mp_conference 25
success: change accepted.

set radio-profile frag-threshold
Changes the fragmentation threshold for the MP radios in a radio profile.
set radio-profile long-retry
Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of radio profiles. See set service-profile long-retry-count on page 12-298.

set radio-profile max-rx-lifetime
Changes the maximum receive threshold for the MP radios in a radio profile. The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory.
Table 12–3. Defaults for Radio Profile Parameters
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
active-scan | enable | Sends probe any requests (probe requests with a null SSID name) to solicit probe responses from other access points.
auto-tune | enable | Allows dynamic configuration of channel and power settings by MSS.
beacon-interval | 100 | Waits 100 ms between beacons.
History
Version 1.0 Command introduced
Version 3.0
❑ Parameters that no longer apply to radio profiles in MSS Version 3.0 removed:
• auth-dot1x
• auth-psk
• beaconed-ssid
• cipher-ccmp
• cipher-tkip
• cipher-wep104
• cipher-wep40
• clear-ssid
• crypto-ssid
• psk-phrase
• psk-raw
• shared-key-auth
• tkip-mc-time
• wep key-index
• wep active-multicast-index
• wep active-unicast-index
• wpa-ie
❑ auto-tune and service-profile parameters added.
Version 4.2
Version 5.0
See Also
● set ap radio mode on page 12-253
● set ap radio radio-profile on page 12-254
● show ap config radio on page 12-328
● show radio-profile on page 12-354

set radio-profile preamble-length
Changes the preamble length for which an 802.11b/g MP radio advertises support. This command does not apply to 802.11a.
Syntax set radio-profile name preamble-length {long | short}
name  Radio profile name.
long  Advertises support for long preambles.
Syntax set radio-profile name qos-mode {svp | wmm}
svp  Optimizes forwarding prioritization of MP radios for SpectraLink Voice Priority (SVP).
wmm  Classifies and marks traffic based on 802.1p and DSCP, and optimizes forwarding prioritization of MP radios for Wi-Fi Multimedia (WMM).
Defaults The default QoS mode is wmm.
Access Enabled.
History Introduced in MSS Version 4.2.
You can use this command to enforce the data rates, which means that a connecting client must transmit at one of the mandatory or standard rates in order to associate with the MP. When data rate enforcement is enabled, clients transmitting at the disabled rates are not allowed to associate with the MP. This command is useful if you want to completely prevent clients from transmitting at disabled data rates.
set radio-profile rf-scanning mode
Configures RF scanning mode in active or passive states.
Syntax set radio-profile profile-name rf-scanning mode [passive | active]
passive  The radio scans once per predefined time and audits the packets on the wireless network. The default time is 1 second.
active  The radio actively sends probes to other channels and then audits the packets on the wireless network.
Defaults None
Access Enabled
History Added in MSS Version 6.
set radio-profile rts-threshold
Changes the RTS threshold for the MP radios in a radio profile. The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS/CTS method to send the frame. The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame.
Syntax set radio-profile profile-name rts-threshold threshold
profile-name  Radio profile name.
threshold  Maximum frame length, in bytes.
Table 12–4. Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
auth-fallthru | none | Denies access to users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user.
auth-psk | disable | Does not support using a preshared key (PSK) to authenticate WPA clients.
beacon | enable | Sends beacons to advertise the SSID managed by the service profile.
Table 12–4. Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
mesh | none | Enables mesh mode on the network.
proxy-arp | disable | Does not reply on behalf of wireless clients to ARP requests for client IP addresses. Instead, the radio forwards the ARP Requests as wireless broadcasts.
psk-encrypted | none | Sets an encrypted preshared key.
Table 12–4. Defaults for Service Profile Parameters (continued)
Parameter | Default Value | Radio Behavior When Parameter Set To Default Value
user-idle-timeout | 180 | Allows a client to remain idle for 180 seconds (3 minutes) before MSS changes the client’s session to the Disassociated state.
● set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 12-287
● set service-profile [rsn-ie | wpa-ie] auth-fallthru on page 12-287
● set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
● set service-profile beacon on page 12-289
● set service-profile cac-mode on page 12-290
● set service-profile cac-session on page 12-291
● set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
● set service-profile [r
Syntax set radio-profile profile-name snoop snoop-filter
profile-name  Name of the radio-profile.
snoop-filter  Name of the snoop filter to add to the radio profile.
Defaults None
Access Enabled
History Added in MSS Version 7.0.

set radio-profile wmm
Deprecated in MSS Version 4.2. To enable or disable WMM, see set radio-profile qos-mode on page 12-275.
set service-profile 11n
Configures maximum MPDU and MSDU packet length, frame aggregation for 802.11n and the short guard interval for 11n network traffic.
Syntax set service-profile profile-name 11n a-mpdu-max-length [8K | 16K | 32K | 64K] a-msdu-max-length [4K | 8K] frame-aggregation [msdu | mpdu | all | disable] mode-na [enable | disable | required] mode-ng [enable | disable | required] short-guard-interval [enable | disable]
profile-name  Name of the service profile.
set service-profile attr
Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile. These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database.
Syntax set service-profile profile-name attr attribute-name value
profile-name  Service profile name.
The following command limits the days and times when users accessing the SSID managed by service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
MX# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su
success: change accepted.
See Also
● show service-profile on page 12-357
● show sessions network on page 19-454

set service-profile [rsn-ie | wpa-ie] auth-dot1x
Disables or reenables 802.
SSID does not have an authentication rule that matches the username, authentication for the user falls through to the fallthru type. The fallthru type is a service profile parameter, and applies to all radios within the radio profiles that are mapped to the service profile.
set service-profile [rsn-ie | wpa-ie] auth-psk
Enables pre-shared key (PSK) authentication of Wi-Fi Protected Access (WPA) clients by MP radios in a radio profile, when the WPA information element (IE) is enabled in the service profile.
Syntax set service-profile name [rsn-ie | wpa-ie] auth-psk {enable | disable}
name  Service profile name.
enable  Enables PSK authentication of WPA clients.
disable  Disables PSK authentication of WPA clients.
Examples The following command disables beaconing of the SSID managed by service profile sp2:
MX# set service-profile sp2 beacon disable
success: change accepted.
See Also
● set radio-profile beacon-interval on page 12-266
● set service-profile ssid-name on page 12-310
● set service-profile ssid-type on page 12-310
● show service-profile on page 12-357

set service-profile bridging
Enables wireless bridging for a service profile configured for WLAN mesh services.
Syntax set service-profile profile-name cac-mode {none | session | voip-call}
profile-name  Service profile name.
none  CAC is not used.
session  CAC is based on the number of active sessions.
voip-call  CAC is based on VoIP calls.
Defaults The default CAC mode is none.
Access Enabled.
History
MSS Version 4.2 Command introduced.
MSS Version 7.1 Added option voip-call.
set service-profile cac-voip-call
Configures the maximum number of VoIP calls for a service profile.
Syntax set service-profile profile-name cac-voip-call max-voip-calls
profile-name  Service profile name.
max-voip-calls  Configure between 0 and 500 calls allowed on the service profile.
Defaults None
Access Enabled
History Introduced in MSS Version 7.
set service-profile [rsn-ie | wpa-ie] cipher-tkip
Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile.
Syntax set service-profile name [rsn-ie | wpa-ie] cipher-tkip {enable | disable}
name  Service profile name.
enable  Enables TKIP encryption for RSN or WPA clients.
disable  Disables TKIP encryption for RSN or WPA clients.
Defaults When RSN IE or WPA IE is enabled, you can enable TKIP encryption. It is disabled by default.
History
MSS Version 3.0 Command introduced.
MSS Version 7.1 Moved command to rsn-ie and wpa-ie as part of the mixed cipher feature.
Usage To use 104-bit WEP with RSN or WPA clients, you must also enable RSN-IE or WPA IE. When 104-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio profile that is mapped to the service profile can also support non-RSN or non-WPA clients that use dynamic WEP.
When 40-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio profile that is mapped to the service profile can also support non-WPA clients that use dynamic WEP. To support WPA clients that use 104-bit dynamic WEP, you must enable WEP with 104-bit keys in the service profile. Use the set service-profile wpa-ie cipher-wep104 command. Microsoft Windows XP does not support WEP with WPA.
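A check for the weaker cipher and SSID settings these pages describe, as an added example that is not part of MSS or of the original guide. It assumes a saved configuration is a list of set service-profile lines in the syntax documented here; the sample configuration, severity labels and function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from a real MX).
SAMPLE_CONFIG = """\
set service-profile corp ssid-name corp-wlan
set service-profile corp rsn-ie cipher-ccmp enable
set service-profile corp wpa-ie cipher-tkip enable
set service-profile corp wpa-ie cipher-tkip disable
set service-profile legacy wpa-ie cipher-tkip enable
set service-profile legacy wpa-ie cipher-wep40 enable
set service-profile scanners rsn-ie cipher-wep104 enable
set service-profile clear_wlan ssid-type clear
"""

CIPHER_RE = re.compile(
    r"^set service-profile (\S+) (rsn-ie|wpa-ie) "
    r"cipher-(ccmp|tkip|wep104|wep40) (enable|disable)$"
)
SSID_TYPE_RE = re.compile(r"^set service-profile (\S+) ssid-type (clear|crypto)$")

# Severity labels are this example's own judgement, not values defined by MSS.
WEAK_CIPHERS = {
    "wep40": ("high", "40-bit WEP is broken; radios also accept non-WPA dynamic WEP clients"),
    "wep104": ("high", "104-bit WEP is broken; radios also accept non-WPA dynamic WEP clients"),
    "tkip": ("medium", "TKIP is deprecated; prefer CCMP"),
}
SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit(config_text):
    """Return sorted (severity, profile, setting, reason) findings.

    Only settings that appear explicitly are evaluated. When a setting is
    repeated, the last line wins, as it would when commands are entered in order.
    """
    ciphers = {}    # (profile, ie, cipher) -> True if enabled
    ssid_type = {}  # profile -> "clear" or "crypto"
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse repeated whitespace
        match = CIPHER_RE.match(line)
        if match:
            profile, ie, cipher, state = match.groups()
            ciphers[(profile, ie, cipher)] = state == "enable"
            continue
        match = SSID_TYPE_RE.match(line)
        if match:
            ssid_type[match.group(1)] = match.group(2)

    findings = []
    for (profile, ie, cipher), enabled in ciphers.items():
        if enabled and cipher in WEAK_CIPHERS:
            severity, reason = WEAK_CIPHERS[cipher]
            findings.append((severity, profile, f"{ie} cipher-{cipher}", reason))
    for profile, kind in ssid_type.items():
        if kind == "clear":
            findings.append(("high", profile, "ssid-type clear",
                             "traffic on a clear SSID is not encrypted"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for severity, profile, setting, reason in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {profile}: {setting} ({reason})")
```

Profile corp produces no finding because its TKIP setting is disabled by a later line.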
set service-profile dhcp-restrict
Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a newly associated client and allows DHCP traffic only, until the client has been authenticated and authorized. All other traffic is captured by the MX and is not forwarded. After the client is successfully authorized, the traffic restriction is removed.
Syntax set service-profile profile-name idle-client-probing {enable | disable}
profile-name  Service profile name.
enable  Enables keepalives.
disable  Disables keepalives.
Defaults Idle-client probing is enabled by default.
Access Enabled.
History Introduced in MSS Version 4.2.
Usage The length of time a client can remain idle (unresponsive to idle-client probes) is specified by the user-idle-timeout command.
See Also show service-profile on page 12-357

set service-profile load-balancing-exempt
Exempts a service profile from performing RF load balancing.
Syntax set service-profile profile-name load-balancing-exempt {enable | disable}
profile-name  Service profile name.
enable  Exempts the specified service profile from RF load balancing.
disable  If a service profile has previously been exempted from RF load balancing, restores RF load balancing for the service profile.
Examples The following command changes the long retry threshold for service profile sp1 to 8:
MX# set service-profile sp1 long-retry-count 8
success: change accepted.
See Also
● set radio-profile frag-threshold on page 12-271
● set service-profile short-retry-count on page 12-304
● show service-profile on page 12-357

set service-profile max-bw
Configures the maximum bandwidth for a service profile.
See Also
● set ap boot-configuration mesh ssid on page 12-239
● show ap mesh-links on page 12-339

set service-profile no-broadcast
Disables or reenables the no-broadcast mode. The no-broadcast mode helps reduce traffic overhead on an SSID by having more SSID bandwidth available for unicast traffic. The no-broadcast mode also helps VoIP handsets conserve power by reducing the amount of broadcast traffic sent to the phones.
If the ARP request is for a client with an IP address not on the MX, the MX allows MP radios to send the ARP request to clients. If the no-broadcast mode is also enabled, the MP radios send the ARP request as a unicast to only the clients with unknown addresses on the MX. However, if no-broadcast mode is disabled, the MP radios send the ARP request as a broadcast to all clients on the SSID.
Syntax set service-profile profile-name [rsn-ie | wpa-ie] psk-phrase passphrase
profile-name  Service profile name.
rsn-ie | wpa-ie  Enable psk-encryption on RSN IE or WPA IE clients.
passphrase  An ASCII string from 8 to 63 characters long. The string can contain blanks if you use quotation marks at the beginning and end of the string.
Defaults None.
Access Enabled.
History
MSS Version 3.0 Command introduced.
MSS Version 7.
History
MSS Version 3.0 Command introduced.
MSS Version 7.1 Command moved to rsn-ie and wpa-ie as part of the mixed cipher feature.
Usage MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS also stores the hexadecimal key in the MX configuration. The binary number is never displayed in the configuration. To use PSK authentication, you must enable it and you also must enable RSN-IE or WPA IE.
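How a passphrase (psk-phrase) relates to the 256-bit raw key (psk-raw) can be checked offline. This is an added example, not MSS or Trapeze code: it assumes the standard IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), with the 256-bit key written as 64 hexadecimal digits; all function names are hypothetical.

```python
import hashlib
import hmac
import string

PMK_BYTES = 32        # 256-bit key, written as 64 hexadecimal digits
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i


def check_passphrase(passphrase):
    """Enforce the passphrase limits: 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain printable ASCII only")


def check_raw_key(hex_key):
    """Validate a raw key given as hexadecimal text and return its bytes."""
    if len(hex_key) != 2 * PMK_BYTES:
        raise ValueError("raw key must be exactly 64 hexadecimal digits")
    if any(ch not in string.hexdigits for ch in hex_key):
        raise ValueError("raw key contains a non-hexadecimal character")
    return bytes.fromhex(hex_key)


def passphrase_to_raw(passphrase, ssid):
    """Derive the 256-bit key for a passphrase on one SSID, as lowercase hex."""
    check_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), salt, PBKDF2_ROUNDS, PMK_BYTES
    )
    return key.hex()


def raw_matches_passphrase(hex_key, passphrase, ssid):
    """Check whether a stored raw key was derived from this passphrase and SSID."""
    expected = bytes.fromhex(passphrase_to_raw(passphrase, ssid))
    # Constant-time comparison, since both values are key material.
    return hmac.compare_digest(check_raw_key(hex_key), expected)


if __name__ == "__main__":
    # Published IEEE 802.11i test input: passphrase "password", SSID "IEEE".
    raw = passphrase_to_raw("password", "IEEE")
    print("raw key:", raw)
    print("same passphrase, other SSID:", passphrase_to_raw("password", "IEEE-2"))
    print("matches:", raw_matches_passphrase(raw, "password", "IEEE"))
```

Because the SSID is the salt, the same passphrase yields a different raw key on every SSID, so a raw key copied between service profiles with different SSID names will not match the passphrase clients were given.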
● set service-profile [rsn-ie | wpa-ie] auth-psk on page 12-289
● set service-profile [rsn-ie | wpa-ie] cipher-ccmp on page 12-292
● set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
● set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
● show service-profile on page 12-357

set service-profile shared-key-auth
Enables shared-key authentication in a service profile.
Note: Use this command only if advised to do so by Trapeze Networks.
Syntax
Syntax set service-profile profile-name short-retry-count threshold
profile-name  Service profile name.
threshold  Number of times a radio can send the same short unicast frame. You can enter a value from 1 through 15.
Defaults The default short unicast retry threshold is 5 attempts.
Access Enabled.
History Introduced in MSS Version 4.2.
Syntax set service-profile profile-name soda enforce-checks {enable | disable}
profile-name  Service profile name.
enable  SODA agent checks are performed before the client is allowed access to the network.
disable  Allows the client access to the network immediately after the SODA agent is downloaded, without waiting for the checks to be run.
Defaults By default, SODA agent checks are performed before the client is allowed access to the network.
Usage Use this command to specify a custom page to be loaded by the client when the SODA agent checks fail. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL configured, then the client is disconnected from the network. This functionality occurs only when the enforce checks option is enabled for the service profile. The enforce checks option is enabled by default. The page is assumed to reside in the root directory on the MX.
The following command specifies logout.html, in the soda-files directory, as the page to load when a client closes the SODA virtual desktop:
MX# set service-profile sp1 soda logout-page soda-files/logout.html
success: change accepted.
See Also
● set ip https server on page 8-109
● show service-profile on page 12-357

set service-profile soda mode
Enables or disables Sygate On-Demand (SODA) functionality for a service profile.
History Introduced in MSS Version 4.2.
Usage If the SODA agent checks fail on a client, by default the client is disconnected from the network. Optionally, you can specify a failure page for the client to load (with the set service-profile soda failure-page command). When the failure page is loaded, you can optionally specify a remediation ACL to apply to the client. The remediation ACL can be used to grant the client limited access to network resources, for example.
See Also
● set service-profile soda enforce-checks on page 12-305
● set service-profile soda mode on page 12-308
● show service-profile on page 12-357

set service-profile ssid-name
Configures the SSID name in a service profile.
Syntax set service-profile profile-name ssid-name ssid-name
profile-name  Service profile name.
ssid-name  Name of up to 32 alphanumeric characters. You can include blank spaces in the name, if you delimit the name with single or double quotation marks.
Defaults
The default SSID type is crypto.

Access
Enabled.

History
Introduced in MSS Version 3.0.

Examples
The following command changes the SSID type for service profile clear_wlan to clear:
MX# set service-profile clear_wlan ssid-type clear
success: change accepted.

See Also
● set service-profile ssid-name on page 12-310
● show service-profile on page 12-357

set service-profile static-cos
Enables or disables static CoS on a service profile.
set service-profile tkip-mc-time
Changes the length of time that MP radios use countermeasures if two message integrity code (MIC) failures occur within 60 seconds. When countermeasures are in effect, MP radios dissociate all TKIP and WPA WEP clients and refuse all association and reassociation requests until the countermeasures end.

Syntax
set service-profile profile-name tkip-mc-time wait-time

profile-name  Service profile name.
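The timing rule described for tkip-mc-time can be replayed over a list of observed MIC-failure timestamps to see when a radio would have been refusing associations. This is an added example, not code from MSS or from this guide; the class and function names, the event timeline, and passing the countermeasure duration in seconds are assumptions of the sketch.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# From the command description: two MIC failures within 60 seconds trigger countermeasures.
MIC_FAILURE_WINDOW_S = 60.0


@dataclass
class TkipCountermeasures:
    """Per-radio model of the countermeasure timer (hypothetical helper)."""
    hold_s: float                               # how long countermeasures last (assumed unit: seconds)
    _prev_failure: Optional[float] = None       # time of the last unpaired MIC failure
    _active_until: float = float("-inf")        # end of the current countermeasure period
    windows: List[Tuple[float, float]] = field(default_factory=list)

    def in_effect(self, now: float) -> bool:
        return now < self._active_until

    def mic_failure(self, now: float) -> bool:
        """Record a MIC failure; return True if it starts countermeasures."""
        if self.in_effect(now):
            return False                        # radio is already locked down
        prev, self._prev_failure = self._prev_failure, now
        if prev is not None and now - prev <= MIC_FAILURE_WINDOW_S:
            self._active_until = now + self.hold_s
            self._prev_failure = None           # the pair is consumed
            self.windows.append((now, self._active_until))
            return True
        return False

    def association_allowed(self, now: float) -> bool:
        """Association and reassociation requests are refused while countermeasures run."""
        return not self.in_effect(now)


def replay(events, hold_s):
    """Replay time-ordered (seconds, kind) events; return per-event outcomes and lockout windows."""
    cm = TkipCountermeasures(hold_s)
    outcomes = []
    for t, kind in events:
        if kind == "mic_failure":
            result = "countermeasures started" if cm.mic_failure(t) else "no trigger"
        elif kind == "assoc_request":
            result = "accepted" if cm.association_allowed(t) else "refused"
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
        outcomes.append((t, kind, result))
    return outcomes, cm.windows


def lockout_seconds(windows):
    """Total time during which all TKIP clients were kept off the radio."""
    return sum(end - start for start, end in windows)


# Constructed timeline (not taken from a real device log).
SAMPLE_EVENTS = [
    (0.0, "mic_failure"),
    (75.0, "mic_failure"),     # 75 s after the previous failure: outside the window
    (120.0, "mic_failure"),    # 45 s after the previous failure: triggers countermeasures
    (130.0, "assoc_request"),
    (150.0, "mic_failure"),
    (185.0, "assoc_request"),
]

if __name__ == "__main__":
    for hold in (60.0, 10.0):
        outcomes, windows = replay(SAMPLE_EVENTS, hold)
        print(f"hold={hold}s lockout={lockout_seconds(windows)}s")
        for row in outcomes:
            print("  ", row)
```

Comparing the two runs shows the trade-off the setting controls: a longer duration keeps every TKIP client off the radio for longer after each pair of MIC failures.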
mandatory rate-list  Set of data transmission rates that clients are required to support in order to associate with an SSID on an MP radio. A client must support at least one of the mandatory rates. These rates are advertised in the basic rate set of 802.11 beacons, probe responses, and reassociation response frames sent by MP radios. Data frames and management frames sent by MP radios use one of the specified mandatory rates.
Examples
The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:
MX# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0 disabled 48.0,54.0 beacon-rate 9.0
success: change accepted.
Syntax
set service-profile profile-name user-idle-timeout seconds

profile-name  Service profile name.
seconds  Number of seconds a client is allowed to remain idle before MSS changes the session to the Dissociated state. You can specify from 20 to 86400 seconds. To disable the timer, specify 0.

Defaults
The default user idle timeout is 180 seconds (3 minutes).

Access
Enabled.

History
Introduced in MSS Version 4.2.
Examples
The following command changes the Web-Portal ACL name on service profile sp3 to creditsrvr:
MX# set service-profile sp3 web-portal-acl creditsrvr
success: change accepted.

See Also
● set service-profile [rsn-id | wpa-ie] auth-fallthru on page 12-287
● show service-profile on page 12-357

set service-profile web-portal-form
Specifies a custom login page that loads for WebAAA users requesting the SSID managed by the service profile.
MX# mkdir corpa
success: change accepted.
MX# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
MX# copy tftp://10.1.1.1/corpa-logo.jpg corpa/corpa-logo.jpg
success: received 1202 bytes in 0.402 seconds [ 2112 bytes/sec]
MX# dir corpa
===============================================================================
file:
Filename Size Created
file:corpa-login.
Examples
The following command configures the Web Portal logout URL as wifizone.trpz.com/logout.html for service profile sp1.
MX# set service-profile sp1 web-portal-logout logout-url https://wifizone.trpz.com/logout.html
success: change accepted.
Syntax
set service-profile name web-portal-session-timeout seconds

name  Service profile name.
seconds  Number of seconds MSS allows Web Portal WebAAA sessions to remain in the Deassociated state before being terminated automatically. You can specify from 5 to 28800 seconds.

Defaults
The default Web Portal WebAAA session timeout is 5 seconds.

Access
Enabled.

History
Introduced in MSS Version 4.2.
success: change accepted.

See Also
● set service-profile wep active-unicast-index on page 12-320
● set service-profile wep key-index on page 12-320
● show service-profile on page 12-357

set service-profile wep active-unicast-index
Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames.

Syntax
set service-profile profile-name wep active-unicast-index num

profile-name  Service profile name.
num  WEP key number.
Defaults
By default, no static WEP keys are defined.

Access
Enabled.

History
Introduced in MSS Version 3.0.

Usage
MSS automatically enables static WEP when you define a WEP key. MSS continues to support dynamic WEP.

Examples
The following command configures a 5-byte WEP key for key index 1 on service profile sp2 to aabbccddee:
MX# set service-profile sp2 wep key-index 1 key aabbccddee
success: change accepted.
● set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 12-293
● set service-profile [rsn-ie | wpa-ie] cipher-wep40 on page 12-294
● show service-profile on page 12-357

show ap 11n-counters
Displays 802.11n statistics for 802.11n MPs.

Syntax
show ap 11n-counters [apnum | radio [1 | 2]]

Defaults
None

Access
Enabled

History
Introduced in MSS Version 7.0.

Usage
Displays channel width, data rates, HT modes, and Ethernet links for 802.11n MPs.
Examples
Use the following command to display 802.11n statistics for all 802.11n MPs or a single 802.11n radio.
MP Access Point Commands Table 12– 5.
History
Version 6.0  Command introduced.
Version 6.2  Added index value range of 1 to 9999.

Usage
For MSS to count hits for a security ACL, you must specify hits in the set security acl commands that define ACE rules for the ACL.
● set security acl on page 15-395

show ap acl resource-usage
Displays statistics about the resources used by security ACL filtering on the MP.

Syntax
show ap acl resource-usage apnum

apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.

Defaults
None.

Access
Enabled.

History
Version 6.0  Command introduced.
Version 6.2  Added index value range from 1 to 9999.
MP Access Point Commands 10.5.4.51 10.5.4.53 00:0b:0e:00:04:0c 00:0b:0e:02:76:f7 1 EXPIRED DYNAMIC 1 RESOLVED LOCAL Table 13 describes the fields in this display. Table 13.Output for show ap arp Field Description Host IP address, hostname, or alias. HW Address MAC address mapped to the IP address, hostname, or alias. VLAN VLAN the entry is for. State Entry state: ❑ ❑ ❑ Type RESOLVING—MSS sent an ARP request for the entry and is waiting for the reply. RESOLVED—Entry is resolved.
MP Access Point Commands show ap config radio Displays global and radio-specific settings for an MP. Syntax show ap apnum config [port-list [radio {1 | 2}]] apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999. radio 1 Shows configuration information for radio 1. radio 2 Shows configuration information for radio 2. (This option does not apply to single-radio models.) Defaults None. Access Enabled. History Version 1.0 Command introduced. Version 1.
MP Access Point Commands location: contact: Radio 1: type: 802.11g, mode: disabled, channel: dynamic tx pwr: 18, profile: default auto-tune max-power: default, load-balance-group: , load-balance-enable: YES, force-rebalance: NO, local-switching: disabled, vlan-profile: default Table 12– 1 describes the fields in this display. Table 12– 1. Output for show ap config Field Description Port MX port number to which the MP is connected, if specified for the MP.
MP Access Point Commands Table 12– 1. Output for show ap config (continued) Field Description auto-tune max-power Maximum power level the RF Auto-Tuning feature can set on the radio. ❑ ❑ load-balance-group The value default means RF Auto-Tuning can set the power up to the maximum level allowed for the country of operation. A specific numeric value means you or another administrator set the maximum value. Names of the RF load-balancing groups to which the MP belongs.
MP Access Point Commands radio 1 Shows statistics counters for radio 1. radio 2 Shows statistics counters for radio 2. (This option does not apply to single-radio models.) Defaults None. Access Enabled. History Version 1.0 Command introduced. Version 1.1 New fields added for Wi-Fi Protected Access (WPA): ❑ ❑ ❑ ❑ ❑ ❑ ❑ Version 2.0 Version 4.
MP Access Point Commands TxUniPkt TxUniByte RxPkt UndcrptPkt TxMultiPkt TxMultiByte RxByte UndcrptByte PhyErr 1.0: 1017 0 10170 0 14 8347 0 0 3964 2.0: 5643 55683 822545 8697520 3 1670 0 0 8695 5.5: 0 0 0 0 5 258 0 0 4 6.0: 0 0 0 0 0 0 0 0 51 9.0: 0 0 0 0 1 172 0 0 53 11.0: 0 0 0 0 17 998 0 0 35 12.0: 0 0 0 0 0 0 0 0 26 18.0: 0 0 0 0 0 0 0 0 38 24.0: 0 0 0 0 0 0 0 0 47 36.0: 0 0 0 0 0 0 0 0 1 48.0: 0 0 0 0 1 68 0 0 29 54.0: 0 0 0 0 0 0 0 0 5 TOTL: 6660 55683 832715 8697520 41 11513 0 0 12948 ...
MP Access Point Commands Table 12– 2. Output for show ap counters (continued) Field Description Radio Recv Phy Err Ct Number of times radar caused packet errors. If this counter increments rapidly, there is a problem in the RF environment. Note: This counter increments only when radar is detected. Rate-specific Phy errors are instead counted in the PhyError columns for individual data rates. Radio Adjusted Tx Pwr Current power level set on the radio.
MP Access Point Commands Table 12– 2. Output for show ap counters (continued) Field Description CCMP Pkt Replays Number of CCMP packets that were resent by a client to the MP. (See the description for TKIP Pkt Replays.) RadioResets Number of times the radio has been reset. Generally, a reset occurs as a result of RF noise. It is normal for this counter to increment a few times per day. Transmit Retries Number of times the radio retransmitted a unicast packet because it was not acknowledged.
MP Access Point Commands See Also show sessions network on page 19-454 show ap counters voice-details Displays information about VoIP calls on the network. Syntax show ap counters apnum [radio {1 | 2}] voice-details Defaults None Access Enabled History Added in MSS Version 7.
MP Access Point Commands History Version 6.0 Command introduced. Version 6.2 Added index value range of 1 to 9999. Examples The following command displays FDB entries for AP 7: MX# show ap fdb 7 AP 7: # = System Entry. $ = Authenticate Entry VLAN TAG Dest MAC/Route Des [CoS] Destination Ports ---- ---- ------------------ ----- ----------------4095 4095 00:0b:0e:00:ca:c1 # CPU 4095 0 00:0b:0e:00:04:0c eth0 Table 12– 4 describes the fields in the show ap fdb output. Table 12– 4.
MP Access Point Commands History Version 4.0 Command introduced. Version 4.2 TxDrop field added. Version 5.0 Option clear added. Version 6.0 Option dap removed. Version 6.2 Added index value range of 1 to 9999. Usage Repeating this command with the clear option at regular intervals allows you to monitor transmission and drop rates.
show ap etherstats
Displays Ethernet statistics for an Ethernet port on an MP.

Syntax
show ap etherstats apnum

apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.

Defaults
None.

Access
Enabled.

History
Version 3.0  Command introduced.
Version 6.2  Added index value range from 1 to 9999.
MP Access Point Commands Table 12– 6. Output for show ap etherstats (continued) Field Description RxAlignErrs Number of received frames that were both misaligned and contained a CRC error. RxShortFrames Number of received frames that were shorter than the minimum frame length. RxCrcErrors Number of received frames that were discarded due to CRC errors. RxOverruns Number of frames known to be lost due to a temporary lack of hardware resources.
Examples
The following command displays mesh link information for AP 7:
MX# show ap mesh-links 7
AP: 7 IP-addr: 1.1.1.3
Operational Mode: Mesh-Portal
Downlink Mesh-APs
-------------------------------------------------
BSSID: 00:0b:0e:17:bb:3f (54 Mbps)
     packets  bytes
TX:  307      44279
RX:  315      215046

Table 12–7 describes the fields in the show ap mesh-links output.

Table 12–7. Output for show ap mesh-links
Field  Description
AP  Identifier for the MP on the MX.
MP Access Point Commands History Version 1.0 Command introduced. Version 1.1 Radio type fields indicate when 802.11b protection is enabled on an 802.11b/g radio. Version 2.0 ❑ ❑ ❑ ❑ Version 3.0 ❑ ❑ ❑ ❑ Option dap added for Distributed MPs. Option all added. IP-addr field added for Distributed MPs. The dual-homed field was removed. (This field was located on the same line as the Link field.) in boot field removed.
MP Access Point Commands MX# show ap status 9991 Flags: o = operational[0], c = configure[0], d = download[0], b = boot[0] x= down a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv), r = redundant[0] i = insecure, e = encrypted, u = unencrypted Radio: E = enabled - 20MHz channel, S = sentry W/w = enabled - 40MHz wide channel (HTplus/HTminus) D = admin disabled IP Address: * = AP behind NAT AP Flag IP Address Model MAC Address Radio 1 Radio 2 Uptime ---- ---- --------------- ------------ ----------
MP Access Point Commands Table 12– 8. Output for show ap status Field Description Flags The following flags are displayed as part of the MP status: ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ Radio o = operational —The MP is operational on the network. c = configure [0] — The MP is configured. d = download [0] — The MP is configured to download new software. b = boot — The MP can boot on the network. x = down — The MP is down on the network. n = unconfigured — The MP has no configuration.
Table 12–9. Output for show ap status verbose
Field  Description
IP Address
❑ IP address of the MP. The address is assigned to the MP by a DHCP server.
❑ VLAN assigned to the MP.
Note: This field is applicable only if the MP is configured on the MX as a Distributed MP.
Port 1 link:
❑ Status
❑ Configured duplex speed
❑ PoE type
Port 2 link:
❑ Status
❑ Configured duplex speed
❑ PoE type and status
State:  Operational status flags for the MP.
MP Access Point Commands History Version 6.0 Command introduced. Version 6.2 Introduced index value range of 1 to 9999. Version 7.0 Added all option.
MP Access Point Commands Defaults None. Access Enabled. Examples Version 3.0 Command introduced. Version 6.0 Option dap removed. Version 6.2 Added index value range from 1 to 9999.
MP Access Point Commands show auto-tune neighbors Displays the other Trapeze radios and third-party 802.11 radios that a Trapeze radio can hear. Syntax show auto-tune neighbors [ap apnum [radio {1 | 2| all}]] apnum Index value that identifies the MP on the MX. You can specify a value from 1 to 9999. radio 1 Shows neighbor information for radio 1. radio 2 Shows neighbor information for radio 2. (This option does not apply to single-radio models.
MP Access Point Commands ● ● ● ● ● ● ● set radio-profile auto-tune 11a-channel-range on page 12-260 set radio-profile auto-tune channel-holddown on page 12-261 set radio-profile auto-tune channel-interval on page 12-262 set radio-profile auto-tune power-config on page 12-264 set radio-profile auto-tune power-interval on page 12-264 show auto-tune attributes on page 12-345 show radio-profile on page 12-354 show ap boot-configuration Displays information about the static IP address configuration (if any) o
MP Access Point Commands Table 12– 13. Output for show ap boot-configuration Field Description AP MP number. IP address Whether static IP address assignment is enabled for this Distributed MP. VLAN Tag Whether the Distributed MP is configured to use a VLAN tag. Switch Whether the Distributed MP is configured to use a manually specified MX as the boot device. Mesh Whether WLAN mesh services are enabled for this MP. IP address The static IP address assigned to this Distributed MP.
MP Access Point Commands This command provides information only if the Distributed MP is configured on the MX where you entered the command. The MX does not need to be the one that booted the MP, but it must have the MP in the configuration. Also, the MX that booted the MP must be in the same Mobility Domain as the MX where you entered the command.
show ap global
Displays connection information for Distributed MPs configured on an MX.

Syntax
show ap global [apnum | serial-id serial-ID]

apnum  Index value that identifies the MP on the MX. You can specify a value from 1 to 9999.
serial-id serial-ID  MP access point serial ID.

Defaults
None.

Access
Enabled.

History
Version 2.0  Command introduced.
Version 6.0  Option dap removed.
Version 6.2  Added index value range from 1 to 9999.
MP Access Point Commands Table 12– 15. Output for show ap global (continued) Field Description MX IP Address System IP address of the MX on which the Distributed MP is configured. A separate row of output is displayed for each MX on which the Distributed MP is configured.
MP Access Point Commands Table 12– 16. Output for show ap unconfigured Field Description Serial Id Serial ID of the MP. Model MP model number. IP Address IP address of the MP. This is the address that the MP receives from a DHCP server. The MP uses this address to send a Find MX message to request configuration information from MX switches. However, the MP cannot use the address to establish a connection unless the MP first receives a configuration from an MX.
MX# show load-balancing group blue
Load-balancing group: blue
IP address         AP   Radio Clients
------------------ ---- ----- -------
10.2.28.200        3    1     0

Table 12–17 describes the fields displayed by the show load-balancing group command.

Table 12–17. Output for show load-balancing group
Field  Description
IP address  The IP address of the MP in the load-balancing group.
MP Access Point Commands Version 3.0 ❑ ❑ ❑ Version 4.0 ❑ ❑ Version 4.2 ❑ ❑ ❑ Version 5.0 ❑ ❑ Fields removed for items that are no longer managed by radio profiles: • Encrypted Network Name • Clear Network Name • Network name(s) broadcast in the wireless beacon • WEP Key 1 value • WEP Key 2 value • WEP Key 3 value • WEP Key 4 value • WEP Unicast Index • WEP Multicast Index • Shared Key Auth • WPA enabled These items are now managed by service profiles.
MP Access Point Commands Table 12– 18. Output for show radio-profile Field Description Beacon Interval Rate (in milliseconds) at which each MP radio in the profile advertises the beaconed SSID. DTIM Interval Number of times after every beacon that each MP radio in the radio profile sends a delivery traffic indication map (DTIM). Max Tx Lifetime Number of milliseconds that a frame received by a radio in the radio profile can remain in buffer memory.
MP Access Point Commands Table 12– 18. Output for show radio-profile (continued) Field Description QoS Mode Indicates the Quality-of-Service setting for MP radio forwarding queues: ❑ ❑ wmm—MP forwarding queues provide standard priority handling for WMM devices. svp—MP forwarding queues are optimized for SpectraLink Voice Priority (SVP). For information about the QoS modes, see the “Configuring Quality of Service” chapter in the Trapeze Mobility System Software Configuration Guide.
MP Access Point Commands profile-name Displays information about the named service profile. ? Displays a list of service profiles. Defaults None. Access Enabled. History Version 3.0 Command introduced Version 4.1 New fields added to indicate the configured SSID default attributes in the service profile. Version 4.2 New fields added: ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ ❑ Version 5.0 New fields added: ❑ ❑ ❑ Version 6.
MP Access Point Commands Short retry limit: 5 Long retry limit: 5 Auth fallthru: none Sygate On-Demand (SODA): no Enforce SODA checks: yes SODA remediation ACL: Custom success web-page: Custom failure web-page: Custom logout web-page: Custom agent-directory: Static COS: no COS: 0 Client DSCP: no CAC mode: none CAC sessions: 14 User idle timeout: 180 Idle client probing: yes Keep initial vlan: no Web Portal Session Timeout: 5 Mesh enabled: no Web Portal ACL: Bridging enabled: no Load Balance Exempt: no Web
MP Access Point Commands Table 12– 19. Output for show service-profile (continued) Field Description Auth fallthru Secondary (fallthru) encryption type when a user tries to authenticate but the MX managing the radio does not have an authentication rule with a userglob that matches the username. ❑ ❑ ❑ last-resort—Automatically authenticates the user and allows access to the SSID requested by the user, without requiring a username and password.
MP Access Point Commands Table 12– 19. Output for show service-profile (continued) Field Description Keep initial VLAN Indicates whether the keep-initial-vlan option is enabled. Web Portal Session Timeout When a Web Portal WebAAA session is placed in the Deassociated state, how many seconds the session can remain in that state before being terminated automatically. Mesh enabled Whether WLAN mesh services are enabled for the service profile.
MP Access Point Commands Table 12– 19. Output for show service-profile (continued) Field Description vlan-name, session-timeout, service-type These are examples of authorization attributes that are applied by default to a user accessing the SSID managed by this service profile (in addition to any attributes assigned to the user by a RADIUS server or the local database). Attributes are listed here only if they have been configured as default attribute settings for the service profile.
MP Access Point Commands ● ● ● ● ● ● ● ● ● ● set service-profile static-cos on page 12-311 set service-profile tkip-mc-time on page 12-312 set service-profile transmit-rates on page 12-312 set service-profile user-idle-timeout on page 12-314 set service-profile web-portal-form on page 12-316 set service-profile web-portal-session-timeout on page 12-318 set service-profile wep active-multicast-index on page 12-319 set service-profile wep active-unicast-index on page 12-320 set service-profile wep key-index
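A small audit over saved show service-profile output can flag the access-relevant settings this chapter documents: SODA checks not enforced, an Auth fallthru of last-resort, and a disabled user idle timer. This is an added example, not part of MSS or of this guide; the function names, the finding identifiers, the one-field-per-line layout, and both sample profiles are assumptions constructed for illustration.

```python
from typing import Dict, List, Tuple

# Field names as they appear in the show service-profile display in this chapter.
F_SODA = "sygate on-demand (soda)"
F_ENFORCE = "enforce soda checks"
F_FALLTHRU = "auth fallthru"
F_IDLE = "user idle timeout"
REQUIRED = (F_SODA, F_ENFORCE, F_FALLTHRU, F_IDLE)


def parse_service_profile(text: str) -> Dict[str, str]:
    """Turn 'Field: value' lines into a dict keyed by lower-cased field name.

    Assumes one field per line; split lines first if your capture shows
    several fields on one line.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields


def audit_service_profile(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding-id, explanation) pairs for settings worth reviewing."""
    findings: List[Tuple[str, str]] = []
    # A field that failed to parse must not be read as "setting is fine".
    for name in REQUIRED:
        if name not in fields:
            findings.append(("field-missing", f"'{name}' not found in the output"))
    soda_on = fields.get(F_SODA, "").lower() == "yes"
    if soda_on and fields.get(F_ENFORCE, "").lower() == "no":
        findings.append(("soda-checks-not-enforced",
                         "clients get network access as soon as the SODA agent "
                         "is downloaded, before its checks have run"))
    if fields.get(F_FALLTHRU, "").lower() == "last-resort":
        findings.append(("auth-fallthru-last-resort",
                         "users are authenticated automatically, without a "
                         "username and password"))
    idle = fields.get(F_IDLE, "")
    if idle.isdigit() and int(idle) == 0:
        findings.append(("idle-timeout-disabled",
                         "a value of 0 disables the user idle timer"))
    return findings


# Constructed sample: values match the defaults shown in this chapter.
SAMPLE_DEFAULT = """\
Auth fallthru: none
Sygate On-Demand (SODA): no
Enforce SODA checks: yes
SODA remediation ACL:
User idle timeout: 180
"""

# Constructed sample: a profile with all three settings relaxed.
SAMPLE_RELAXED = """\
Auth fallthru: last-resort
Sygate On-Demand (SODA): yes
Enforce SODA checks: no
SODA remediation ACL:
User idle timeout: 0
"""

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("relaxed", SAMPLE_RELAXED)):
        print(label)
        for finding_id, why in audit_service_profile(parse_service_profile(text)):
            print(f"  {finding_id}: {why}")
```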
13 STP Commands Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on an MX, to maintain a loop-free network. This chapter presents STP commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Access
Enabled.

History
Introduced in MSS Version 1.0.

Usage
This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use the clear spantree portvlancost command.

Examples
The following command resets the STP port cost on ports 5 and 6 to the default value:
MX# clear spantree portcost 5-6
success: change accepted.
clear spantree portvlancost
Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on an MX switch, or for all VLANs.

Syntax
clear spantree portvlancost port-list {all | vlan vlan-id}

port-list  List of ports. The port cost is reset on the specified ports.
all  Resets the cost for all VLANs.
vlan vlan-id  VLAN name or number. MSS resets the cost for only the specified VLAN.

Defaults
None.

Access
Enabled.
● set spantree portpri on page 13-362
● set spantree portvlanpri on page 13-363
● show spantree on page 13-364

clear spantree statistics
Clears STP statistics counters for a network port or ports and resets them to 0.

Syntax
clear spantree statistics port-list [vlan vlan-id]

port-list  List of ports. Statistics counters are reset on the specified ports.
vlan vlan-id  VLAN name or number. MSS resets statistics counters for only the specified VLAN.

Defaults
None.

Access
Enabled.
See Also
show spantree on page 13-364

set spantree backbonefast
Enables or disables STP backbone fast convergence on an MX. This feature accelerates port recovery following the failure of an indirect link.

Syntax
set spantree backbonefast {enable | disable}

enable  Enables backbone fast convergence.
disable  Disables backbone fast convergence.

Defaults
STP backbone fast path convergence is disabled by default.

Access
Enabled.

History
Introduced in MSS Version 1.0.
Syntax
set spantree hello interval {all | vlan vlan-id}

interval  Interval value. You can specify from 1 through 10 seconds.
all  Changes the interval on all VLANs.
vlan vlan-id  VLAN name or number. MSS changes the interval on only the specified VLAN.

Defaults
The default hello timer interval is 2 seconds.

Access
Enabled.

History
Introduced in MSS Version 1.0.
STP Commands Defaults The default port cost depends on the port speed and link type. Table 1 lists the defaults for STP port path cost. Table 1.
See Also
show spantree portfast on page 13-367

set spantree portpri
Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on an MX.

Syntax
set spantree portpri port-list priority value

port-list  List of ports. MSS changes the priority on the specified ports.
priority value  Priority value. You can specify a value from 0 (highest) through 255 (lowest).
See Also
● clear spantree portcost on page 13-355
● clear spantree portvlancost on page 13-357
● set spantree portcost on page 13-360
● show spantree on page 13-364
● show spantree portvlancost on page 13-368

set spantree portvlanpri
Changes the priority of a network port or ports for selection as part of the path to the STP root bridge, on one VLAN or all VLANs.

Syntax
set spantree portvlanpri port-list priority value {all | vlan vlan-id}

port-list  List of ports.
Examples
The following command sets the bridge priority of VLAN pink to 69:
MX# set spantree priority 69 vlan pink
success: change accepted.

See Also
show spantree on page 13-364

set spantree uplinkfast
Enables or disables STP uplink fast convergence on an MX. This feature enables an MX with redundant links to the network backbone to immediately switch to the backup link to the root bridge if the primary link fails.
STP Commands Examples The following command displays STP information for VLAN default: MX# show VLAN Spanning Spanning Spanning spantree vlan default 1 Tree Mode PVST+ Tree Type IEEE Tree Enabled Designated Root 00-02-4a-70-49-f7 Designated Root Priority 32768 Designated Root Path Cost 19 Designated Root Port 1 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Bridge ID MAC ADDR 00-0b-0e-02-76-f7 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan STP-S
STP Commands Table 13– 1. Output for show spantree (continued) Field Description Port Port number. Note: Only network ports are listed. STP does not apply to MP ports or wired authentication ports. Vlan VLAN ID. STP-State or Port-State ❑ Cost STP cost of the port. STP state of the port: Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic. ❑ Disabled—This state can indicate any of the following conditions: • The port is inactive.
See Also
set spantree backbonefast on page 13-359

show spantree blockedports
Lists information about MX ports that STP has blocked on one or all of the VLANs.

Syntax
show spantree blockedports [vlan vlan-id]

vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays information for blocked ports on all VLANs.

Defaults
None.

Access
All.

History
Introduced in MSS Version 1.0.

Usage
The command lists information separately for each VLAN.
STP Commands 6 7 8 10 15 16 17 18 19 20 21 22 11 12 13 14 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 disable disable disable disable disable disable disable disable disable disable disable disable enable disable disable enable Table 13– 2 describes the fields in this display. Table 13– 2. Output for show spantree portfast Field Description Port Port number. VLAN VLAN number.
show spantree statistics
Displays STP statistics for one or more MX network ports.

Syntax
show spantree statistics [port-list [vlan vlan-id]]

port-list  List of ports. If you do not specify any ports, MSS displays STP statistics for all ports.
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS displays STP statistics for all VLANs.

Defaults
None.

Access
All.

History
Introduced in MSS Version 1.0.

Usage
The command displays statistics separately for each port.
STP Commands message age timer message age timer value topology change timer topology change timer value hold timer hold timer value delay root port timer delay root port timer value delay root port timer restarted is ACTIVE 0 INACTIVE 0 INACTIVE 0 INACTIVE 0 FALSE VLAN based information & statistics spanning tree type spanning tree multicast address bridge priority bridge MAC address bridge hello time bridge forward delay topology change initiator: last topology change occured: topology change topology
STP Commands Table 13– 3. Output for show spantree statistics (continued) Field Description state STP state of the port: ❑ Blocking—The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic. ❑ Disabled—The port is not forwarding any traffic, including STP control traffic. The port might be administratively disabled or the link might be disconnected. ❑ Forwarding—The port is forwarding Layer 2 traffic.
STP Commands Table 13– 3. Output for show spantree statistics (continued) Field Description message age timer Status of the message age timer. This timer measures the age of the received protocol information recorded for a port. message age timer value Current value of the message age timer, in seconds. topology change timer Status of the topology change timer.
STP Commands Table 13– 3. Output for show spantree statistics (continued) Field Description next state Port state before it is set by STP. src MAC count Number of BPDUs with the same source MAC address. total src MAC count Number of BPDUs with all the source MAC addresses. curr_src_mac Source MAC address of the current received BPDU. next_src_mac Other source MAC address from a different source.
14 IGMP Snooping Commands Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on an MX. This chapter presents IGMP snooping commands alphabetically. Use the following table to locate commands in this chapter based on their use.
See Also
show igmp statistics on page 14-388

set igmp
Disables or reenables IGMP snooping on one VLAN or all VLANs on an MX.

Syntax
set igmp {enable | disable} [vlan vlan-id]

enable  Enables IGMP snooping.
disable  Disables IGMP snooping.
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, IGMP snooping is disabled or reenabled on all VLANs.

Defaults
IGMP snooping is disabled on all VLANs by default.

Access
Enabled.

History
Introduced in MSS Version 1.0.
set igmp mrouter
Adds a port to, or removes a port from, the MX list of ports through which the MX forwards traffic to multicast routers. Static multicast ports are immediately added to or removed from the list of router ports and do not age out.

Syntax
set igmp mrouter port port-list {enable | disable}

port port-list  Port list. MSS adds or removes the specified ports in the list of static multicast router ports.
enable  Adds the port to the list of static multicast router ports.
See Also
set igmp mrsol mrsi on page 14-378

set igmp mrsol mrsi
Changes the interval between multicast router solicitations by an MX on one VLAN or all VLANs.

Syntax
set igmp mrsol mrsi seconds [vlan vlan-id]

seconds  Number of seconds between multicast router solicitations. You can specify a value from 1 through 65,535.
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, MSS changes the multicast router solicitation interval for all VLANs.
● set igmp querier on page 14-380
● set igmp mrouter on page 14-377
● set igmp rv on page 14-381

set igmp proxy-report
Disables or reenables proxy reporting by an MX switch on one VLAN or all VLANs.

Syntax
set igmp proxy-report {enable | disable} [vlan vlan-id]

enable  Enables proxy reporting.
disable  Disables proxy reporting.
vlan vlan-id  VLAN name or number. If you do not specify a VLAN, proxy reporting is disabled or reenabled on all VLANs.
See Also
● set igmp lmqi on page 14-376
● set igmp oqi on page 14-378
● set igmp qri on page 14-380
● set igmp querier on page 14-380
● set igmp mrouter on page 14-377
● set igmp rv on page 14-381

set igmp qri

Changes the IGMP query response interval timer on one VLAN or all VLANs on an MX.
disable Disables the pseudo-querier.
vlan vlan-id VLAN name or number. If you do not specify a VLAN, the pseudo-querier is enabled or disabled on all VLANs.

Defaults The pseudo-querier is disabled on all VLANs by default.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage Trapeze Networks recommends that you use the pseudo-querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet.
Syntax set igmp rv num [vlan vlan-id]

num Robustness value. You can specify a value from 2 through 255. Set the robustness value higher to adjust for more traffic loss.
vlan vlan-id VLAN name or number. If you do not specify a VLAN, MSS changes the robustness value for all VLANs.

Defaults The default robustness value for all VLANs is 2.
Access Enabled.
History Introduced in MSS Version 1.0.
router information:
Port Mrouter-IPaddr  Mrouter-MAC       Type  TTL
---- --------------- ----------------- ----- ----
10   192.28.7.5      00:01:02:03:04:05 dvmrp 17

Group           Port Receiver-IP     Receiver-MAC      TTL
--------------- ---- --------------- ----------------- ----
224.0.0.2       none none            none              undef
237.255.255.255 5    10.10.10.11     00:02:04:06:08:0b 258
237.255.255.255 5    10.10.10.13     00:02:04:06:08:0d 258
237.255.255.255 5    10.10.10.14     00:02:04:06:08:0e 258
237.255.255.255 5    10.10.10.
Table 14–1. Output for show igmp (continued)

Field | Description
Configuration values (lmqi) | Last member query interval.
Configuration values (rvalue) | Robustness value.
Multicast router information | List of multicast routers and active multicast groups. The fields containing this information are described separately. The show igmp mrouter command shows the same information.
Port | Number of the physical port through which the MX switch can reach the router.
See Also
● show igmp mrouter on page 14-385
● show igmp querier on page 14-386
● show igmp receiver-table on page 14-387
● show igmp statistics on page 14-388

show igmp mrouter

Displays the multicast routers in an MX subnet, on one VLAN or all VLANs. Routers are listed separately for each VLAN, according to the port number through which the switch can reach the router.

Syntax show igmp mrouter [vlan vlan-id]

vlan vlan-id VLAN name or number.
show igmp querier

Displays information about the active multicast querier, on one VLAN or all VLANs. Queriers are listed separately for each VLAN. Each VLAN can have only one querier.

Syntax show igmp querier [vlan vlan-id]

vlan vlan-id VLAN name or number. If you do not specify a VLAN, MSS displays querier information for all VLANs.

Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
show igmp receiver-table

Displays the receivers to which an MX forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask.

Syntax show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]

vlan vlan-id VLAN name or number. If you do not specify a VLAN, MSS displays the multicast receivers on all VLANs.
Table 14–4. Output for show igmp receiver-table (continued)

Field | Description
Receiver-MAC | MAC address of the receiver.
TTL | Number of seconds before this entry ages out if the MX does not receive a group membership message from the receiver. For static multicast receiver entries, the TTL value is undef. Static multicast receiver entries do not age out.

See Also
● set igmp receiver on page 14-381

show igmp statistics

Displays IGMP statistics.
Table 14–5. Output for show igmp statistics

Field | Description
IGMP statistics for vlan | VLAN name. Statistics are listed separately for each VLAN.
IGMP message type | Type of IGMP message:
❑ General-Queries: General group membership queries sent by the multicast querier (multicast router or pseudo-querier).
❑ GS-Queries: Group-specific queries sent by the multicast querier to determine whether there are receivers for a specific group.
15 Security ACL Commands

Use security ACL commands to configure and monitor security access control lists (ACLs). Security ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (CoS) to define the priority of treatment for packet filtering. (Security ACLs are different from the location policy on an MX, which helps you locally control user access. For location policy commands, see Chapter , “AAA Commands,” on page 9-147.
History
MSS Version 1.0 Command introduced.
MSS Version 1.1 ACL names changed from case-sensitive to case-insensitive.

Usage This command deletes security ACLs only in the edit buffer. You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage.
clear security acl map

Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical ports, or a virtual port, or deletes all ACL maps to VLANs, ports, and virtual ports on an MX.

Note: Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To delete a security ACL from a user or group in the local MX database, use the command clear user attr, clear mac-user attr, clear usergroup attr, or clear mac-usergroup attr.
success: change accepted.

See Also
● clear security acl on page 15-391
● set security acl map on page 15-400
● show security acl map on page 15-405

commit security acl

Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and nonvolatile storage on the MX. Or, when used with the clear security acl command, commit security acl deletes a security ACL, or all security ACLs, from the running configuration and nonvolatile storage.
● set security acl on page 15-395
● show security acl on page 15-402
● show security acl info on page 15-404

hit-sample-rate

This command has been renamed in MSS Version 4.1. To configure the hit sample rate, see set security acl hit-sample-rate on page 15-401.

rollback security acl

Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled back to its state after the last commit security acl command was entered.
Syntax

By source address
set security acl ip acl-name {permit [cos cos] | deny} {source-ip-addr mask | any} [before editbuffer-index | modify editbuffer-index] [hits]

By Layer 4 protocol
set security acl ip acl-name {permit [cos cos] | deny} protocol-number {source-ip-addr mask | any} {destination-ip-addr mask | any} [[precedence precedence] [tos tos] | [dscp codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]

By IP packets
set security acl ip acl-name {permit [cos
acl-name Security ACL name. ACL names must be unique within the MX, must start with a letter, and are case-insensitive. Specify an ACL name of up to 32 of the following characters:
❑ Letters a through z and A through Z
❑ Numbers 0 through 9
❑ Hyphen (-), underscore (_), and period (.)
Trapeze Networks recommends that you do not use the same name with different capitalizations for ACLs. For example, do not configure two separate ACLs with the names acl_123 and ACL_123.
precedence precedence Filters packets by precedence level. Specify a value from 0 through 7:
❑ 0—routine precedence
❑ 1—priority precedence
❑ 2—immediate precedence
❑ 3—flash precedence
❑ 4—flash override precedence
❑ 5—critical precedence
❑ 6—internetwork control precedence
❑ 7—network control precedence

tos tos Filters packets by type of service (TOS) level. Specify one of the following values, or any sum of these values up to 15.
Usage The MX does not apply security ACLs until you activate them with the commit security acl command and map them to a VLAN, port, or virtual port, or to a user. If the MX is reset or restarted, any ACLs in the edit buffer are lost.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.

The order of security ACEs in a security ACL is important.
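The following Python sketch is an added example, not code from this guide or from MSS. It shows why ACE order matters for the by-source-address form of set security acl ip, by evaluating ACEs top-down and reporting ACEs that an earlier ACE makes unreachable. Assumptions: the first matching ACE decides, traffic matching no ACE is denied, and the mask is a wildcard mask (0.0.0.0 matches one host, as in the edit-buffer listings in this chapter); the ACL name acl-demo and all addresses are constructed.

```python
"""Added example: first-match evaluation of 'set security acl ip' ACEs
(by-source-address form) and detection of ACEs that can never match."""
import ipaddress
from dataclasses import dataclass

FULL = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    src: int       # source address with the don't-care bits cleared
    wildcard: int  # 1-bits are ignored when matching (assumption: wildcard mask)


def parse_ace(line):
    """Parse: set security acl ip NAME {permit [cos N] | deny} {ADDR MASK | any}.
    Trailing options such as 'hits' or 'before N' are ignored by this sketch."""
    tok = line.split()
    if len(tok) < 7 or tok[:4] != ["set", "security", "acl", "ip"]:
        raise ValueError(f"not a security ACL command: {line!r}")
    action, rest = tok[5], tok[6:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if action == "permit" and rest[0] == "cos":
        rest = rest[2:]                      # skip 'cos N'
    if rest and rest[0] == "any":
        return Ace(action, 0, FULL)
    if len(rest) < 2:
        raise ValueError(f"missing source address or mask in: {line!r}")
    addr = int(ipaddress.IPv4Address(rest[0]))
    wild = int(ipaddress.IPv4Address(rest[1]))
    return Ace(action, addr & ~wild & FULL, wild)


def matches(ace, ip):
    """True if the source address ip falls under the ACE's address/mask."""
    diff = int(ipaddress.IPv4Address(ip)) ^ ace.src
    return (diff & ~ace.wildcard & FULL) == 0


def evaluate(aces, ip):
    """Assumed semantics: first matching ACE wins, no match means deny."""
    for ace in aces:
        if matches(ace, ip):
            return ace.action
    return "deny"


def covers(a, b):
    """True if every address matched by b is also matched by a."""
    extra_bits = b.wildcard & ~a.wildcard & FULL
    fixed_diff = (a.src ^ b.src) & ~a.wildcard & FULL
    return extra_bits == 0 and fixed_diff == 0


def shadowed(aces):
    """Return (ace_index, earlier_index) pairs, 1-based as in the edit
    buffer listing, for ACEs fully covered by an earlier ACE."""
    found = []
    for j, later in enumerate(aces):
        for i in range(j):
            if covers(aces[i], later):
                found.append((j + 1, i + 1))
                break
    return found


# Constructed sample ACL: the deny for one host comes after a permit
# for its whole /24, so the deny can never take effect.
SAMPLE_ACL = [parse_ace(line) for line in """
set security acl ip acl-demo permit 192.168.254.0 0.0.0.255
set security acl ip acl-demo deny 192.168.254.12 0.0.0.0
set security acl ip acl-demo permit cos 6 192.168.253.11 0.0.0.0
set security acl ip acl-demo deny any
""".strip().splitlines()]

# Same ACEs with the host deny moved ahead of the subnet permit.
REORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0]] + SAMPLE_ACL[2:]

if __name__ == "__main__":
    print("shadowed ACEs:", shadowed(SAMPLE_ACL))
    print("original :", evaluate(SAMPLE_ACL, "192.168.254.12"))
    print("reordered:", evaluate(REORDERED_ACL, "192.168.254.12"))
```

Running the shadow check against the edit buffer before commit security acl catches ordering mistakes while they can still be fixed with the before editbuffer-index option.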
set security acl map

Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed MP on the MX switch.

Note: To assign a security ACL to a user or group in the local MX database, use the command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation for your RADIUS server.
● set mac-user attr on page 9-178
● set mac-usergroup attr on page 9-182
● set security acl on page 15-395
● set user attr on page 9-186
● set usergroup on page 9-188
● show security acl map on page 15-405

set security acl hit-sample-rate

Specifies the time interval, in seconds, that the packet counter for each security ACL is sampled for display. The counter counts the number of packets filtered by the security ACL—or “hits.
show security acl

Displays a summary of the security ACLs that are mapped.

Syntax show security acl

Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
Usage This command lists only the ACLs mapped to something (a user, or VLAN, or port, and so on). To list all committed ACLs, use the show security acl info command. To list ACLs that are not yet committed, use the show security acl editbuffer command.
---------------------------- ---- --------------
acl_111                      IP   Not committed
acl-a                        IP   Not committed

To view details about these uncommitted ACLs, type the following command.

MX# show security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
----------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.
show security acl info

Displays the contents of a specified security ACL or all security ACLs that are committed—saved in the running configuration and nonvolatile storage—or the contents of security ACLs in the edit buffer before they are committed.

Syntax show security acl info [acl-name | all] [editbuffer]

acl-name Name of an existing security ACL to display. ACL names must start with a letter and are case-insensitive.
all Displays the contents of all security ACLs.
● set security acl on page 15-395

show security acl map

Displays the VLANs, ports, and virtual ports on the MX to which a security ACL is assigned.

Syntax show security acl map acl-name

acl-name Name of an existing security ACL for which to display static mapping. ACL names must start with a letter and are case-insensitive.

Defaults None.
Access Enabled.
History
MSS Version 1.0 Command introduced
MSS Version 1.
Longest leaf chain        : 2
Number of non-leaf nodes  : 0
Uncompressed Rule Count   : 2
Maximum node depth        : 1
Sub-chain count           : 0
PSCBs in primary memory   : 0 (max: 512)
PSCBs in secondary memory : 0 (max: 9728)
Leaves in primary         : 2 (max: 151)
Leaves in secondary       : 0 (max 12096)
Sum node depth            : 1

Information on Network Processor status
---------------------------------------
Fragmentation control : 0
UC switchdest         : 0

ACL resources Port number Number of action types LUdef in use Default a
Table 15–1. show security acl resource-usage Output (continued)

Field | Description
Leaves in secondary | Number of ACL data entries stored in secondary leaf memory.
Sum node depth | Total number of security ACL data entries.
Fragmentation control | Control value for handling fragmented IP packets. Note: The current MSS version filters only the first packet of a fragmented IP packet and passes the remaining fragments.
UC switchdest | Control value for handling fragmented IP packets.
Table 15–1. show security acl resource-usage Output (continued)

Field | Description
No VLAN or PORT mapping | Application of security ACLs to MX VLANs or ports on the MX:
❑ True—No security ACLs are mapped to VLANs or ports.
❑ False—Security ACLs are mapped to VLANs or ports.
No VPORT mapping | Application of security ACLs to MX virtual ports on the MX:
❑ True—No security ACLs are mapped to virtual ports.
❑ False—Security ACLs are mapped to virtual ports.
16 Cryptography Commands

A digital certificate is a form of electronic identification for computers. The MX requires digital certificates to authenticate communications to RingMaster and Web View, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the MX performs all EAP processing. Certificates can be generated on the MX or obtained from a certificate authority (CA).
crypto ca-certificate

Installs a certificate authority’s own PKCS #7 certificate into the MX certificate and key storage area.

Syntax crypto ca-certificate {admin | eap | web} PEM-formatted-certificate

admin Stores the certificate authority’s certificate that signed the administrative certificate for the MX. The administrative certificate authenticates the MX to RingMaster or Web View.
crypto certificate

Installs one of the MX PKCS #7 certificates into the certificate and key storage area on the MX. The certificate, which is issued and signed by a certificate authority, authenticates the MX either to RingMaster or Web View, or to 802.1X supplicants (clients).

Syntax crypto certificate {admin | eap | web} PEM-formatted certificate

admin Stores the certificate authority’s administrative certificate, which authenticates the MX switch to RingMaster or Web View.
crypto generate key

Generates an RSA public-private encryption key pair that is required for a Certificate Signing Request (CSR) or a self-signed certificate. For SSH, generates an authentication key.

Syntax crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}

admin Generates an administrative key pair for authenticating the MX to RingMaster or Web View.
Syntax crypto generate request {admin | eap | web}

admin Generates a request for an administrative certificate to authenticate the MX to RingMaster or Web View.
eap Generates a request for an EAP certificate to authenticate the MX to 802.1X supplicants (clients).
web Generates a request for a WebAAA certificate to authenticate the MX to WebAAA clients.
State Name: CA
Locality Name: Pleasanton
Organizational Name: Trapeze
Organizational Unit: ENG
Common Name: ENG
Email Address: admin@example.
Common Name string Specify a unique name for the MX, in up to 80 alphanumeric characters with no spaces. Use a fully qualified name if such names are supported on your network. This field is required.

Note: If you are generating a WebAAA (web) certificate, use a common name that looks like a domain name (two or more strings connected by dots, with no spaces). For example, use common.name instead of common name. The string is not required to be an actual domain name.
web Creates a one-time password for installing a PKCS #12 object file for a WebAAA certificate and key pair—and optionally the certificate authority’s own certificate—to authenticate the MX to WebAAA clients.
one-time-password Password of at least 1 alphanumeric character, with no spaces, for clients other than Microsoft Windows clients. The password must be the same as the password protecting the PKCS #12 object file.
web Unpacks a PKCS #12 object file for a WebAAA certificate and key pair—and optionally the certificate authority’s own certificate—for authenticating the MX switch to WebAAA clients.
file-location-url Location of the PKCS #12 object file to be installed. Specify a location of between 1 and 128 alphanumeric characters, with no spaces.

Defaults The password you enter with the crypto otp command must be the same as the one protecting the PKCS #12 file.
Access Enabled.
History
Version 1.0 Command introduced
Version 3.0 webaaa option added
Version 4.1 webaaa option renamed to web

Examples To display information about the certificate of a certificate authority, type the following command:

MX# show crypto ca-certificate

Table 16–1 describes the fields in the display.

Table 16–1. show crypto ca-certificate Output

Fields | Description
Version | Version of the X.509 certificate.
Examples To display information about a cryptographic certificate, type the following command:

MX# show crypto certificate eap

Table 16–2 describes the fields of the display.

Table 16–2. crypto certificate Output

Fields | Description
Version | Version of the X.509 certificate.
Serial Number | A unique identifier for the certificate or signature.
Subject | Name of the certificate owner.
Signature Algorithm | Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Examples To display SSH key information, type the following command:

MX# show crypto key ssh
ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04

See Also
● crypto generate key on page 16-412
17 RADIUS, LDAP, and Server Groups Commands

Use RADIUS commands to set up communication between an MX switch and groups of up to four RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and network users. This chapter presents RADIUS commands alphabetically. Use the following table to locate commands in this chapter based on their uses. With MSS 7.1, LDAPv3 is now available as an authentication method.
(For information about RADIUS attributes, see the RADIUS appendix in the Trapeze Mobility System Software Configuration Guide.)

clear ldap auth-port

Syntax clear ldap auth-port port
Defaults None
Access Enabled
History Introduced in MSS 7.1.

clear ldap base-dn

Syntax clear ldap base-dn basedn
Defaults None
Access Enabled
History Introduced in MSS 7.1.
Usage Clears the MAC address format from the LDAP configuration.

clear ldap timeout

Syntax clear ldap timeout secs
Defaults None
Access Enabled
History Introduced in MSS 7.1.

clear ldap server

Syntax clear ldap server name
Defaults None
Access Enabled
History Introduced in MSS 7.1.

clear ldap server group

Syntax clear ldap server group name
Defaults None
Access Enabled
History Introduced in MSS 7.
Usage To override the globally set values on a particular RADIUS server, use the set radius server command.

Examples To reset all global RADIUS parameters to their factory defaults, type the following commands:

MX# clear radius deadtime
success: change accepted.
MX# clear radius key
success: change accepted.
MX# clear radius retransmit
success: change accepted.
MX# clear radius timeout
success: change accepted.
See Also
● set radius client system-ip on page 431
● show aaa on page 190

clear radius proxy client

Removes RADIUS proxy client entries for third-party APs.

Syntax clear radius proxy client all

Defaults None.
Access Enabled.
History Introduced in MSS 4.0.

Examples The following command clears all RADIUS proxy client entries from the MX:

MX# clear radius proxy client all
success: change accepted.
See Also
● set radius server on page 433
● show aaa on page 190

clear server group

Removes a RADIUS server group from the configuration, or disables load balancing for the group.

Syntax clear server group group-name [load-balance]

group-name Name of a RADIUS server group configured to perform remote AAA services for MX switches.
load-balance Ability of group members to share demand for services among servers.

Defaults None.
Access Enabled.
Syntax MX# radping {server servername | group servergroup} request [acct-off | acct-on | acct-start | acct-stop | acct-update | authentication] user username password password auth-type {plain | mschap2}

server servername Name of a RADIUS server configured to perform remote AAA services for MX switches.
group servergroup Name of a RADIUS server group configured to perform remote AAA services for MX switches.
Syntax set ldap [auth-port port] [base-dn basedn] [bind-mode simpleauth | sasl-md5] [deadtime mins] [mac-addr-format hyphens | colons | one-hyphen | raw] [timeout seconds]

auth-port port The designated port used for LDAP authentication.
base-dn basedn The suffix to be appended to a Domain Name.
Examples To add LDAP server, testldap, to the server group, corpldap, use the following command:

MX# set ldap server group corpldap members testldap
success: change accepted.

set ldap server group load-balance

Allows you to balance traffic between LDAP server groups on your network.

Syntax set ldap server group server-group-name load-balance [enable | disable]

Defaults None
Access Enabled
History Introduced in MSS 7.
mac-addr-format [colons | hyphens | one-hyphen | raw] Sets the MAC address format for all RADIUS servers using the author-password option. MAC addresses can have the following formats:
❑ colons—12:34:56:78:9a:bc
❑ hyphens—12-34-56-78-9a-bc
❑ one-hyphen—123456-789abc
❑ raw—123456789abc

retransmit number Number of transmission attempts the MX makes before declaring an unresponsive RADIUS server unavailable. You can specify from 1 to 100 retries.
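The following Python sketch is an added example, not code from this guide or from MSS. It renders a MAC address in each of the four mac-addr-format styles listed above and audits a list of MAC user names, as they might be stored on a RADIUS server, against the style configured on the MX. Assumptions: the server compares user names as exact strings and the MX sends lowercase hex as in the examples above; the user names in the sample are constructed.

```python
"""Added example: the four mac-addr-format styles, plus an audit of MAC
user names against the style the MX is configured to send."""
import re

STYLES = ("colons", "hyphens", "one-hyphen", "raw")


def normalize_mac(text):
    """Strip separators and return 12 lowercase hex digits, or raise."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def format_mac(text, style):
    """Render a MAC address in one of the mac-addr-format styles."""
    if style not in STYLES:
        raise ValueError(f"unknown mac-addr-format: {style!r}")
    raw = normalize_mac(text)
    if style == "raw":
        return raw
    if style == "one-hyphen":
        return raw[:6] + "-" + raw[6:]
    pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
    return (":" if style == "colons" else "-").join(pairs)


def audit_usernames(usernames, style):
    """Return (name, expected) for every user name that would not equal
    the string sent in the given style. expected is None when the name
    is not a MAC address at all."""
    if style not in STYLES:
        raise ValueError(f"unknown mac-addr-format: {style!r}")
    findings = []
    for name in usernames:
        try:
            expected = format_mac(name, style)
        except ValueError:
            findings.append((name, None))
            continue
        if name != expected:
            findings.append((name, expected))
    return findings


# Constructed sample: MAC user names as they might appear in a RADIUS
# user database, in mixed styles, with one malformed entry.
RADIUS_USERS = [
    "12-34-56-78-9a-bc",   # already in 'hyphens' style
    "123456789abc",        # 'raw' style
    "12:34:56:78:9A:BC",   # colons, upper case
    "00-0b-0e-zz-00-01",   # not valid hex
]

if __name__ == "__main__":
    for style in STYLES:
        print(f"{style:10} {format_mac('12:34:56:78:9a:bc', style)}")
    for name, expected in audit_usernames(RADIUS_USERS, "hyphens"):
        print(f"mismatch: {name!r} -> expected {expected!r}")
```

An entry stored in a different style from the one the MX sends fails MAC authentication even though the address is correct, so the audit is worth running whenever mac-addr-format is changed.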
Access Enabled
History Introduced in MSS Version 7.0

set radius dac

Configures dynamic RADIUS extensions in support of RFC 3576.

Syntax MX# set radius-dac name ip-addr key string [disconnect [enable | disable] change-of-author [enable | disable] replay-protection [enable | disable] replay-window seconds]

Defaults None
Access Enabled.
History Introduced in MSS Version 6.2.
Syntax set radius client system-ip

Defaults None. If you do not use this command, RADIUS packets leaving the MX have the source IP address of the outbound interface, which can change as routing conditions change.
Access Enabled.
History Introduced in MSS 1.0.
Usage The MX system IP address must be set before you use this command.
set radius proxy port

Configures the MX port connected to a third-party AP as a RADIUS proxy for the SSID supported by the AP.

Syntax set radius proxy port port-list [tag tag-value] ssid ssid-name

port port-list MX port(s) connected to the third-party AP.
tag tag-value 802.1Q tag value in packets sent by the third-party AP for the SSID.
ssid ssid-name SSID supported by the third-party AP.

Defaults None.
Access Enabled.
History Introduced in MSS 4.0.
deadtime minutes Number of minutes the MX waits after declaring an unresponsive RADIUS server unavailable before retrying that RADIUS server. Specify between 0 (zero) and 1440 minutes (24 hours). A zero value causes the MX to identify unresponsive servers as available.
key string | encrypted-key string Password (shared secret key) the MX uses to authenticate to RADIUS servers. You must provide the same password that is defined on the RADIUS server.
● set authentication console on page 165
● set authentication dot1x on page 167
● set authentication mac on page 170
● set authentication web on page 174
● set radius on page 429
● set server group on page 435
● show aaa on page 190

set server group

Configures a group of one to four RADIUS servers.
History Introduced in MSS 1.0.
Usage You can optionally enable load balancing after assigning the server group members. If you configure load balancing, MSS sends each AAA request to a separate server, starting with the first one on the list and skipping unresponsive servers. If no server in the group responds, MSS moves to the next method configured with set authentication and set accounting.
Examples Use the following command to display information about LDAP configurations.
show radius

Displays configuration information about RADIUS servers.

Syntax show radius

Defaults None
Access Enabled
History Command introduced in MSS 6.2.

Examples Use the following command to display information about RADIUS configurations.
describes the fields that can appear in the show radius output.

Table 17–2. show radius Output

Field | Description
Default values | RADIUS default values for all parameters.
Server | Name of each RADIUS server currently active.
IP Address | IP address of each RADIUS server currently active.
Auth Port | UDP port on the MX for transmission of RADIUS authorization and authentication messages. The default port is 1812.
18 802.1X Management Commands

Use IEEE 802.1X management commands to modify the default settings for IEEE 802.1X sessions on an MX. For best results, change the settings only if you are aware of a problem with 802.1X performance on the MX. This chapter presents 802.1X commands alphabetically. Use the following table to locate commands in this chapter based on their use. For information about configuring 802.1X commands for user authentication, see Chapter , “AAA Commands,” on page 147. ! 802.
clear dot1x bonded-period

Resets the Bonded Auth period to its default value.

Syntax clear dot1x bonded-period

Defaults The default bonded authentication period is 0 seconds.
Access Enabled.
History Introduced in MSS Version 2.1.
Usage

Examples To reset the Bonded period to its default, type the following command:

MX# clear dot1x bonded-period
success: change accepted.
Examples Type the following command to reset the wired authentication port control:

MX# clear dot1x port-control
success: change accepted.

See Also
● set dot1x port-control on page 18-442
● show dot1x on page 18-447

clear dot1x quiet-period

Resets the quiet period after a failed authentication to the default setting.

Syntax clear dot1x quiet-period

Defaults The default is 60 seconds.
Access Enabled.
History Introduced in MSS 1.0.
Access Enabled.
History Introduced in MSS 1.0.

Examples Type the following command to reset the default reauthentication time period:

MX# clear dot1x reauth-period
success: change accepted.

See Also
● set dot1x reauth-period on page 18-444
● show dot1x on page 18-447

clear dot1x timeout auth-server

Resets to the default setting the number of seconds that must elapse before the MX times out a request to a RADIUS server.
clear dot1x tx-period

Resets to the default setting the number of seconds that must elapse before the MX retransmits an EAP over LAN (EAPoL) packet.

Syntax clear dot1x tx-period

Defaults The default is 5 seconds.
Access Enabled.
History Introduced in MSS 1.0.

Examples Type the following command to reset the EAPoL retransmission time:

MX# clear dot1x tx-period
success: change accepted.
set dot1x bonded-period

Changes the Bonded Auth™ (bonded authentication) period. The Bonded Auth period is the number of seconds MSS allows a Bonded Auth user to reauthenticate.

Syntax set dot1x bonded-period seconds

seconds Number of seconds MSS retains session information for an authenticated computer while waiting for a client to (re)authenticate on the same computer. You can change the bonded authentication period to a value from 1 to 300 seconds.
set dot1x max-req

Sets the maximum number of times the MX retransmits an EAP request to a supplicant (client) before ending the authentication session.

Syntax set dot1x max-req number-of-retransmissions

number-of-retransmissions Specify a value between 0 and 10.

Defaults The default number of EAP retransmissions is 2.
Access Enabled.
History Introduced in MSS 1.0.
Usage To support SSIDs that have both 802.
set dot1x port-control

Determines the 802.1X authentication behavior on individual wired authentication ports or groups of ports.

Syntax set dot1x port-control {forceauth | forceunauth | auto} port-list

forceauth Forces the specified wired authentication port(s) to unconditionally authorize all 802.1X authentication attempts, with an EAP success message.
forceunauth Forces the specified wired authentication port(s) to unconditionally reject all 802.
set dot1x reauth

Determines whether the MX switch allows the reauthentication of supplicants (clients).

Syntax set dot1x reauth {enable | disable}

enable Permits reauthentication.
disable Denies reauthentication.

Defaults Reauthentication is enabled by default.
Access Enabled.
History Introduced in MSS 1.0.

Examples Type the following command to enable reauthentication of supplicants (clients):

MX# set dot1x reauth enable
success: dot1x reauthentication enabled.
set dot1x reauth-period

Sets the number of seconds that must elapse before the MX switch attempts reauthentication.

Syntax set dot1x reauth-period seconds

seconds Specify a value between 60 (1 minute) and 1,641,600 (19 days).

Defaults The default is 3600 seconds (1 hour).
Access Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 1.1 Maximum value changed.
set dot1x timeout supplicant

Sets the number of seconds that must elapse before the MX switch times out an authentication session with a supplicant (client).

Syntax set dot1x timeout supplicant seconds

seconds Specify a value between 1 and 65,535.

Defaults The default is 30 seconds.
Access Enabled.
History Introduced in MSS 1.0.
set dot1x unicast-rekey-period

Enables or disables unicast periodic rekeying with a configurable interval.

Syntax set dot1x unicast-rekey-period [integer]

integer Configure an integer from 30 to 86400.

Defaults None
Access Enabled
History Introduced in MSS 7.1
Usage

set dot1x wep-rekey

Enables or disables Wired Equivalency Privacy (WEP) rekeying for broadcast and multicast encryption keys.
Access Enabled.
History
MSS Version 1.0 Command introduced.
MSS Version 1.1 Maximum value changed.

Examples Type the following command to set the WEP-rekey period to 300 seconds:

MX# set dot1x wep-rekey-period 300
success: dot1x wep-rekey-period set to 300

See Also
● set dot1x wep-rekey on page 18-446
● show dot1x on page 18-447

show dot1x

Displays 802.1X client information for statistics and configuration settings.
802.1X Management Commands 00:02:2d:6f:44:77 00:05:5d:7e:94:89 00:06:80:00:5c:02 00:02:2d:6a:de:f2 00:02:2d:5e:5b:76 00:02:2d:80:b6:e1 00:30:65:16:8d:69 00:02:2d:64:8e:1b Authenticated Authenticated Authenticated Authenticated Authenticated Authenticated Authenticated Authenticated vlan-eng vlan-eng vlan-eng vlan-pm vlan-pm vlan-cs vlan-wep vlan-eng EXAMPLE\ethan EXAMPLE\fmarshall EXAMPLE\bmccarthy neailey@xmple.com EXAMPLE\tamara dmc@xmple.
Starts While Authenticated:     85
Logoffs While Authenticated:    1
Bad Packets Received:           0

Table 18–1 explains the counters in the show dot1x stats output.

Table 18–1. show dot1x stats Output

Field    Description
Enters Connecting    Number of times that the MX state transitions to the CONNECTING state from any other state.
Logoffs While Connecting    Number of times that the MX state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL-Logoff message.
19 Session Management Commands

Use session management commands to display and clear administrative and network user sessions. This chapter presents session management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
To clear all administrative Telnet sessions, type the following command:

MX# clear sessions telnet
This will terminate manager sessions, do you wish to continue? (y|n) [n]y

To clear Telnet client session 0, type the following command:

MX# clear sessions telnet client 0

See Also  show sessions on page 19-451

clear sessions network

Clears all network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or
To clear the session of user Natasha, type the following command:

MX-20# clear sessions network user Natasha

To clear the sessions of users whose name begins with the characters Jo, type the following command:

MX-20# clear sessions network user Jo*

To clear the sessions of all users on VLAN red, type the following command:

MX-20# clear sessions network vlan red

See Also
● show sessions on page 19-451
● show sessions network on page 19-454

show sessions

Displays session informa
User Name              Sess ID  Type   IP or MAC Address  VLAN    AP/Radio
---------------------  -------  -----  -----------------  ------  --------
engineering-05:0c:78   28*      dot1x  10.7.255.2         yellow  5/1
engineering-79:86:73   29*      dot1x  10.7.254.3         red     2/1
engineering-1a:68:78   30*      dot1x  10.7.254.
Table 19–2. show sessions telnet client Output

Field    Description
Session    Session number assigned by MSS when the client session is established.
Server Address    IP address of the remote device.
Server Port    TCP port number of the remote device’s TCP server.
Client Port    TCP port number MSS is using for the client side of the session.

See Also  clear sessions on page 19-449

show sessions mesh-ap

Displays summary or verbose information about Mesh AP sessions on the MX.
See Also  clear sessions on page 19-449

show sessions network

Displays summary or verbose information about all network sessions, or network sessions for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or set of VLANs, or session ID.
Version 4.2 ❑ ❑ ❑ ❑ Version 5.0 ❑ Host name field added to show sessions network verbose output. MP serial number added to show sessions network verbose output. The following fields added to show sessions network session-id output: • Local Id • SSID • Last Auth Time • Last Activity • Idle Time-To-Live • Login Type • Protocol • Session CAC Authentication Method field renamed to EAP Method.
The following command displays summary information about all the sessions of users whose names begin with E:

MX> show sessions network user E*
User Name                    Sess  Type   Address         VLAN          AP/Radio
---------------------------  ----  -----  --------------  ------------  --------
EXAMPLE\Eval                 13*   web    10.10.10.39     vlan-eng      1/2

(Table 19–4 on page 457 describes the summary displays of show sessions network commands.)
Idle Time-To-Live: 175
EAP Method: NONE, using server 172.16.0.1
Protocol: 802.11
CoS: flow-through
Session CAC: disabled
Radio type: 802.
Table 19–4. show sessions network (summary) Output (continued)

Field    Description
IP or MAC Address    IP address of the session user, or the user’s MAC address if the user has not yet received an IP address.
VLAN Name    Name of the VLAN associated with the session.
Port/Radio    Number of the port and radio through which the user is accessing this session.

Table 19–5.
Table 19–5. Additional show sessions network verbose Output (continued)

Field    Description
Vlan-Name (and other attributes if set)    Authorization attributes for the user and how they were assigned (the sources of the attribute values). For Vlan-Name, the source of the attribute value can be one of the following:
    ❑ AAA—VLAN is from RADIUS or the local database.
Table 19–6. show sessions network session-id Output (continued)

Field    Description
Tag    System-wide supported VLAN tag type.
Session Start    Indicates when the session started.
Last Auth Time    Indicates when the most recent authentication of the session occurred.
Last Activity    Indicates when the last activity (transmission) occurred on the session.
Session Timeout    Assigned session timeout in seconds.
Usage
Examples  To display a network session with a SIP configuration, use the following command:

MX# show sessions network sip
1 of 6 sessions matched
User Name              SessID  Type   Address            VLAN             AP/Radio
---------------------  ------  -----  -----------------  ---------------  --------
jdoe                   49551*  dot1x  172.21.50.45       eng-alpha        12/1

show sessions network voice-details

Displays information about VoIP sessions on the network.
IP: 172.21.50.51
MAC: 00:13:e8:95:51:8d
AP/Radio: 12/2
Protocol: 802.11
Session CAC: disabled
Radio type: 802.11a
Last packet rate: 54 Mb/s
Last packet RSSI: -67 dBm
Last packet SNR: 28
Voice Queue: IDLE

Name: TRAPEZE\jjones
Session ID: 49549
SSID: alpha-tkip
IP: 172.21.50.114
MAC: 00:1e:e5:a7:24:66
AP/Radio: 4/2
Protocol: 802.11
Session CAC: disabled
Radio type: 802.
Table 20. show sessions network voice-details Output

Field    Description
Protocol:    Identifies the wireless protocol configured for the session.
Session CAC:    Displays if CAC is enabled in the configuration.
Radio type:    Displays the wireless radio type for the client.
Last Packet Rate:    Indicates network speed for the client.
Last Packet RSSI:    Displays the radio strength of the last transmitted packet.
20 RF Detection Commands

MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not belong to a Trapeze device and is not a member of the ignore list configured on the seed MX of the Mobility Domain. MSS can issue countermeasures against rogue devices to prevent clients from being able to use them. You can configure RF detection parameters on individual MX switches.
Log Messages    set rfdetect log on page 20-468
MX-to-Client RF Link    rfping on page 20-464

clear rfdetect rogue-list

Removes a MAC address from the attack list.

Syntax    clear rfdetect rogue-list [mac | all]
    mac    MAC address you want to remove from the rogue list.
    all    Removes all MAC addresses from the rogue list.
Defaults  None.
Access    Enabled.
History
    MSS Version 4.0    Command introduced.
    MSS Version 6.
clear rfdetect countermeasures mac

Deprecated in MSS Version 4.0.

clear rfdetect neighbor-list

Removes a device from the neighbor list for RF scans. MSS does not generate log messages or traps for the devices in the neighbor list.

Syntax    clear rfdetect neighbor-list [transmit-mac | oui | all]
    transmit-mac    Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the neighbor list.
● show rfdetect ssid-list on page 20-480

clear rfdetect vendor-list

Deprecated in MSS Version 6.2.

rfping

Provides information about the RF link between the MX and the client based on sending test packets to the client.

Syntax    rfping {mac mac-addr | session-id session-id}
    mac-addr    Tests the RF link between the MX and the client with the specified MAC address.
    session-id    Tests the RF link between the MX and the client with the specified local session ID.
Defaults  None.
set rfdetect active-scan

Deprecated in MSS Version 4.0. You now can disable or reenable active scan in individual radio profiles. See set radio-profile active-scan on page 12-260.

set rfdetect rogue-list

Adds an entry to the rogue list. The rogue list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The rogue list can contain the MAC addresses of APs and clients.
History   Introduced in MSS Version 4.0.
Usage     In addition to manually configured entries, the list can contain entries added by MSS. MSS can place a client in the blacklist due to an association, reassociation or disassociation flood from the client. The client black list applies only to the MX with the configured list. MX switches do not share client blacklists. MSS supports up to 1024 clients in the black list.
History   Introduced in MSS 6.2
Examples  To configure MSS to detect ad-hoc networks and classify them as rogue devices, use the following command:

MX>set rfdetect classification ad-hoc rogue

set rfdetect classification default

Used to configure the default classification of unknown devices on the network.

Syntax    set rfdetect classification default [rogue | suspect | neighbor]
    rogue    Sets the default classification as rogue.
    suspect    Sets the default classification as suspect.
Syntax    set rfdetect ssid-masquerade [rogue | skip-test]
    rogue    Sets the classification as rogue.
    skip-test    Sets the default classification as suspect.
Defaults  None
Access    Enabled
History   Introduced in MSS 6.2
Examples  To configure MSS to detect unknown devices and classify them as rogue devices, use the following command:

MX>set rfdetect classification ssid-masquerade rogue

set rfdetect countermeasures

Deprecated in MSS Version 4.0.
set rfdetect signature

Enables MP signatures. An MP signature is a set of bits in a management frame sent by an MP that identifies that MP to MSS. If someone attempts to spoof management packets from a Trapeze MP, MSS can detect the spoof attempt.

Syntax    set rfdetect signature {enable | disable}
    enable    Enables MP signatures.
    disable    Disables MP signatures.
Defaults  MP signatures are disabled by default.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Syntax    set rfdetect ssid-list [ssid-name | ssid*]
    ssid-name    SSID name you want to add to the permitted SSID list.
    ssid*    SSID glob to add to the permitted SSID list.
Defaults  The permitted SSID list is empty by default and all SSIDs are allowed. However, after you add an entry to the list, MSS allows traffic only for the listed SSIDs.
Access    Enabled.
History
    MSS Version 4.0    Command introduced.
    MSS Version 6.2    Added the ability to use wildcards for SSID names.
[Figure: device classification flowchart. Decision labels and outcomes, in page order: If in the Neighbor List (Neighbor); If SSID Masquerade (Rogue); Client or Client DST MAC seen in network (Rogue); If Ad hoc device (Rogue); If SSID in SSID list (Neighbor); Default Classification (Suspect).]

show rfdetect rogue-list

Displays information about the MAC addresses in the rogue list.

Syntax    show rfdetect rogue-list
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
    MSS Version 4.0    Command introduced.
    MSS Version 6.
See Also
● clear rfdetect black-list on page 20-462
● set rfdetect black-list on page 20-465

show rfdetect clients

Displays the wireless clients detected by an MX.

Syntax    show rfdetect clients [mac mac-addr]
    mac mac-addr    Displays detailed information for a specific client.
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Table 20–2. show rfdetect clients Output (continued)

Field    Description
Type    Classification of the rogue device:
    ❑ rogue—Wireless device that is on the network but is not supposed to be on the network.
    ❑ intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MP radios.
    ❑ known—Device that is a legitimate member of the network.
Last seen    Number of seconds since an MP radio last detected 802.11 packets from the device.
MX# show rfdetect countermeasures
Total number of entries: 190
Rogue MAC          Type   Countermeasures Radio Mac  MX-IPaddr        Port/Radio/Channel
-----------------  -----  -------------------------  ---------------  ------------------
00:0b:0e:00:71:c0  intfr  00:0b:0e:44:55:66          10.1.1.23        ap 4/1/6
00:0b:0e:03:00:80  rogue  00:0b:0e:11:22:33          10.1.1.23        ap 2/1/11

Table 20–4 describes the fields in this display.

Table 20–4. show rfdetect countermeasures Output

Field    Description
Rogue MAC    BSSID of the rogue.
802.11 mgmt type 7 flood
802.11 mgmt type d flood
802.11 mgmt type e flood
802.11 mgmt type f flood
802.11 association flood
802.11 reassociation flood
802.
Examples  The following command shows the devices detected by the MX during the most recent RF detection scan:

MX# show rfdetect data
Total number of entries: 197
BSSID Vendor Class AP Name RSSI
----------------- ------- ----- ------------- ------
00:07:50:d5:cc:91 Cisco intfr 3 i----w
00:07:50:d5:dc:78 Cisco intfr 1 i----w
00:09:b7:7b:8a:54 Cisco intfr 3 i----
00:0a:5e:4b:4a:c0 3Com intfr 3 i----
00:0a:5e:4b:4a:c2 3Com intfr 3 i-t1-
00:0a:5e:4b:4a:c4 3Com intfr 3 ic---
00:0a:5e:4b:4a:c6 3
Syntax    show rfdetect neighbor-list
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 3.0.
    MSS Version 3.0    Command introduced.
    MSS 6.2    Command changed from ignore to neighbor-list.
MX# show rfdetect mobility-domain
Total number of entries: 194
Flags: i = infrastructure, a = ad-hoc, u = unresolved
       c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
BSSID              Vendor        Type   Flags   SSID
-----------------  ------------  -----  ------  --------------------------------
00:07:50:d5:cc:91  Cisco         intfr  i----w  r27-cisco1200-2
00:07:50:d5:dc:78  Cisco         intfr  i----w  r116-cisco1200-2
00:09:b7:7b:8a:54  Cisco         intfr  i----
00:0a:5e:4b:4a:c0  3Com          intfr  i-----  public
00:0a:5e:4b:4
RSSI: -72
SSID: notmycorp

Table 20–6 and Table 20–7 describe the fields in these displays.

Table 20–6. show rfdetect mobility-domain Output

Field    Description
BSSID    MAC address of the SSID used by the detected device.
Vendor    Company that manufactures or sells the rogue device.
Type    Classification of the rogue device:
    ❑ rogue—Wireless device that is not supposed to be on the network. The device has an entry in an MX switch’s FDB and is therefore on the network.
Table 20–7. show rfdetect mobility-domain ssid or bssid Output (continued)

Field    Description
SSID    SSID mapped to the BSSID.

See Also
● show rfdetect data on page 20-475
● show rfdetect visible on page 20-480

show rfdetect ssid-list

Displays the entries in the permitted SSID list.

Syntax    show rfdetect ssid-list
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
    radio 1    Shows neighbor information for radio 1.
    radio 2    Shows neighbor information for radio 2. (This option does not apply to single-radio models.)
Defaults  None.
Access    Enabled.
History
    Version 3.0    Command introduced.
    Version 4.0    Vendor, Type, and Flags fields added.
Usage     If a Trapeze radio is supporting more than one SSID, each of the corresponding BSSIDs is listed separately.
Table 20–8. show rfdetect visible Output (continued)

Field    Description
Transmit MAC    MAC address of the rogue device that sent the 802.11 packet detected by the MP radio.
Vendor    Company that manufactures or sells the rogue device.
Type    Classification of the rogue device:
    ❑ rogue—Wireless device that is on the network but is not supposed to be on the network.
    ❑ intfr—Wireless device that is not part of your network and is not a rogue, but might be causing RF interference with MP radios.
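The Flags column in the show rfdetect mobility-domain display packs the device mode and cipher into six characters. The following Python sketch is an added example, not Trapeze code: it decodes that column using the legend printed in the output and lists the entries an operator would want to look at first. The review policy in triage(), the own_ssids parameter, the fnmatch-style glob matching, and every sample row except the first two are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Legend copied from the "Flags:" line of the show rfdetect mobility-domain output.
FLAG_MEANING = {
    "i": "infrastructure", "a": "ad-hoc", "u": "unresolved",
    "c": "CCMP", "t": "TKIP",
    "1": "104-bit WEP", "4": "40-bit WEP", "w": "WEP(non-WPA)",
}
WEP_FLAGS = {"1", "4", "w"}

# BSSID, vendor (may contain spaces), type, six flag characters, optional SSID.
ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<vendor>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<flags>[iauct14w-]{6})(?:\s+(?P<ssid>.+))?$"
)

# Constructed capture: the first two rows are from this page, the rest are invented.
SAMPLE = """\
MX# show rfdetect mobility-domain
Total number of entries: 5
Flags: i = infrastructure, a = ad-hoc, u = unresolved
       c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w = WEP(non-WPA)
BSSID             Vendor       Type  Flags  SSID
----------------- ------------ ----- ------ --------------------------------
00:07:50:d5:cc:91 Cisco        intfr i----w r27-cisco1200-2
00:0a:5e:4b:4a:c0 3Com         intfr i----- public
02:00:5e:00:53:01 Unknown      rogue a----- corp-wlan
02:00:5e:00:53:02 Example Corp intfr i-t1-- guest net
02:00:5e:00:53:03 Example Corp known ic---- corp-wlan
"""


def parse_rows(text):
    """Return one dict per device row; prompt, legend and header lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        devices.append({
            "bssid": m.group("bssid").lower(),
            "vendor": m.group("vendor"),
            "type": m.group("type"),
            "flags": flags,
            "decoded": [FLAG_MEANING[c] for c in flags if c != "-"],
            "ssid": m.group("ssid") or "",
        })
    return devices


def triage(device, own_ssids=()):
    """Reasons to review an entry. This policy is an assumption, not MSS behaviour."""
    reasons = []
    flags = set(device["flags"]) - {"-"}
    if device["type"] == "rogue":
        reasons.append("classified rogue")
    if "a" in flags:
        reasons.append("ad-hoc network")
    # WEP flag present and neither CCMP nor TKIP advertised.
    if flags & WEP_FLAGS and not flags & {"c", "t"}:
        reasons.append("WEP only")
    # own_ssids holds the operator's SSIDs or globs (hypothetical input).
    if device["type"] != "known" and any(
        fnmatchcase(device["ssid"], pattern) for pattern in own_ssids
    ):
        reasons.append("own SSID on a device not classified known")
    return reasons


def review(text, own_ssids=()):
    """Map BSSID -> list of reasons, for entries with at least one reason."""
    findings = {}
    for device in parse_rows(text):
        reasons = triage(device, own_ssids)
        if reasons:
            findings[device["bssid"]] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in review(SAMPLE, own_ssids=["corp-*"]).items():
        print(bssid, "; ".join(reasons))
```

The flags are matched by character rather than by column position, so the decoder does not depend on which of the six positions a given letter occupies.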
21 File Management Commands

Use file management commands to manage system files and to display software and boot information. This chapter presents file management commands alphabetically. Use the following table to locate commands in this chapter based on their use.
Defaults  The default is all.
Access    Enabled.
History   Introduced in MSS Version 3.2.
Usage     You can create an archive located on a TFTP server or in the nonvolatile storage of the MX. If you specify a TFTP server as part of the filename, the archive is copied directly to the TFTP server and not stored locally on the MX. Use the critical option if you want to back up or restore only the system-critical files required to operate and communicate with the MX.
See Also
● set boot backup-configuration on page 496
● show boot on page 497

clear boot config

Resets to the factory default the configuration that MSS loads during a reboot.

Syntax    clear boot config
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 1.0.
Examples  The following commands back up the configuration file on an MX, reset the switch to its factory default configuration, and reboot the MX:

MX# copy configuration tftp://10.1.1.
Syntax    copy source-url destination-url
    source-url    Name and location of the file to copy. The uniform resource locator (URL) can be one of the following:
        ❑ [subdirname/]filename
        ❑ file:[subdirname/]filename
        ❑ ftp://ip-addr/[subdirname/]filename
        ❑ scp://ip-addr/[subdirname/]filename
        ❑ tftp://ip-addr/[subdirname/]filename
        ❑ tmp:filename
    For the filename, specify between 1 and 128 alphanumeric characters, with no spaces. Enter the IP address in dotted decimal notation.
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]

The following command copies system image MX020101.020 from a TFTP server to boot partition 1 in nonvolatile storage:

MX# copy tftp://10.1.1.107/MX020101.020 boot1:MX020101.020
..........................................................................................
..................success: received 9163214 bytes in 105.
Examples  The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage:

MX# copy testconfig tftp://10.1.1.1/testconfig
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
MX# delete testconfig
success: file deleted.

Examples  The following command deletes file dang_doc from subdirectory dang:

MX# delete dang/dang_doc
success: file deleted.
file:sysa_bak          12 KB      Mar 15 2005, 19:18:44
file:testback          28 KB      Apr 19 2005, 16:37:18
Total: 159 Kbytes used, 207663 Kbytes free
===============================================================================
Boot:
Filename               Size       Created
boot0:mx040100.020     9780 KB    Aug 23 2005, 15:54:08
*boot1:mx040100.
Table 21–1. Output for dir

Field    Description
Filename    Filename or subdirectory name. For files, the directory name is shown in front of the filename (for example, file:configuration). The file: directory is the root directory. For subdirectories, a forward slash is shown at the end of the subdirectory name (for example, old/ ).
load config

Warning! This command completely removes the running configuration and replaces it with the configuration contained in the file. Trapeze Networks recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration.

Loads configuration commands from a file and replaces the MX running configuration with the commands in the loaded file.

Syntax    load config [url]
    Filename.
● show config on page 499

md5

Calculates the MD5 checksum for a file in the MX nonvolatile storage.

Syntax    md5 [boot0: | boot1:]filename
    boot0: | boot1:    Boot partition into which you copied the file.
    filename    Name of the file.
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Usage     You must include the boot partition name in front of the filename. If you specify only the filename, the CLI displays a message stating that the file does not exist.
file:dangcfg           13 KB      May 16 2004, 18:30:44
dangdir/               512 bytes  May 16 2004, 17:23:44
old/                   512 bytes  Sep 23 2003, 21:58:48
Total: 33 Kbytes used, 207822 Kbytes free
===============================================================================
Boot:
Filename               Size       Created
*boot0:bload           746 KB     May 09 2004, 19:02:16
*boot0:mx030000.020    8182 KB    May 09 2004, 18:58:16
boot1:mx030000.
● show version on page 500

restore

Unzips a system archive created by the backup command and copies the files from the archive onto the switch.

Syntax    restore system [tftp:/ip-addr/]filename [all | critical] [force]
    [tftp:/ip-addr/]filename    Name of the archive file to load. The archive can be located in the MX nonvolatile storage or on a TFTP server.
    all    Restores system files and the user files from the archive.
success: restore complete.

See Also  backup on page 483

rmdir

Removes a subdirectory from nonvolatile storage.

Syntax    rmdir [subdirname]
    subdirname    Subdirectory name. Specify between 1 and 32 alphanumeric characters, with no spaces.
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 3.0.
Usage     MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it.
Examples  The following command saves the running configuration to the configuration file loaded during the most recent reboot. In this example, the filename used during the most recent reboot is configuration.

MX# save config
Configuration saved to configuration.

The following command saves the running configuration to a file named testconfig1:

MX# save config testconfig1
Configuration saved to testconfig1.
History
    Version 1.0    Command introduced
    Version 3.0    Subdirectory support added, to load a configuration file from a subdirectory
Usage     The file must be located in the MX nonvolatile storage.
Examples  The following command sets the boot configuration file to testconfig1:

MX# set boot configuration-file testconfig1
success: boot config set.
History
    Version 1.0    Command introduced
    Version 1.1    The following fields were removed because they are not applicable in 1.1:
        ❑ Last boot status
        ❑ Unpacking status
    Version 2.1    New field, Product model, added
    Version 4.
show config

Displays the configuration running on the MX.

Syntax    show config [all | cluster | local] [area area]
    area area    Configuration area.
History
    Version 1.0    Command introduced
    Version 2.1    New comment added to the comments at top of the file, to list the model number
    Version 3.0
        ❑ New options added for area:
            • radio-profile
            • rfdevice
            • service-profile
        ❑ rf-detection option removed. (Use rfdevice instead.)
    Version 4.0
        ❑ New options added for remote traffic monitoring: snoop
        ❑ rfdevice changed to rfdetect
    Version 4.1    New options added: l2acl, network-domain, and qos
    Version 4.
Examples  The following command displays version information for an MX:

MX# show version
Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 Trapeze Networks, Inc. All rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Model: MX
Hardware
    Mainboard: version 24 ; revision 3 ; FPGA version 24
    PoE board: version 1 ; FPGA version 6
Serial number 0321300013
Flash: 4.1.0.14 - md0a
Kernel: 3.0.
BootLoader:
Table 21–3. Output for show version

Field    Description
Build Information    Factory timestamp of the image file.
Label    Software version and build date.
Build Suffix    Build suffix.
Model    Build model.
Hardware    Version information for the MX motherboard and Power over Ethernet (PoE) board.
Serial number    Serial number of the MX.
Flash    Flash memory version.
Kernel    Kernel version.
BootLoader    Boot code version.
Port/AP    Port number connected to an MP.
22 Trace Commands

Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command.

Warning! Using the set trace command can have adverse effects on system performance.
Syntax    clear trace {trace-area | all}
    trace-area    Ends a particular trace process. Specify one of the following keywords to end the traces documented in this chapter:
        ❑ authorization—Ends an authorization trace
        ❑ dot1x—Ends an 802.1X trace
        ❑ authentication—Ends an authentication trace
        ❑ sm—Ends a session manager trace
    all    Ends all trace processes.
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 1.0.
Syntax    set trace authentication [ip-addr ip address] [mac-addr mac-address] [port port-num] [user username] [level level]
    ip-addr ip address    Specify an IP address in the IPv4 format.
    mac-addr mac-address    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
    port port-num    Traces a port number. Specify an MX port number between 1 and 22.
    user username    Traces a user.
History
    MSS Version 1.0    Command introduced.
    MSS Version 7.0    The option ip-addr was added.
Examples  The following command starts a trace for information for authorization for MAC address 00:01:02:03:04:05:

MX# set trace authorization mac-addr 00:01:02:03:04:05
success: change accepted.

See Also
● clear trace on page 22-503
● show trace on page 22-507

set trace dot1x

Traces 802.1X sessions.
set trace sm

Traces session manager activity.

Syntax    set trace sm [ip-addr ip address][mac-addr mac-address] [port port-num] [user username] [level level]
    ip-addr ip address    Specify an IP address in the IPv4 format.
    mac-addr mac-address    Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc).
    port port-num    Traces a port number. Specify an MX port number between 1 and 22.
    user username    Traces a user.
-------------------- ----- ----------------- ----------------- ---- -------
dot1x 5 0
sm 5 0

See Also
● clear trace on page 22-503
● set trace authentication on page 22-504
● set trace authorization on page 22-505
● set trace dot1x on page 22-506
● set trace sm on page 22-507
23 Snoop Commands

Use snoop commands to monitor wireless traffic, by using an MP as a sniffing device. The MP copies the sniffed 802.11 packets and sends the copies to an observer, typically a protocol analyzer such as Ethereal or Tethereal. (For more information, including setup instructions for the monitoring station, see the “Remotely Monitoring Traffic” section in the “Troubleshooting an MX Switch” chapter of the Trapeze Mobility System Software Configuration Guide.)
Examples  clear snoop map filter-name ap apnum radio {1 | 2}
    filter-name    Name of the snoop filter.
    ap apnum    Number of an MP to which the snoop filter is mapped.
    radio 1    Radio 1 of the MP.
    radio 2    Radio 2 of the MP. (This option does not apply to single-radio models.)
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
    observer ip-addr    Specifies the IP address of the station where the protocol analyzer is located. If you do not specify an observer, the MP radio still counts the packets that match the filter.
    snap-length num    Specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. Trapeze Networks recommends specifying a snap length of 100 bytes or less.
Defaults  No snoop filters are configured by default.
Access    Enabled.
    filter-name    Name of the snoop filter.
    ap ap-num    Number of an MP to which to map the snoop filter.
    radio 1    Radio 1 of the MP.
    radio 2    Radio 2 of the MP. (This option does not apply to single-radio models.)
Defaults  Snoop filters are unmapped by default.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Usage     You can map the same filter to more than one radio. You can map up to eight filters to the same radio.
success: filter 'snoop1' enabled

See Also
● show snoop on page 23-513
● show snoop info on page 23-513
● show snoop map on page 23-514
● show snoop stats on page 23-514

show snoop

Displays the MP radio mapping for all snoop filters.

Syntax    show snoop
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Usage     To display the mappings for a specific MP radio, use the show snoop map command.
MX# show snoop info
snoop1:
    observer 10.10.30.2 snap-length 100
    all packets
snoop2:
    observer 10.10.30.3 snap-length 100
    frame-type eq data
    mac-pair (aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66)

See Also
● clear snoop on page 23-509
● set snoop on page 23-510

show snoop map

Shows the MP radios mapped to a specific snoop filter.

Syntax    show snoop map filter-name
    filter-name    Name of the snoop filter.
Defaults  None.
Access    Enabled.
History   Introduced in MSS Version 4.0.
Usage     The MP retains statistics for a snoop filter until the filter is changed or disabled. The MP then clears the statistics.
Examples  The following command shows statistics for snoop filter snoop1:

MX# show snoop stats snoop1
Filter    AP    Radio    Rx Match    Tx Match    Dropped
===================================================================
snoop1    3     1        96          4           0

Table 23–1 describes the fields in this display.

Table 23–1.
24 System Log Commands

Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol. This chapter presents system log commands alphabetically. Use the following table to locate commands in this chapter based on their use.
set log

Enables or disables logging of MX and MP events to the MX log buffer or other logging destination and sets the level of the events logged. For logging to a syslog server only, you can also set the facility logged.
● Events at the error level and higher are logged to the MX console.
● Events at the error level and higher are logged to the MX system buffer.
● Trace logging is enabled, and debug-level output is stored in the MX trace buffer.
Access    Enabled.
History
    Version 1.0    Command introduced.
    Version 4.2    Option port added.
Usage     Using the command with only enable or disable turns logging on or off for the target at all levels.
success: change accepted.

See Also  show log config on page 24-521

set log trace mbytes

This command is deprecated in MSS Version 4.0.

show log buffer

Displays system information stored in the nonvolatile log buffer or the trace buffer.

Syntax    show log buffer [{+|-}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
    Displays the log messages in nonvolatile storage.
MX# show log buffer facility ?
Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, NET, ETHERNET, GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM, ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET, TFTP, TLS, TUNNEL, VLAN, X509, XML, MP, RAPDA, WEBVIEW, EAP, FP, STAT, SSHD, SUP, DNSD, CONFIG, BACKUP.
Syntax    show log trace [{+|-|/}number-of-messages] [facility facility-name] [matching string] [severity severity-level]
    trace    Displays the log messages in the trace buffer.
    +|-|/ number-of-messages    Displays the number of messages specified as follows:
        ❑ A positive number (for example, +100), displays that number of log entries starting from the oldest in the log.
        ❑ A negative number (for example, -100) displays that number of log entries starting from newest in the log.
6 RSSI 22 Tech DOT_11A SSID trapeze

See Also
● clear log on page 24-517
● show log config on page 24-521
25 Boot Prompt Commands

Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).

Caution Generally, boot prompt commands are used only for troubleshooting.
OFF Disables the autoboot option.
off Same effect as OFF.

Defaults The autoboot option is enabled by default.

Access Boot prompt.

History Introduced in MSS Version 1.0.

Examples The following command displays the current setting of the autoboot option:

    boot> autoboot
    The autoboot flag is on.

See Also boot on page 25-526

boot

Loads and executes a system image file.
Usage If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the show command. To change the currently active boot profile, use the change command.

Examples The following command loads system image file MX010101.020 from boot partition 1:

    boot> boot FN=MX010101.
For information about each of the boot parameters you can set, see show on page 25-534.

Examples The following command enters the configuration mode for the currently active boot profile, changes the device to boot1, and leaves the other parameters with their current settings:

    boot> change
    Changing the default configuration is not recommended.
Examples The following command creates a new boot profile in slot 1 on an MX that currently has only one boot profile, in slot 0:

    boot> create
    BOOT Index:  1
    BOOT TYPE:   c
    DEVICE:      boot1:
    FILENAME:    default
    FLAGS:       00000000
    OPTIONS:     run=nos;boot=0

See Also
● change on page 25-527
● delete on page 25-529
● next on page 25-533
● show on page 25-534

delete

Removes the currently active boot profile. (For information about boot profiles, see show on page 25-534.
Syntax dhcp [ON | on | OFF | off]

ON Enables the DHCP option.
on Same effect as ON.
OFF Disables the DHCP option.
off Same effect as OFF.

Defaults The DHCP option is disabled by default.

Access Boot prompt.

History Introduced in MSS Version 1.0.

Examples The following command displays the current setting of the DHCP option:

    boot> dhcp
    DHCP is currently enabled.

The following command disables the DHCP option:

    boot> dhcp OFF
    DHCP is currently disabled.
Usage To display the system image software versions, use the fver command. This command does not list the boot code versions. To display the boot code versions, use the version command.

Examples The following command displays all the boot code and system image files on an MX switch:

    boot> dir
    Internal Compact Flash Directory (Primary):
    MX010101.020    5523634 bytes
    BLOAD           696176 bytes
    BSTRAP          38056 bytes
    Internal Compact Flash Directory (Secondary):
    MX010101.
Syntax help [command-name]

command-name Boot prompt command.

Defaults None.

Access Boot prompt.

History Introduced in MSS Version 1.0.

Usage If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed.

Examples The following command displays detailed information for the fver command:

    boot> help fver
    fver USAGE: t3:file]
    Display the version of the specified device:filename.
See Also help on page 25-531

next

Activates and displays the boot profile in the next boot profile slot. (For information about boot profiles, see show on page 25-534.)

Syntax next

Defaults None.

Access Boot prompt.

History Introduced in MSS Version 1.0.

Usage An MX contains 4 boot profile slots, numbered 0 through 3. This command activates the boot profile in the next slot, in ascending numerical order.
    Trapeze Networks MX Bootstrap/Bootloader
    Version 1.6.5 Release
    Bootstrap  0 version: 1.17   Active
    Bootloader 0 version: 1.6.5  Active
    Bootstrap  1 version: 1.17
    Bootloader 1 version: 1.6.3
    MX Board Revision:        3.
    MX Controller Revision:   24.
    POE Board Revision:       1
    POE Controller Revision:  6
    BOOT Index:  0
    BOOT TYPE:   c
    DEVICE:      boot1:
    FILENAME:    default
    FLAGS:       00000000
    OPTIONS:     run=nos;boot=0

See Also boot on page 25-526

show

Displays the currently active boot profile.
The following is an example of a boot profile from an MXR-2 that is booted with a software image downloaded from a TFTP server. In the example, when the MXR-2 boots, it downloads a system image file called bootfile located on a TFTP server with address 172.16.0.1.

    boot> show
    BOOT Index:  0
    BOOT TYPE:   n
    DEVICE:      emac1
    FILENAME:    bootfile
    HOST IP:     172.16.0.1
    LOCAL IP:    172.16.0.21
    GATEWAY IP:  172.16.0.20
    IP MASK:     255.255.255.
    FLAGS:
    OPTIONS:
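The following Python check is an added example, not part of the Trapeze guide: it parses captured output of the boot prompt's show command and reports when a profile loads its image from a TFTP host, as in the MXR-2 example above. It assumes the capture has one LABEL: value pair per line and that only network-boot profiles carry a HOST IP field; the function names and the approved-host list are hypothetical.

```python
import ipaddress

# Field labels of a boot profile as printed by the boot prompt's show command.
LABELS = ("BOOT Index", "BOOT TYPE", "DEVICE", "FILENAME", "HOST IP",
          "LOCAL IP", "GATEWAY IP", "IP MASK", "FLAGS", "OPTIONS")

# Constructed captures built from this page's two profile examples; the layout
# (one "LABEL: value" pair per line) is an assumption about the capture.
FLASH_SAMPLE = """boot> show
BOOT Index: 1
BOOT TYPE: c
DEVICE: boot1:
FILENAME: default
FLAGS: 00000000
OPTIONS: run=nos;boot=0
"""
TFTP_SAMPLE = """boot> show
BOOT Index: 0
BOOT TYPE: n
DEVICE: emac1
FILENAME: bootfile
HOST IP: 172.16.0.1
LOCAL IP: 172.16.0.21
GATEWAY IP: 172.16.0.20
"""

def parse_boot_profile(text):
    """Return {label: value} for every known 'LABEL: value' line in text."""
    profile = {}
    for line in text.splitlines():
        for label in LABELS:
            if line.strip().startswith(label + ":"):
                profile[label] = line.strip()[len(label) + 1:].strip()
    return profile

def audit_boot_profile(profile, approved_tftp_hosts):
    """Return findings for one profile; an empty list means a local-image boot."""
    host = profile.get("HOST IP")
    if host is None:  # assumption: only network-boot profiles carry HOST IP
        return []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return [f"HOST IP {host!r} is not a valid IP address"]
    findings = [f"profile {profile.get('BOOT Index')} loads "
                f"{profile.get('FILENAME')!r} over TFTP from {addr}"]
    if addr not in {ipaddress.ip_address(h) for h in approved_tftp_hosts}:
        findings.append(f"TFTP host {addr} is not on the approved list")
    return findings
```

Run it over the show output of each of the four boot profile slots, since the next command can activate any of them.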
test

Displays or changes the state of the poweron test flag. The poweron test flag controls whether an MX performs a set of self tests prior to the boot process.

Syntax test [ON | on | OFF | off]

ON Enables the poweron test flag.
on Same effect as ON.
OFF Disables the poweron test flag.
off Same effect as OFF.

Defaults The poweron test flag is disabled by default.

Access Boot prompt.

History Introduced in MSS Version 1.0.