3Com 3CRWX120695A Command Reference Manual

Manual is about: Wireless LAN Mobility System Wireless LAN Switch and Controller

Summary of 3CRWX120695A

  • Page 1

    http://www.3com.com/ Part No. 730-9502-0072, Revision A. Published October 2004. Wireless LAN Mobility System: Wireless LAN Switch and Controller Command Reference. 3CRWX120695A, 3CRWX440095A.

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2004, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without writt...

  • Page 3: Contents

    Contents. About This Guide: conventions 17 documentation 18 documentation comments 19. 1 Using the Command-Line Interface: overview 21 CLI conventions 22 command prompts 22 syntax notation 22 text entry conventions and allowed characters 23 MAC address notation 23 IP address and mask notation 2...

  • Page 4

    3 System Service Commands: commands by usage 37 clear banner motd 38 clear history 38 clear prompt 39 clear system 39 display banner motd 40 display base-information 41 display license 41 display system 42 help 45 history 46 set banner motd 46 set confirm 47 set length 48 set license 49 set prompt...

  • Page 5: VLAN Commands

    reset port 73 set dap 73 set port 76 set port-group 76 set port name 78 set port negotiation 78 set port poe 79 set port preference 80 set port speed 81 set port trap 81 set port type ap 82 set port type wired-auth 86. 5 VLAN Commands: commands by usage 89 clear fdb 90 clear vlan 91 display fdb 92 di...

  • Page 6

    Clear ip telnet 112 clear ntp server 113 clear ntp update-interval 113 clear snmp trap receiver 114 clear summertime 115 clear system ip-address 115 clear timezone 116 display arp 117 display interface 118 display ip alias 119 display ip dns 120 display ip https 121 display ip route 123 display ip t...

  • Page 7: AAA Commands

    set ntp server 148 set ntp update-interval 149 set snmp community 149 set snmp trap 150 set snmp trap receiver 153 set summertime 153 set system ip-address 155 set timedate 156 set timezone 157 telnet 158 traceroute 159. 7 AAA Commands: commands by usage 163 clear accounting 165 clear authentication ...

  • Page 10: Stp C

    Set radio-profile preamble-length 289 set radio-profile rts-threshold 290 set radio-profile service-profile 291 set radio-profile short-retry 294 set service-profile auth-dot1x 295 set service-profile auth-fallthru 296 set service-profile auth-psk 298 set service-profile beacon 299 set service-profi...

  • Page 11: Igmp S

    Display spantree portvlancost 325 display spantree statistics 325 display spantree uplinkfast 331 set spantree 332 set spantree backbonefast 333 set spantree fwddelay 334 set spantree hello 334 set spantree maxage 335 set spantree portcost 336 set spantree portfast 337 set spantree portpri 337 set s...

  • Page 12: Security ACL Commands

    12 Security ACL Commands: security ACL commands by usage 365 clear security acl 366 clear security acl map 367 commit security acl 369 display security acl 370 display security acl hits 371 display security acl info 372 display security acl map 373 display security acl resource-usage 374 hit-sample...

  • Page 13: 802.1X Management Commands

    set server group 411 set server group load-balance 412. 15 802.1X Management Commands: commands by usage 415 clear dot1x bonded-period 416 clear dot1x max-req 417 clear dot1x port-control 417 clear dot1x quiet-period 418 clear dot1x reauth-max 418 clear dot1x reauth-period 419 clear dot1x timeout au...

  • Page 14: RF Detection Commands

    17 RF Detection Commands: commands by usage 449 clear rfdetect countermeasures mac 450 clear rfdetect ignore 451 display rfdetect countermeasures 452 display rfdetect data 453 display rfdetect ignore 455 display rfdetect mobility-domain 455 display rfdetect visible 457 set rfdetect active-scan 458 ...

  • Page 15

    display trace 483 save trace 484 set trace authentication 484 set trace authorization 485 set trace dot1x 486 set trace sm 486. 20 System Log Commands: commands by usage 489 clear log 489 display log buffer 490 display log config 492 display log trace 492 set log 494 set log trace mbytes 496 21 b o...

  • Page 16

    A Obtaining Support for Your Product: register your product 517 purchase value-added services 517 troubleshoot online 517 access software downloads 518 telephone technical support and repair 518 contact us 519. Index.

  • Page 17: About This Guide

    About This Guide. This command reference explains Mobility System Software (MSS™) command line interface (CLI) that you enter on a 3Com WX1200 wireless switch or WX4400 wireless LAN controller to configure and manage the Mobility System™ wireless LAN (WLAN). Read this reference if y...

  • Page 18

    This manual uses the following text and syntax conventions: Documentation. The MSS documentation set includes the following documents. ■ Wireless LAN Switch Manager (3WXM) Release Notes. These notes provide information about the system software release, including new features an...

  • Page 19

    ■ Wireless LAN Switch Manager Reference Manual. This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless LAN Switch Manager (3WXM). ■ Wireless LAN Switch and Controller Installation and Basic Configuration...

  • Page 20

    About This Guide.

  • Page 21: Using the Command-Line Interface

    1 Using the Command-Line Interface. This chapter discusses the 3Com Wireless Switch Manager (3WXM) command-line interface (CLI). Described are the CLI conventions (see “CLI Conventions” on page 22), editing on the command line (see “Command-Line Editing” on page 27), using the CLI help feature (...

  • Page 22

    CLI Conventions. Be aware of the following MSS CLI conventions for command entry: ■ “Command Prompts” on page 22 ■ “Syntax Notation” on page 22 ■ “Text Entry Conventions and Allowed Characters” on page 23 ■ “User Globs, MAC Address Globs, and VLAN ...

  • Page 24

    IP address and mask notation. MSS displays IP addresses in dotted decimal notation — for example, 192.168.1.111. MSS makes use of both subnet masks and wildcard masks. Subnet masks. Unless otherwise noted, use classless interdomain routing (CIDR) fo...

  • Page 25

    Table 3 gives examples of user globs. MAC address globs. A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address ...

  • Page 26

    VLAN globs. A VLAN glob is a method for matching one of a set of local rules on a wireless LAN switch, known as the location policy, to one or more users. MSS compares the VLAN glob, which can optionally contain wildcard characters, against the vl...

  • Page 27

    ■ A hyphen-separated range of port numbers, with no spaces. For example: wx1200# reset port 1-3 ■ Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example: wx1200# display port status 1-3,6 Virtual LAN identification. The names of ...

  • Page 28

    History buffer. The history buffer stores the last 63 commands you entered during a terminal session. You can use the up arrow and down arrow keys to select a command that you want to repeat from the history buffer. Tabs. The MSS CLI uses the Tab ke...

  • Page 29

    Using CLI help. The CLI provides online help. To see the full range of commands available at your access level, type the help command. For example: wx1200# help commands: ------------------------------------------------------------------------- clear clear, use 'clear help' for more...

  • Page 30

    To see all the variations, type one of the commands followed by a question mark (?). For example: wx1200# display ip ? alias display ip aliases dns display dns status https display ip https route display ip route table telnet display ip telnet to ...

  • Page 31

    ■ One or more examples of the command in context, with the appropriate system prompt and response. ■ One or more related commands.

  • Page 32

    Chapter 1: Using the Command-Line Interface.

  • Page 33: Access Commands

    2 Access Commands. This chapter describes access commands used to control access to the Mobility Software System (MSS) command-line interface (CLI). Commands by usage. This chapter presents access services commands alphabetically. Use Table 5 to locate commands in this chapter based on their use. Dis...

  • Page 34

    See also ■ “enable” on page 34. enable. Places the CLI session in enabled mode, which provides access to all commands required for configuring and monitoring the system. Syntax — enable. Access — all. History — introduced in MSS version 3.0. Usage — MSS displays a passw...

  • Page 35

    set enablepass. Sets the password that provides enabled access (for configuration and monitoring) to the WX switch. Syntax — set enablepass. Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Usage — after typing the set enablepass command, press Enter. If yo...

  • Page 36

    Chapter 2: Access Commands.

  • Page 37: System Service Commands

    3 System Service Commands. Use system services commands to configure and monitor system information for a WX switch. Commands by usage. This chapter presents system services commands alphabetically. Use Table 6 to locate commands in this chapter based on their use. Table 6 system services commands...

  • Page 38

    clear banner motd. Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt for each CLI session on the wireless LAN switch. Syntax — clear banner motd. Default — none. Access — enabled. History — introduced in MSS version 3.0. Ex...

  • Page 39

    Examples — to clear the history buffer, type the following command: wx4400# clear history success: command buffer was flushed. See also ■ “history” on page 46. clear prompt. Resets the system prompt to its previously configured value. If the prompt was not configured previously, this c...

  • Page 40

    ■ location — resets the location of the WX switch to null. ■ name — resets the name of the WX switch to the default system name, which is the model number. Default — none. Access — enabled. History — introduced in MSS version 3.0. Examples — to clear the loc...

  • Page 41

    See also ■ “clear banner motd” on page 38 ■ “set banner motd” on page 46. display base-information. Provides an in-depth snapshot of the status of the wireless LAN switch, which includes details about the boot image, the version, ports, and other configuration values. This ...

  • Page 42

    Default — none. Access — all. Examples — to view the WX switch license, type the following command: wx4400# display license serial number : m8xe4ibb8db10 license number : 245 license key : wxl-076e-93e9-62da-54d8 activation key : wxa-3e04-4cc2-430d-b508 feat...

  • Page 43

    Display system 43 =============================================================================== fan status: fan1 ok fan2 ok fan3 ok temperature: temp1 ok temp2 ok temp3 ok psu status: lower power supply dc ok ac ok upper power supply missing memory: 97.04/744.03 (13%) total power over ethernet : 2...

  • Page 44

    See also ■ “clear system” on page 39 ■ “set system contact” on page 51 ■ “set system countrycode” on page 51 ■ “set system ip-address” on page 53 ■ “set system location” on page 54 ■ “set system name” on page 55. Temperature: status of temperature sensors at t...

  • Page 45

    help. Displays a list of commands that can be used to configure and monitor the WX switch. Syntax — help. Default — none. Access — all. History — introduced in MSS version 3.0. Examples — use this command to see a list of available commands. If you have restricted access, you see fewer command...

  • Page 46

    See also ■ “Using CLI Help” on page 29. history. Displays the command history buffer for the current CLI session. Syntax — history. Default — none. Access — all. History — introduced in MSS version 3.0. Examples — to show the history of your session, type the f...

  • Page 47

    Usage — type a caret (^), then the message, then another caret. Do not use the following characters with commands in which you set text to be displayed on the WX switch, such as message-of-the-day (MOTD) banners: ■ ampersand (&) ■ angle brackets (< >) ■ double quotation marks (“”) ■ numb...

  • Page 48

    MSS displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network. For example: wx4400# clear vlan red this may disrupt user connectivity. Do you wish to continue? (y/n) [n] Examples — to tu...

  • Page 49

    set license. Installs an upgrade license, for managing more MAPs. Syntax — set license license-key activation-key ■ license-key — license key, starting with WXL. You can enter the key with or without the hyphens. ■ activation-key — activation key, starting with WXA. You can enter the k...

  • Page 50

    set prompt. Changes the CLI prompt for the WX switch to a string you specify. Syntax — set prompt string ■ string — alphanumeric string up to 32 characters long. To include spaces in the prompt, you must enclose the string in double quotation marks (“”). Defa...

  • Page 51

    set system contact. Stores a contact name for the WX switch. Syntax — set system contact string ■ string — alphanumeric string up to 256 characters long, with no blank spaces. Default — none. Access — enabled. History — introduced in MSS version 3.0. To view the system contact s...

  • Page 52

    Belgium BE, Brazil BR, Canada CA, China CN, Czech Republic CZ, Denmark DK, Finland FI, France FR, Germany DE, Greece GR, Hong Kong HK, Hungary HU, Iceland IS, India IN, Ireland IE, Israel IL, Italy IT, Japan JP, Liechtenstein LI, Luxembourg LU, Malaysia MY, Mexico MX, Netherlands...

  • Page 53

    Default — the factory default country code is none. Access — enabled. History — introduced in MSS version 3.0. Usage — you must set the system country code to a valid value before using any set ap commands to configure a MAP. Examples — to set the country code to Canada, type...

  • Page 54

    Default — none. Access — enabled. History — introduced in MSS version 3.0. Examples — the following command sets the IP address of the WX switch to 192.168.253.1: wx4400# set system ip-address 192.168.253.1 success: change accepted. See also ■ “clear system”...

  • Page 55

    ■ “set system contact” on page 51 ■ “set system name” on page 55. set system name. Changes the name of the WX switch from the default system name and also provides content for the CLI prompt, if you do not specify a prompt. Syntax — set system name string ■ string — alphanumeric str...

  • Page 56

    Chapter 3: System Service Commands.

  • Page 57: Port Commands

    4 Port Commands. Use port commands to configure and manage individual ports and load-sharing port groups. Commands by usage. This chapter presents port commands alphabetically. Use Table 9 to locate commands in this chapter based on their use. Table 9. Port commands by usage. Type, Command: port type “s...

  • Page 58

    clear dap. Removes a distributed MAP. Caution: when you clear a distributed MAP, MSS ends user sessions that are using the MAP. Syntax — clear dap dap-num ■ dap-num — number of the distributed MAP(s) you want to remove. Defaults — none. Access — enabled. History — intro...

  • Page 59

    Access — enabled. History — introduced in MSS version 3.0. Examples — the following command clears all port statistics counters and resets them to 0: wx4400# clear port counters success: cleared port counters See also ■ “display port counters” on page 62 ■ “monitor port counters”...

  • Page 60

    Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Examples — the following command clears the names of ports 1 through 3: wx4400# clear port 1-3 name See also ■ “display port status” on page 66 ■ “set port name” on page 78. clear port preferenc...

  • Page 61

    clear port type. Removes all configuration settings from a port and resets the port as a network port. Caution: when you clear a port, MSS ends user sessions that are using the port. Syntax — clear port type port-list ■ port-list — list of physical ports. MSS resets and removes the...

  • Page 62

    Examples — the following command clears port 5: wx1200# clear port type 5 this may disrupt currently authenticated users. Are you sure? (y/n) [n]y success: change accepted. See also ■ “set port type ap” on page 82 ■ “set port type wired-auth” on page 86. display port co...

  • Page 63

    Display port-group 63 examples — the following command shows octet statistics for port 3: wx1200> display port counters octets port 3 port status rx octets tx octets ============================================================================= 3 up 27965420 34886544 this command’s output has the sam...

  • Page 64

    See also ■ “clear port-group” on page 59 ■ “set port-group” on page 76. display port poe. Displays status information for ports on which Power over Ethernet (PoE) is enabled. Syntax — display port poe [port-list] ■ port-list — list of physical ports. If you do not specif...

  • Page 65

    See also ■ “set port poe” on page 79. display port preference. Displays the interface preferences set on WX4400 gigabit Ethernet ports. Syntax — display port preference [port-list] ■ port-list — list of physical ports. MSS displays the preference for all the specified ports....

  • Page 66

    Examples — the following command displays the preference settings on all four ports of a WX4400 switch: wx4400# display port preference port preference =========================================================== 1 gbic 2 rj45 3 gbic 4 gbic Table 13 describes the fields...

  • Page 67

    Display port status 67 examples — the following command displays information for all ports on a wx1200 switch: wx1200# display port status port name admin oper config actual type media =============================================================================== 1 1 up up auto 100/full network 10/...

  • Page 68

    See also ■ “clear port type” on page 61 ■ “set port” on page 76 ■ “set port name” on page 78 ■ “set port negotiation” on page 78 ■ “set port speed” on page 81 ■ “set port type ap” on page 82 ■ “set port type wired-auth” on page 86. monitor port counters. Displays and con...

  • Page 69

    configured. Statistics types are displayed in the following order by default: ■ octets ■ packets ■ receive errors ■ transmit errors ■ collisions ■ receive Ethernet statistics ■ transmit Ethernet statistics. Access — all. History — introduced in MSS version 3.0. Usage — each t...

  • Page 70

    70 c hapter 4: p ort c ommands as soon as you press enter, mss clears the window and displays statistics at the top of the window. Port status rx octets tx octets =============================================================================== 1 up 27965420 34886544 ... To cycle the display to the ne...

  • Page 71

    Packets. Rx unicast: number of unicast packets received. This number does not include packets that contain errors. Rx nonunicast: number of broadcast and multicast packets received. This number does not include packets that contain errors. Tx unicast: number of unicast packets t...

  • Page 72

    See also ■ “display port counters” on page 62. Collisions. Single coll: total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network. Multiple coll: total number of frames transmitted that experienced more t...

  • Page 73

    reset port. Resets a port by toggling its link state and Power over Ethernet (PoE) state. Syntax — reset port port-list ■ port-list — list of physical ports. MSS resets all the specified ports. Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Usage — the reset...

  • Page 74

    ■ For a WX4400, you can specify a number from 1 to 256. ■ For a WX1200, you can specify a number from 1 to 30. ■ serial-id serial-id — MAP access point serial ID. The serial ID is listed on the MAP case. To show the serial ID using the CLI, use the display version deta...

  • Page 75

    802.11b/g radios in models MP-52, MP-252, and MP-262, and MP-352, is 802.11g in regulatory domains that support 802.11g, or 802.11b in regulatory domains that do not support 802.11g. MAP radios configured for 802.11g also allow associations from 802.11b clients by default. To disable supp...

  • Page 78

    set port name. Assigns a name to a port. After naming a port, you can use the port name or number in other CLI commands. Syntax — set port port name name ■ port — number of a physical port. You can specify only one port. ■ name name — alphanumeric string of up to 16 cha...

  • Page 79

    Access — enabled. History — introduced in MSS version 3.0. Usage — WX1200 10/100 Ethernet ports support half-duplex and full-duplex operation. Examples — the following command disables autonegotiation on ports 3 and 5: wx1200# set port negotiation 3,5 disable The following command en...

  • Page 80

    Examples — the following command disables PoE on ports 4 and 5, which are connected to an MAP access point: wx1200# set port poe 4,5 disable if you are enabling power on these ports, they must be connected only to approved poe devices with the correct wiring. Do you wi...

  • Page 81

    Examples — the following command sets the preference of port 2 on a WX4400 to RJ-45 (copper): wx4400# set port preference 2 rj45 See also ■ “clear port preference” on page 60 ■ “display port preference” on page 65. set port speed. Changes the speed of a port. Syntax — set port speed ...

  • Page 82

    ■ enable — enables the Telnet server. ■ disable — disables the Telnet server. Defaults — SNMP linkup and linkdown traps are disabled by default. Access — enabled. History — introduced in MSS version 3.0. Usage — the set port trap command overrides the global setting of...

  • Page 83

    country-specific regulations on the WX switch. See “set system countrycode” on page 51. For an MAP that is indirectly connected to the WX switch through an intermediate Layer 2 or Layer 3 network, use the set dap command to configure a distributed MAP. Before changing the port ty...

  • Page 85

    This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch. To manage a MAP access point on a WX4400 switch, use the set dap command to configure a distributed MAP connection on the switch. Examples — the following command sets ports 1 throu...

  • Page 87

    Examples — the following command sets port 2 for a wired authentication user: wx1200# set port type wired-auth 2 success: change accepted The following command sets port 7 for a wired authentication user and subdivides the port into three virtual ports to support three si...

  • Page 88

    Chapter 4: Port Commands.

  • Page 89: VLAN Commands

    5 VLAN Commands. Use virtual LAN (VLAN) commands to configure and manage parameters for individual port VLANs on network ports, and to display information about clients roaming within a Mobility Domain. Commands by usage. This chapter presents VLAN commands alphabetically. Use Table 19 to locate comm...

  • Page 91

    The following command clears all dynamic forwarding database entries that match all VLANs: wx4400# clear fdb dynamic success: change accepted. The following command clears all dynamic forwarding database entries that match ports 3 and 5: wx4400# clear fdb port 3,5 success: change accep...

  • Page 92

    Usage — if you do not specify a port-list, the entire VLAN is removed from the configuration. You cannot delete the default VLAN but you can remove ports from it. To remove ports from the default VLAN, use the port port-list option. Examples — the following command remo...

  • Page 93

    ■ perm — displays permanent entries. A permanent entry does not age out and remains in the database even after a reboot, reset, or power cycle. ■ static — displays static entries. A static entry does not age out, but is removed from the database after a reboot, reset, or power cycle. ...

  • Page 94

    The following command displays all entries that begin with the MAC address glob 00: wx4400# display fdb 00:* * = static entry. + = permanent entry. # = system entry. vlan tag dest mac/route des [cos] destination ports [protocol type] ---- ---- ------------------ ----- -...

  • Page 95

    Default — none. Access — all. History — introduced in MSS version 3.0. Examples — the following command displays the aging timeout period for all VLANs: wx1200# display fdb agingtime vlan 2 aging time = 600 sec vlan 1 aging time = 300 sec Because the forwarding database aging ti...

  • Page 96

    The following command lists the number of dynamic entries that the forwarding database contains: wx1200# display fdb count dynamic total matching entries = 2 See also ■ “display fdb” on page 92. display roaming station. Shows a list of the stations roaming to the wireless...

  • Page 97

    Table 21 describes the fields in the display. See also ■ “display roaming vlan” on page 97. display roaming vlan. Shows all VLANs in the Mobility Domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. Table 21 outp...

  • Page 98

    Syntax — display roaming vlan. Default — none. Access — enabled. History — introduced in MSS version 3.0. Examples — the following command shows the current roaming VLANs: wx4400# display roaming vlan vlan wx affinity ---------------- --------------- -------- vlan-cs 192...

  • Page 99

    Default — none. Access — enabled. History — introduced in MSS version 3.0. Examples — to display all tunnels from a WX switch to other WX switches in the Mobility Domain, type the following command. wx4400# display tunnel vlan local address remote address state port lvid rvid -...

  • Page 100

    Default — none. Access — all. History — introduced in MSS version 3.0. Examples — the following command displays information for VLAN burgundy: wx1200# display vlan config burgundy admin vlan tunl port vlan name status state affin port tag state ---- ---------------- -...

  • Page 102

    ■ vlan vlan-id — name or number of a VLAN of which the port is a member. The entry is added only for the specified VLAN. ■ tag tag-value — VLAN tag value that identifies a virtual port. You can specify a number from 1 through 4095. If you do not specify a tag value, an...

  • Page 103

    Default — the aging timeout period is 300 seconds (5 minutes). Access — enabled. History — introduced in MSS version 3.0. Examples — the following command changes the aging timeout period to 600 seconds for entries that match VLAN orange: wx4400# set fdb agingtime orange age 600 su...

  • Page 104

    VLAN names are case-sensitive for RADIUS authorization when a client roams to a wireless LAN switch. If the WX switch is not configured with the VLAN the client is on, but is configured with a VLAN that has the same spelling but different capitalization, authorization ...

  • Page 105

    If you do specify a tag value, 3Com recommends that you use the same value as the VLAN number. MSS does not require the VLAN number and tag value to be the same but some other switches do. Examples — the following command assigns the name beige to VLAN 11 and adds ports ...

  • Page 106

    If more than one WX switch has the highest affinity value, MSS randomly selects one of the WX switches for the tunnel. Examples — the following command changes the VLAN affinity for VLAN beige to 10: wx4400# set vlan beige tunnel-affinity 10 success: change accepted. S...

  • Page 107: IP Services Commands

    6 IP Services Commands. Use IP services commands to configure and manage IP interfaces, management services, the Domain Name Service (DNS), Network Time Protocol (NTP), and aliases, and to ping a host or trace a route. Commands by usage. This chapter presents IP services commands alphabetically. Use...

  • Page 108

    HTTPS management: “set ip https server” on page 139 “display ip https” on page 121. DNS: “set ip dns” on page 137 “set ip dns domain” on page 138 “set ip dns server” on page 138 “display ip dns” on page 120 “clear ip dns domain” on page 110 “clear ip dns server” o...

  • Page 109

    clear interface. Removes an IP interface. Syntax — clear interface vlan-id ip ■ vlan-id — VLAN name or number. Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Usage — if the interface you want to remove is configured as the system IP address, removing th...

  • Page 110

    clear ip alias. Removes an alias, which is a string that represents an IP address. Syntax — clear ip alias name ■ name — alias name. Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Examples — the following command removes the alias serve...

  • Page 111

    ■ “set ip dns domain” on page 138 ■ “set ip dns server” on page 138. clear ip dns server. Removes a DNS server from a WX switch configuration. Syntax — clear ip dns server ip-addr ■ ip-addr — IP address of a DNS server. Defaults — none. Access — enabled. History — introduced in...

  • Page 112

    ■ ip-addr/mask-length — IP address and subnet mask length in CIDR format (for example, 10.10.10.10/24). ■ gateway — IP address, DNS hostname, or alias of the next-hop router. Defaults — none. Access — enabled. History — introduced in MSS version 3.0. Examples —...

  • Page 114

    Examples — to reset the NTP interval to the default value, type the following command: wx4400# clear ntp update-interval success: change accepted. See also ■ “clear ntp server” on page 113 ■ “display ntp” on page 125 ■ “set ntp” on page 147 ■ “set ntp server” o...

  • Page 115

    Clear summertime 115 clear summertime clears the summertime setting from a wireless lan switch. Syntax — clear summertime defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — to clear the summertime setting from a wx switch, type the following command: wx1200# clear...

  • Page 116

    116 c hapter 6: ip s ervices c ommands usage — clearing the system ip address can interfere with system tasks that use the system ip address, including the following: ■ mobility domain operations ■ topology reporting for dual-homed map access points ■ default source ip address used in unsolicited co...

  • Page 117

    Display arp 117 ■ “display summertime” on page 129 ■ “display timedate” on page 130 ■ “display timezone” on page 131 display arp shows the arp table. Syntax — display arp [ip-addr] ■ ip-addr — ip address. Default — if you do not specify an ip address, the whole arp table is displayed. Usage — all. H...

  • Page 118

    118 c hapter 6: ip s ervices c ommands see also ■ “set arp” on page 133 ■ “set arp agingtime” on page 134 display interface shows the ip interfaces configured on the wireless lan switch. Syntax — display interface [vlan-id] ■ vlan-id — vlan name or number. Default — if you do not specify a vlan id, ...

  • Page 119

    Display ip alias 119 examples — the following command displays all the ip interfaces configured on a wx switch: wx4400# display interface vlan name address mask enabled state ---- --------------- --------------- --------------- ------- ----- 1 default 10.10.10.10 255.255.255.0 yes up 2 mauve 10.10.2...

  • Page 120

    120 c hapter 6: ip s ervices c ommands examples — the following command displays all the aliases configured on a wx switch: wx4400# display ip alias name ip address -------------------- -------------------- hr1 192.168.1.2 payroll 192.168.1.3 radius1 192.168.7.2 table 28 describes the fields in this...

  • Page 121

    Display ip https 121 table 29 describes the fields in this display. See also ■ “clear ip dns domain” on page 110 ■ “clear ip dns server” on page 111 ■ “set ip dns” on page 137 ■ “set ip dns domain” on page 138 ■ “set ip dns server” on page 138 display ip https shows information about the https manag...

  • Page 122

    122 c hapter 6: ip s ervices c ommands examples — the following command shows the status and port number for the https management interface to the wx switch: wx4400# display ip https https is enabled https is set to use port 443 last 10 connections: ip address last connected time ago (s) -----------...

  • Page 123

    Display ip route 123 display ip route shows the ip route table. Syntax — display ip route [destination] ■ destination — route destination ip address, in dotted decimal notation. Default — none. Access — all. History — introduced in mss version 3.0. Usage — when you add an ip interface to a vlan that...

  • Page 124

    124 c hapter 6: ip s ervices c ommands see also ■ “clear ip route” on page 111 ■ “display interface” on page 118 ■ “display vlan config” on page 99 ■ “set interface” on page 135 ■ “set ip route” on page 140 table 31 output of display ip route field description destination/mask ip address and subnet ...

  • Page 125

    Display ip telnet 125 display ip telnet shows information about the telnet management port. Syntax — display ip telnet default — none. Access — all. History — introduced in mss version 3.0. Examples — the following command shows the status and port number for the telnet management interface to the w...

  • Page 126

    126 c hapter 6: ip s ervices c ommands default — none. Access — all. History — introduced in mss version 3.0. Examples — to display ntp information for a wx switch, type the following command: wx4400> display ntp ntp client: enabled current update-interval: 20(secs) current time: fri feb 06 2004, 12...

  • Page 127

    Display snmp configuration 127 see also ■ “clear ntp server” on page 113 ■ “clear summertime” on page 115 ■ “clear timezone” on page 116 ■ “display timezone” on page 131 ■ “set ntp” on page 147 ■ “set ntp server” on page 148 ■ “set summertime” on page 153 ■ “set timezone” on page 157 display snmp co...

  • Page 128

    128 c hapter 6: ip s ervices c ommands examples — to display snmp settings on a wx switch, type the following command: wx1200# display snmp configuration snmp agent is enabled system name: wx1200 system location: system contact: trap name enabled ---------------------------------- ------- linkdowntr...

  • Page 129

    Display summertime 129 see also ■ “set ip snmp server” on page 142 ■ “set port trap” on page 81 ■ “set snmp community” on page 149 ■ “set snmp trap” on page 150 ■ “set snmp trap receiver” on page 153 ■ “set system contact” on page 51 ■ “set system location” on page 54 ■ “set system name” on page 55 ...

  • Page 130

    130 c hapter 6: ip s ervices c ommands examples — to display the summertime setting on a wx switch, type the following command: wx1200# display summertime summertime is enabled, and set to 'pdt'. Start : sun apr 04 2004, 02:00:00 end : sun oct 31 2004, 02:00:00 offset : 60 minutes recurring : yes, s...

  • Page 131

    Display timezone 131 ■ “display summertime” on page 129 ■ “display timezone” on page 131 ■ “set summertime” on page 153 ■ “set timedate” on page 156 ■ “set timezone” on page 157 display timezone shows the time offset for the real-time clock from utc on a wireless lan switch. Syntax — display timezon...

  • Page 133

    Set arp 133 examples — the following command pings a wx switch that has ip address 10.1.1.1: wx1200# ping 10.1.1.1 ping 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data. 64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.628 ms 64 byte...

  • Page 134

    134 c hapter 6: ip s ervices c ommands examples — the following command adds a static arp entry that maps ip address 10.10.10.1 to mac address 00:bb:cc:dd:ee:ff: wx1200# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on vlan 1 see also ■ “set arp aging...

  • Page 137

    Access — enabled. History — introduced in mss version 3.0. Examples — the following command configures the alias hr1 for ip address 192.168.1.2: wx4400# set ip alias hr1 192.168.1.2 success: change accepted. See also ■ “clear ip alias” on page 110 ■ “display ip alias” on page 119 set i...

  • Page 138

    138 c hapter 6: ip s ervices c ommands set ip dns domain configures a default domain name for dns queries. The wireless lan switch appends the default domain name to domain names or hostnames you enter in commands. Syntax — set ip dns domain name ■ name — domain name of between 1 and 64 alphanumeric...

  • Page 141

    Set ip route 141 defaults — the https server is enabled by default. Access — enabled. Usage — mss can use a static route only if a direct route in the route table resolves the static route. Mss adds routes with next-hop types local and direct when you add an ip interface to a vlan, if the vlan is up...

  • Page 142

    The following command adds an explicit route from a wx switch to any host on the 192.168.4.x subnet through the local router 10.5.4.2, and gives the route a cost of 1: wx4400# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1 success: change accepted. The follo...

  • Page 143

    Set ip ssh 143 ■ “set snmp trap” on page 150 ■ “set snmp trap receiver” on page 153 set ip ssh changes the tcp port number on which a wireless lan switch listens for secure shell (ssh) management traffic. Caution: if you change the ssh port number from an ssh session, mss immediately ends the sessio...

  • Page 144

    144 c hapter 6: ip s ervices c ommands default — the absolute timeout is disabled by default. 3com recommends using the idle timeout instead to close unused sessions. Access — enabled. History — introduced in mss version 3.0. Usage — if the idle timeout is disabled, mss changes the default absolute ...

  • Page 145

    Set ip ssh server 145 examples — the following command changes the idle timeout value to 20 minutes: wx4400# set ip ssh idle-timeout 20 success: idle timeout set to 20 minutes see also ■ “set ip ssh” on page 143 ■ “set ip ssh absolute-timeout” on page 143 ■ “set ip ssh server” on page 145 set ip ssh...

  • Page 146

    Set ip telnet changes the tcp port number on which a wireless lan switch listens for telnet management traffic. Caution: if you change the telnet port number from a telnet session, mss immediately ends the session. To open a new management session, you must teln...

  • Page 147

    Set ntp 147 access — enabled. Usage — the maximum number of telnet sessions supported on a wx switch is eight. If ssh is also enabled, the wx switch can have up to eight telnet or ssh sessions, in any combination, and one console session. Examples — the following command enables the telnet server on...

  • Page 148

    148 c hapter 6: ip s ervices c ommands see also ■ “clear ntp server” on page 113 ■ “clear ntp update-interval” on page 113 ■ “display ntp” on page 125 ■ “set ntp server” on page 148 ■ “set ntp update-interval” on page 149 set ntp server configures a wireless lan switch to use an ntp server. Syntax —...

  • Page 149

    Set ntp update-interval 149 set ntp update-interval changes how often mss sends queries to the ntp servers for updates. Syntax — set ntp update-interval seconds ■ seconds — number of seconds between queries. You can specify from 16 through 1,024 seconds. Default — the default ntp update interval is ...

  • Page 150

    150 c hapter 6: ip s ervices c ommands access — enabled. History — introduced in mss version 3.0. Usage — snmp community strings are passed as clear text. 3com recommends that you use strings that cannot easily be guessed by unauthorized users. Examples — the following command configures the read-wr...

  • Page 151

    Set snmp trap 151 table 35 snmp trap names name description authentraps generated when the wx switch’s snmp agent receives a bad community string. Autotuneradiochannelchangetraps generated when the autotune feature changes the channel on a radio. Autotuneradiopowerchangetraps generated when the auto...

  • Page 152

    152 c hapter 6: ip s ervices c ommands default — all traps are disabled by default. Access — enabled. History — introduced in mss version 3.0. Usage — you can enable or disable the linkup and linkdown traps on an individual port basis with the set port trap command. The individual port setting overr...

  • Page 153

    Set snmp trap receiver 153 ■ “set ip snmp server” on page 142 ■ “set snmp community” on page 149 ■ “set snmp trap receiver” on page 153 set snmp trap receiver adds an ip address to the snmp trap receiver table. Syntax — set snmp trap receiver ip-addr ■ ip-addr — ip address of the trap receiver, in d...

  • Page 154

    154 c hapter 6: ip s ervices c ommands ■ start — start of the time change period. ■ week — week of the month to start or end the time change. Valid values are first, second, third, fourth, or last. ■ weekday — day of the week to start or end the time change. Valid values are sun, mon, tue, wed, thu,...

  • Page 155

    Set system ip-address 155 ■ “display summertime” on page 129 ■ “display timedate” on page 130 ■ “display timezone” on page 131 ■ “set timedate” on page 156 ■ “set timezone” on page 157 set system ip-address configures the system ip address. The system ip address determines the interface or source ip...

  • Page 156

    156 c hapter 6: ip s ervices c ommands see also ■ “clear system ip-address” on page 115 ■ “display system” on page 42 ■ “set interface” on page 135 set timedate sets the time of day and date on the wireless lan switch. Syntax — set timedate {date mmm dd yyyy [time hh:mm:ss]} ■ date mmm dd yyyy — sys...

  • Page 157

    Set timezone 157 ■ “display summertime” on page 129 ■ “display timedate” on page 130 ■ “display timezone” on page 131 ■ “set summertime” on page 153 ■ “set timezone” on page 157 set timezone sets the number of hours, and optionally the number of minutes, that the wireless lan switch’s real-time cloc...

  • Page 159

    Traceroute 159 wx1200-remote> display vlan admin vlan tunl port vlan name status state affin port tag state ---- ---------------- ------ ----- ----- ---------------- ----- ----- 1 default up up 5 3 none up 3 red up up 5 10 backbone up up 5 1 none up 2 none up when the administrator presses ctrl+t to...

  • Page 160

    160 c hapter 6: ip s ervices c ommands ■ ttl hops — maximum number of hops, which can be from 1 through 255. ■ wait ms — probe wait in milliseconds. You can specify from 1 through 100,000. Defaults ■ dnf — disabled ■ no-dns — disabled ■ port — 33434 ■ queries — 3 ■ size — 38 ■ ttl — 30 ■ wait — 5000...

  • Page 161

    Traceroute 161 hop count of 0 or 1. This can occur if the destination uses the maximum hop count value from the arriving packet as the maximum hop count in its icmp reply. The reply does not arrive at the source until the destination receives a traceroute packet with a maximum hop count equal to the...

  • Page 163: Aaa C

    7 aaa c ommands use authentication, authorization, and accounting (aaa) commands to provide a secure network connection and a record of user activity. Location policy commands override any virtual lan (vlan) or security acl assignment by aaa or the local wx database to help you control access locall...

  • Page 164

    164 c hapter 7: aaa c ommands local authorization for password users “set user” on page 217 “clear user” on page 176 “set user attr” on page 218 “clear user attr” on page 177 “set usergroup” on page 219 “clear usergroup” on page 178 “set user group” on page 219 “clear user group” on page 177 “clear ...

  • Page 166

    166 c hapter 7: aaa c ommands specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (for de...

  • Page 167

    Clear authentication dot1x 167 defaults — none. Access — enabled. History — introduced in mss version 3.0. The syntax descriptions for the clear authentication commands have been separated for clarity. However, the options and behavior for the clear authentication console command are the same as in ...

  • Page 168

    168 c hapter 7: aaa c ommands to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (for details, see “user globs” on page 24.) defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — the following comman...

  • Page 169

    Clear authentication mac 169 history — introduced in mss version 3.0. Examples — the following command removes a last-resort authentication rule for wired-authentication access: wx4400# clear authentication last-resort wired see also ■ “clear authentication admin” on page 165 ■ “clear authentication...

  • Page 170

    170 c hapter 7: aaa c ommands examples — the following command removes a mac authentication rule for access to ssid thatcorp by mac addresses beginning with aa:bb:cc: wx4400# clear authentication mac ssid thatcorp aa:bb:cc:* see also ■ “clear authentication admin” on page 165 ■ “clear authentication...

  • Page 171

    Examples — the following command removes web aaa for ssid research and userglob temp*@thiscorp.com: wx4400# clear authentication web ssid research temp*@thiscorp.com see also ■ “clear authentication admin” on page 165 ■ “clear authentication console” on page 166 ■ “clear au...

  • Page 172

    172 c hapter 7: aaa c ommands see also ■ “display location policy” on page 184 ■ “set location policy” on page 203 clear mac-user removes a user profile from the local database on the wx switch, for a user who is authenticated by a mac address. (to remove a user profile in radius, see the documentat...

  • Page 173

    Clear mac-user group 173 (to remove an authorization attribute in radius, see the documentation for your radius server.) syntax — clear mac-user mac-addr attr attribute-name ■ mac-addr — mac address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. ■ attribute-...

  • Page 174

    174 c hapter 7: aaa c ommands usage — removing a mac user from a mac user group removes the group name from the user’s profile, but does not delete the user group from the local wx database. To remove the group, use clear mac-usergroup. Examples — the following command deletes the user profile for a...

  • Page 175

    Clear mac-usergroup attr 175 see also ■ “clear mac-usergroup attr” on page 175 ■ “display aaa” on page 180 ■ “set mac-usergroup attr” on page 213 clear mac-usergroup attr removes an authorization attribute from a mac user group in the local database on the wx switch, for a group of users who are aut...

  • Page 176

    176 c hapter 7: aaa c ommands clear mobility-profile removes a mobility profile entirely. Syntax — clear mobility-profile name ■ name — name of an existing mobility profile. Defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — the following command removes the mobil...

  • Page 177

    Clear user attr 177 examples — the following command deletes the user profile for user nin: wx4400# clear user nin success: change accepted. See also ■ “display aaa” on page 180 ■ “set user” on page 217 clear user attr removes an authorization attribute from the user profile in the local database on...

  • Page 178

    178 c hapter 7: aaa c ommands (to remove a user from a user group in radius, see the documentation for your radius server.) syntax — clear user username group ■ username — username of a user with a password. Defaults — none. Access — enabled. History — introduced in mss version 3.0. Usage — removing...

  • Page 179

    Clear usergroup attr 179 history — introduced in mss version 3.0. Usage — removing a user group from the local wx database does not remove the user profiles of the group’s members from the database. Examples — the following command deletes the cardiology user group from the local database: wx4400# c...

  • Page 180

    180 c hapter 7: aaa c ommands see also ■ “clear usergroup” on page 178 ■ “display aaa” on page 180 ■ “set usergroup” on page 219 display aaa displays all current aaa settings. Syntax — display aaa defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — to display all c...

  • Page 181

    user nin password = 082c6c64060b (encrypted) filter-id = acl-999.in filter-id = acl-999.out user last-resort-guestssid vlan-name = k2 user last-resort-any vlan-name = foo mac-user 01:02:03:04:05:06 usergroup eastcoasters session-timeout = 99 table 38 describes the fields that can app...

  • Page 183

    Display accounting statistics 183 defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — to display the locally stored accounting records, type the following command: wx4400# display accounting statistics sep 26 11:01:48 acct-status-type=start acct-authentic=2 user-na...

  • Page 185

    Examples — the following command displays the list of location policy rules in the location policy on a wx switch: wx4400 display location policy id clauses ---------------------------------------------------------------- 1) deny if user eq *.theirfirm.com 2) permit vla...

  • Page 188

    188 c hapter 7: aaa c ommands specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character — either an at sign (@) or a period (.). (for d...

  • Page 189

    Set authentication admin 189 examples — the following command issues stop-only records to the radius server group sg2 for network user nin, who is authenticated by 802.1x: wx4400# set accounting dot1x nin stop-only sg2 success: change accepted. See also ■ “clear accounting” on page 165 ■ “display ac...

  • Page 190

    190 c hapter 7: aaa c ommands the authentication method none you can specify for administrative access is different from the fallthru authentication type none, which applies only to network access. The authentication method none allows access to the wx switch by an administrator. The fallthru authen...

  • Page 191

    Set authentication console 191 examples — the following command configures administrator jose, who connects via telnet, for authentication on radius server group sg3: wx4400# set authentication admin jose sg3 success: change accepted. See also ■ “clear authentication admin” on page 165 ■ “display aa...

  • Page 192

    192 c hapter 7: aaa c ommands ■ none — for users with administrative access only, mss performs no authentication, but prompts for a username and password and accepts any combination of entries, including blanks. The authentication method none you can specify for administrative access is different fr...

  • Page 193

    Set authentication dot1x 193 examples — to set the console port so that it does not enforce username-password authentication for administrators, type the following command: wx4400# set authentication console * none success: change accepted. See also ■ “clear authentication console” on page 166 ■ “di...

  • Page 194

    194 c hapter 7: aaa c ommands ■ protocol — protocol used for authentication. Specify one of the following: ■ eap-md5 — extensible authentication protocol (eap) with message-digest algorithm 5. For wired authentication clients: uses challenge-response to compare hashes provides no encryption or integ...

  • Page 195

    Set authentication dot1x 195 ■ local — uses the local database of usernames and user groups on the wx switch for authentication. ■ server-group-name — uses the defined group of radius servers for authentication. You can enter up to four names of existing radius server groups as methods. Radius serve...

  • Page 196

    196 c hapter 7: aaa c ommands however, if local appears first, followed by a radius server group, mss overrides any failed searches in the local wx database and sends an authentication request to the server group. If the user does not support 802.1x, mss attempts to perform mac authentication for th...

  • Page 198

    198 c hapter 7: aaa c ommands wireless access to an ssid, specify the ssid name or specify any to match on all ssid names. If the rule is for wired access, specify wired instead of an ssid name. If you specify multiple authentication methods in the set authentication last-resort command, mss applies...

  • Page 199

    Set authentication mac 199 see also ■ “clear authentication last-resort” on page 168 ■ “display aaa” on page 180 ■ “set authentication admin” on page 189 ■ “set authentication console” on page 191 ■ “set authentication dot1x” on page 193 ■ “set authentication mac” on page 199 ■ “set authentication w...

  • Page 200

    200 c hapter 7: aaa c ommands defaults — by default, authentication is deactivated for all mac users, which means mac address authentication fails by default. When using radius for authentication, a mac user’s mac address is also used as the authorization password for that user, and no global author...

  • Page 201

    Set authentication web 201 see also ■ “clear authentication mac” on page 169 ■ “display aaa” on page 180 ■ “set authentication admin” on page 189 ■ “set authentication console” on page 191 ■ “set authentication dot1x” on page 193 ■ “set authentication last-resort” on page 197 ■ “set authentication w...

  • Page 202

    202 c hapter 7: aaa c ommands ■ server-group-name — uses the defined group of radius servers for authentication. You can enter up to four names of existing radius server groups as methods. Radius servers cannot be used with the eap-tls protocol. For more information, see “usage.” defaults — by defau...

  • Page 203

    Set location policy 203 the fallthru method is web. (for a wireless authentication rule, the fallthru method is specified by the set service-profile auth-fallthru command. For a wired authentication rule, the fallthru method is specified by the auth-fall-thru option of the set port type wired-auth c...

  • Page 204

    204 c hapter 7: aaa c ommands ■ permit — allows access to the network or to a specified vlan, and/or assigns a particular security acl to users with characteristics that match the location policy rule. ■ vlan vlan-name — name of an existing vlan to assign to users with characteristics that match the...

  • Page 205

    Set location policy 205 ■ before rule-number — inserts the new location policy rule in front of another rule in the location policy. Specify the number of the existing location policy rule. (to determine the number, use the display location policy command.) ■ modify rule-number — replaces the rule i...

  • Page 206

    Use outacl outacl-name to filter traffic sent from the switch to users via an map access port or wired authentication port, or from the network via a network port. You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they match the name...

  • Page 207

    Set mac-user attr 207 (to configure a mac user profile in radius, see the documentation for your radius server.) syntax — set mac-user mac-addr [group group-name] ■ mac-addr — mac address of the user, in hexadecimal numbers separated by colons (:). You can omit leading zeros. ■ group-name — name of ...

  • Page 208

    ■ attribute-name value — name and value of an attribute you are using to authorize the mac user for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to local users, see table 40.

  • Page 209

    Set mac-user attr 209 table 40 authentication attributes for local users attribute description valid value(s) encryption-type type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected. One of the following numbers that identifies ...

  • Page 210

    filter-id inbound or outbound acl to apply to the user. If configured in the wx switch’s local database, this attribute can be an access control list (acl) to filter outbound or inbound traffic. Use the following format: filter-id inboundacl.in or filter-id outboundacl....

  • Page 211

    Set mac-user attr 211 service-type type of access the user is requesting. One of the following numbers: 2—framed; for network user access 6—administrative; for administrative access to the wx switch, with authorization to access the enabled (configuration) mode. The user must enter the enable comman...

  • Page 212

    212 c hapter 7: aaa c ommands defaults — none. Time-of-day (network access mode only) day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user’s session can last until either the time-of-day range or the session-timeout duration (if set) expires, w...

  • Page 213

    Set mac-usergroup attr 213 access — enabled. History — introduced in mss version 3.0. Usage — to change the value of an attribute, enter set mac-user attr with the new value. To delete an attribute, use clear mac-user attr. You cannot set the filter-id attribute in the local database. Examples — the...

  • Page 214

    214 c hapter 7: aaa c ommands or session characteristic. (for a list of authorization attributes, see table 40 on page 209.) defaults — none. Access — enabled. History — introduced in mss version 3.0. Usage — to change the value of an attribute, enter set mac-usergroup attr with the new value. To de...

  • Page 215

    Set mobility-profile 215 ■ dap-num — list of distributed map connections through which any user assigned this profile is allowed access. The same distributed map can be used in multiple mobility profile port lists. Defaults — no default mobility profile exists on the wx switch. If you do not assign ...

  • Page 216

    216 c hapter 7: aaa c ommands the following command adds port 3 to the magnolia mobility profile (which is already assigned to port 2): wx1200# set mobility-profile name magnolia port 3 success: change accepted. See also ■ “clear mobility-profile” on page 176 ■ “display mobility-profile” on page 185...

  • Page 217

    Set user 217 see also ■ “clear mobility-profile” on page 176 ■ “display mobility-profile” on page 185 ■ “set mobility-profile” on page 214 set user configures a user profile in the local database on the wx switch for a user with a password. (to configure a user profile in radius, see the documentati...

  • Page 218

    218 c hapter 7: aaa c ommands see also ■ “clear user” on page 176 ■ “display aaa” on page 180 set user attr configures an authorization attribute in the local database on the wx switch for a user with a password. (to assign authorization attributes in radius, see the documentation for your radius se...

  • Page 219

    Set user group 219 set user group adds a user to a user group. The user must have a password and a profile that exists in the local database on the wx switch. (to configure a user in radius, see the documentation for your radius server.) syntax — set user username group group-name ■ username — usern...

  • Page 220

    220 c hapter 7: aaa c ommands ■ attribute-name value — name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic. For a list of authorization attributes and values that you can assign to users, see table 40 on page 209. Defaul...

  • Page 221

    Set web-aaa 221 usage — this command disables or reenables support for web aaa. However, to provide web aaa services to users when web aaa support is enabled, the following items must be configured: users must be configured on radius servers or locally in the local database (using the set user comma...

  • Page 223: Obility

    8 m obility d omain c ommands use mobility domain commands to configure and manage mobility domain groups. A mobility domain is a system of wx switches and map access points working together to support a roaming user (client). One wx switch acts as a seed switch, which maintains and distributes a li...

  • Page 224

    224 c hapter 8: m obility d omain c ommands syntax — clear mobility-domain defaults — none. Access — enabled. History — introduced in mss version 3.0. Usage — this command has no effect if the wx switch is not configured as part of a mobility domain. Examples — to clear a mobility domain from a wx s...

  • Page 225

    Display mobility-domain config 225 examples — the following command clears a mobility domain member with the ip address 192.168.0.1: wx1200# clear mobility-domain member 192.168.0.1 see also ■ “set mobility-domain member” on page 226 display mobility-domain config displays the configuration of the m...

  • Page 226

    226 c hapter 8: m obility d omain c ommands examples — to display mobility domain status, type the following command: wx4400# display mobility-domain status mobility domain name: pleasanton member state status --------------- ------------- -------------- 192.168.253.11 state_up member 192.168.253.12...

  • Page 227

    Set mobility-domain mode member seed-ip 227 defaults — none. Access — enabled. History — introduced in mss version 3.0. Usage — this command must be entered from the seed wx switch. Examples — the following commands add three wx switches with the ip addresses 192.168.1.8, 192.168.1.9, and 192.168.1....

  • Page 228

    228 Chapter 8: Mobility Domain Commands WX4400# set mobility-domain mode member seed-ip 192.168.1.8 mode is: member seed ip is: 192.168.1.8 See also ■ “clear mobility-domain” on page 223 ■ “display mobility-domain config” on page 225 set mobility-domain mode seed domain-name Creates a Mobility D...

  • Page 229: Managed

    9 Managed Access Point Commands Use MAP access point commands to configure and manage MAP access points. Be sure to do the following before using the commands: ■ Define the country-specific IEEE 802.11 regulations on the WX switch. (See “set system countrycode” on page 51.) ■ Install the MAP acc...

  • Page 230

    230 Chapter 9: Managed Access Point Commands “set service-profile ssid-type” on page 307 “set service-profile beacon” on page 299 Radio properties “set radio-profile 11g-only” on page 275 “set radio-profile beacon-interval” on page 282 “set radio-profile rts-threshold” on page 290 “set radio-pr...

  • Page 233

    Clear radio-profile 233 ■ Removes the radio from its radio profile and places the radio in the default radio profile. This command does not affect the PoE setting. Examples — The following command disables and resets radio 2 on the MAP access point connected to port 3: WX1200# clear ap 3 radio 2 see...

  • Page 234

    234 Chapter 9: Managed Access Point Commands History — Introduced in MSS Version 3.0. Usage — If you specify a parameter, the setting for the parameter is reset to its default value. The settings of the other parameters are unchanged and the radio profile remains in the configuration. If you do...

  • Page 236

    236 Chapter 9: Managed Access Point Commands AP model MAP access point model number. PoE PoE state on the WX port: ■ enable ■ disable Bias Bias of the WX connection to the MAP: ■ high ■ low Name MAP access point name. Boot-download-enable State of the firmware upgrade option: ■ yes (automatic ...

  • Page 244

    244 Chapter 9: Managed Access Point Commands Examples — The following command displays the status of a Distributed MAP: WX4400# display dap status 1 dap: 1, ip-addr: 10.2.34.56 (vlan 'default'), map model: ap2750, manufacturer: 3com, name: dap1 ==================================================...

  • Page 247

    Display auto-tune attributes 247 ■ radio 2 — Shows RF attribute information for radio 2. (This option does not apply to single-radio models.) ■ radio all — Shows RF attribute information for both radios. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. Examples — The followi...

  • Page 249

    Display auto-tune neighbors 249 Information is displayed for a radio if the radio sends beacon frames or responds to probe requests. Even if a radio’s SSIDs are unadvertised, 3Com radios detect the empty beacon frames (beacon frames without SSIDs) sent by the radio, and include the radio in the neig...

  • Page 251

    Display dap global 251 The following command displays connection information specifically for a Distributed MAP with serial ID m9de48b6ead00: WX1200# display dap connection serial-id m9de48b6ead00 total number of entries: 1 dap serial id dap ip address wx ip address --- ----------- --------------- -...

  • Page 252

    252 Chapter 9: Managed Access Point Commands Usage — To show information only for Distributed MAPs that have active connections, use the display dap connection command. Examples — The following command displays configuration information for all Distributed MAPs configured on WX switches in the ...

  • Page 255

    Display radio-profile 255 short retry limit: 5 long retry limit: 5 long preamble: no allow 802.11g clients only: no tune channel: no tune power: no tune channel interval: 3600 tune power interval: 600 client backoff timer: 10 channel holddown: 300 service profiles: default-dot1x, default-clear table...

  • Page 256

    256 Chapter 9: Managed Access Point Commands Allow 802.11g clients only Indicates whether the 802.11b/g radios in the radio profile restrict associations to 802.11g clients only: ■ no — 802.11b/g radios allow associations with both 802.11b and 802.11g clients. ■ no — 802.11b/g radios allow asso...

  • Page 257

    Display service-profile 257 See also ■ “set radio-profile 11g-only” on page 275 ■ “set radio-profile auto-tune channel-config” on page 276 ■ “set radio-profile auto-tune channel-holddown” on page 277 ■ “set radio-profile auto-tune channel-interval” on page 278 ■ “set radio-profile auto-tune power-ba...

  • Page 258

    258 Chapter 9: Managed Access Point Commands WX4400# display service-profile wpa_clients ssid-name: private ssid-type: crypto beacon: yes auth-fallthru: web-auth wep key 1 value: wep key 2 value: wep key 3 value: wep key 4 value: wep unicast index: 1 wep multicast index: 1 shared key auth: no w...

  • Page 259

    Display service-profile 259 WEP key 1 value State of static WEP key number 1. Radios can use this key to encrypt traffic with static Wired-Equivalent Privacy (WEP): ■ none — The key is not configured. ■ preset — The key is configured. Note: The WEP parameters apply to traffic only on the encrypted s...

  • Page 260

    260 Chapter 9: Managed Access Point Commands See also ■ “set service-profile auth-dot1x” on page 295 ■ “set service-profile auth-fallthru” on page 296 ■ “set service-profile auth-psk” on page 298 ■ “set service-profile beacon” on page 299 ■ “set service-profile cipher-ccmp” on page 299 ■ “set s...

  • Page 262

    262 Chapter 9: Managed Access Point Commands If the bias for all connections is the same, the MAP selects the switch that has the greatest capacity to add more active MAPs. For example, if a MAP is dual homed to two WX4400 wireless LAN switches, and one of the switches has 50 active MAPs while ...

  • Page 264

    264 Chapter 9: Managed Access Point Commands Examples — The following command configures an MAP access point group named loadbalance1 that contains the MAP access points on ports 1, 3, and 5: WX1200# set ap 1,3,5 group loadbalance1 success: change accepted. The following command removes the MAP...

  • Page 268

    268 Chapter 9: Managed Access Point Commands The interval is 1000 packets. If more than the specified percentage of packets within a group of 1000 packets received by the radio are retransmissions, the radio increases power. When the percentage of retransmissions exceeds the max-retransmissions...

  • Page 272

    272 Chapter 9: Managed Access Point Commands Access — Enabled. History — Introduced in MSS Version 3.0. Usage — To enable or disable one or more radios to which a profile is assigned, use the set ap radio radio-profile command. To enable or disable all radios that use a specific radio profile, ...

  • Page 274

    274 Chapter 9: Managed Access Point Commands ■ tx-power power-level — Number of decibels in relation to 1 milliwatt (dBm). The valid values depend on the country of operation. The maximum transmit power you can configure on any 3Com radio is the maximum allowed for the country in which you plan...

  • Page 276

    276 Chapter 9: Managed Access Point Commands ■ disable — Configures radios to allow associations with 802.11g clients and 802.11b clients. Defaults — The default setting is disable. 3Com 802.11b/g radios allow associations with 802.11g and 802.11b clients by default. Access — Enabled. History — ...

  • Page 278

    278 Chapter 9: Managed Access Point Commands Syntax — set radio-profile name auto-tune channel-holddown holddown ■ name — Radio profile name. ■ holddown — Minimum number of seconds a radio must remain on its current channel setting before RF Auto-Tuning is allowed to change the channel. You can...

  • Page 279

    Set radio-profile auto-tune power-backoff-timer 279 Access — Enabled. History — Introduced in MSS Version 3.0. Usage — 3Com recommends that you use an interval of at least 300 seconds (5 minutes). RF Auto-Tuning can change a radio’s channel before the channel interval expires in response to RF anom...

  • Page 280

    280 Chapter 9: Managed Access Point Commands History — Introduced in MSS Version 3.0. A radio can increase power again if required to preserve the minimum data rate for an associated client. Examples — The following command changes the power-backoff interval for radios in radio profile rp2 to 1...

  • Page 281

    Set radio-profile auto-tune power-interval 281 When RF Auto-Tuning for power is enabled, MSS does not allow you to manually change the power level. Examples — The following command enables dynamic power tuning for radios in the rp2 radio profile: WX4400# set radio-profile rp2 auto-tune power-config ...

  • Page 283

    Set radio-profile dtim-interval 283 set radio-profile dtim-interval Changes the number of times after every beacon that each MAP radio in a radio profile sends a delivery traffic indication map (DTIM). An MAP access point sends the multicast and broadcast frames stored in its buffers to clients who ...

  • Page 284

    284 Chapter 9: Managed Access Point Commands Syntax — set radio-profile name frag-threshold threshold ■ name — Radio profile name. ■ threshold — Maximum frame length, in bytes. You can enter a value from 256 through 2346. Defaults — The default fragmentation threshold for MAP radios is 2346 byt...

  • Page 285

    Set radio-profile max-rx-lifetime 285 Access — Enabled. History — Introduced in MSS Version 3.0. Usage — You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command. Examples — The following command changes the lo...

  • Page 286

    286 Chapter 9: Managed Access Point Commands Examples — The following command changes the maximum receive threshold for radio profile rp1 to 4000 ms: WX4400# set radio-profile rp1 max-rx-lifetime 4000 success: change accepted. See also ■ “set radio-profile mode” on page 287 ■ “set radio-profile...

  • Page 287

    Set radio-profile mode 287 See also ■ “display radio-profile” on page 254 ■ “set radio-profile mode” on page 287 ■ “set radio-profile max-rx-lifetime” on page 285 set radio-profile mode Creates a new radio profile, or disables or reenables all MAP radios that are using a specific profile. Syntax — s...

  • Page 288

    288 Chapter 9: Managed Access Point Commands Access — Enabled. History — Introduced in MSS Version 3.0. Usage — If the radio profile does not already exist, MSS creates a new radio profile. Use the enable or disable option to enable or disable all the radios using a profile. To assign the profi...

  • Page 289

    Set radio-profile preamble-length 289 The following command enables the radios that use radio profile rp1: WX4400# set radio-profile rp1 mode enable The following commands disable the radios that use radio profile rp1, change the beacon interval, then reenable the radios: WX4400# set radio-profile r...

  • Page 290

    290 Chapter 9: Managed Access Point Commands or long), an 802.11b/g radio accepts and can generate 802.11b/g frames with either short or long preambles. If a client associated with an 802.11b/g radio uses long preambles for unicast traffic, the MAP access point still accepts frames with short p...

  • Page 291

    Set radio-profile service-profile 291 Usage — You must disable all radios that are using a radio profile before you can change parameters in the profile. Use the set radio-profile mode command. Examples — The following command changes the RTS threshold for radio profile rp1 to 1500 bytes: WX4400# se...

  • Page 292

    292 Chapter 9: Managed Access Point Commands auth-psk disable Does not support using a preshared key (PSK) to authenticate WPA clients. beacon enable Sends beacons to advertise the SSID managed by the service profile. cipher-ccmp disable Does not use counter with cipher block chaining message a...

  • Page 293

    Set radio-profile service-profile 293 Access — Enabled. History — Introduced in MSS Version 3.0. Usage — You must configure the service profile before you can map it to a radio profile. You can map the same service profile to more than one radio profile. You must disable all radios that use a radio ...

  • Page 294

    294 Chapter 9: Managed Access Point Commands ■ “set service-profile cipher-wep104” on page 301 ■ “set service-profile cipher-wep40” on page 302 ■ “set service-profile psk-phrase” on page 303 ■ “set service-profile psk-raw” on page 304 ■ “set service-profile rsn-ie” on page 305 ■ “set service-pr...

  • Page 295

    Set service-profile auth-dot1x 295 Examples — The following command changes the short retry threshold for radio profile rp1 to 3: WX4400# set radio-profile rp1 short-retry 3 success: change accepted. See also ■ “display radio-profile” on page 254 ■ “set radio-profile mode” on page 287 ■ “set radio-p...

  • Page 296

    296 Chapter 9: Managed Access Point Commands authentication. To use this, you must enable PSK support and configure a passphrase or key. Examples — The following command disables 802.1X authentication for WPA clients that use service profile wpa_clients: WX4400# set service-profile wpa_clients ...

  • Page 297

    Set service-profile auth-fallthru 297 ■ web-auth — Serves the user a web page from the WX switch’s nonvolatile storage for login to the SSID. Defaults — The default fallthru authentication type is web-auth. If a username does not match a userglob in an authentication rule for the SSID requested by t...

  • Page 298

    298 Chapter 9: Managed Access Point Commands See also ■ “display service-profile” on page 257 ■ “set web-aaa” on page 220 ■ “set service-profile web-aaa-form” on page 308 set service-profile auth-psk Enables preshared key (PSK) authentication of Wi-Fi Protected Access (WPA) clients by MAP radio...

  • Page 299

    Set service-profile beacon 299 set service-profile beacon Disables or reenables beaconing of the SSID managed by the service profile. A MAP radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that...

  • Page 300

    300 Chapter 9: Managed Access Point Commands ■ enable — Enables CCMP encryption for WPA clients. ■ disable — Disables CCMP encryption for WPA clients. Defaults — CCMP encryption is disabled by default. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — To use CCMP, you must also e...

  • Page 301

    Set service-profile cipher-wep104 301 Examples — The following command disables TKIP encryption in service profile sp2: WX4400# set service-profile sp2 cipher-tkip disable success: change accepted. See also ■ “set service-profile cipher-ccmp” on page 299 ■ “set service-profile cipher-wep104” on page...

  • Page 302

    302 Chapter 9: Managed Access Point Commands Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide dynamic WEP for XP clients, leave WPA disabled and use the set service-profile wep commands. To support non-WPA clients that use static WEP, you must config...

  • Page 303

    Set service-profile psk-phrase 303 When 40-bit WEP in WPA is enabled in the service profile, radios managed by a radio profile that is mapped to the service profile can also support non-WPA clients that use dynamic WEP. To support WPA clients that use 104-bit dynamic WEP, you must enable WEP with 10...

  • Page 304

    304 Chapter 9: Managed Access Point Commands Access — Enabled. History — Introduced in MSS Version 3.0. Usage — MSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal key to store in the WX switch's configuration. Neither the binary number nor the passphra...

  • Page 305

    Set service-profile rsn-ie 305 History — Introduced in MSS Version 3.0. Usage — MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS also stores the hexadecimal key in the WX switch's configuration. The binary number is never displayed in the configuration. To use PSK...

  • Page 306

    306 Chapter 9: Managed Access Point Commands Examples — The following command enables the RSN IE in service profile sprsn: WX4400# set service-profile sprsn rsn-ie enable success: change accepted. See also ■ “set service-profile cipher-ccmp” on page 299 set service-profile shared-key-auth enabl...

  • Page 307

    Set service-profile ssid-name 307 set service-profile ssid-name Configures the SSID name in a service profile. Syntax — set service-profile name ssid-name ssid-name ■ name — Service profile name. ■ ssid-name — Name of up to 32 alphanumeric characters, with no spaces. Defaults — The default SSID name...

  • Page 308

    308 Chapter 9: Managed Access Point Commands See also ■ “set service-profile ssid-name” on page 307 set service-profile tkip-mc-time Changes the length of time that MAP radios use countermeasures if two message integrity code (MIC) failures occur within 60 seconds. When countermeasures are in e...

  • Page 309

    Set service-profile web-aaa-form 309 Syntax — set service-profile name web-aaa-form url ■ name — Service profile name. ■ url — WX subdirectory name and HTML page name of the login page. Specify the full path. For example, corpa-ssid/corpa.html. Defaults — The 3Com web login page is served by default...

  • Page 310

    310 Chapter 9: Managed Access Point Commands See also ■ “copy” on page 464 ■ “dir” on page 467 ■ “display service-profile” on page 257 ■ “mkdir” on page 475 ■ “set port type wired-auth” on page 86 ■ “set service-profile auth-fallthru” on page 296 ■ “set web-aaa” on page 220 set service-profile ...

  • Page 311

    Set service-profile wep active-unicast-index 311 set service-profile wep active-unicast-index Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast frames. Syntax — set service-profile name wep active-unicast-index num ■ name — Service profile name. ■ ...

  • Page 312

    312 Chapter 9: Managed Access Point Commands number. You can use numbers or letters. ASCII characters in the following ranges are supported: ■ 0 to 9 ■ A to F ■ a to f Defaults — By default, no static WEP keys are defined. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — MSS a...

  • Page 313

    Set service-profile wpa-ie 313 Access — Enabled. History — Introduced in MSS Version 3.0. Usage — When the WPA IE is enabled, the default authentication method is 802.1X. There is no default cipher suite. You must enable the cipher suites you want the radios to support. Examples — The following comm...

  • Page 314

    314 Chapter 9: Managed Access Point Commands.

  • Page 315: Stp C

    10 STP Commands Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual LANs (VLANs) configured on a wireless LAN switch or controller, to maintain a loop-free network. STP commands by usage This chapter presents STP commands alphabetically. Use the following...

  • Page 316

    316 Chapter 10: STP Commands clear spantree portcost Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WX switch. Syntax — clear spantree portcost port-list ■ port-list — List of ports. The port cost is reset on the specified ports. D...

  • Page 317

    Clear spantree portpri 317 clear spantree portpri Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on a wireless LAN switch or controller. Syntax — clear spantree portpri port-list ■ port-list — List of ports. T...

  • Page 318

    318 Chapter 10: STP Commands ■ vlan vlan-id — VLAN name or number. MSS resets the cost for only the specified VLAN. Defaults — None. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — MSS does not change a port’s cost for VLANs other than the one(s) you specify. Examples — The foll...

  • Page 319

    Clear spantree statistics 319 History — Introduced in MSS Version 3.0. Usage — MSS does not change a port’s priority for VLANs other than the one(s) you specify. Examples — The following command resets the STP priority for port 2 in VLAN avocado: WX4400# clear spantree portvlanpri 2 vlan avocado suc...

  • Page 321

    Display spantree 321 7 1 disabled 19 128 disabled 8 1 disabled 19 128 disabled Table 60 describes the fields in this display. Table 60 Output for display spantree Field Description VLAN VLAN number. Spanning tree mode In the current software version, the mode is always PVST+, which means Per VLAN Sp...

  • Page 322

    322 Chapter 10: STP Commands See also ■ “display spantree blockedports” on page 323 display spantree backbonefast Indicates whether the STP backbone fast convergence feature is enabled or disabled. Syntax — display spantree backbonefast Defaults — None. Access — All. History — Introduced in MSS ve...

  • Page 323

    Display spantree blockedports 323 Examples — The following example shows the command output on a WX switch with backbone fast convergence enabled: WX4400# display spantree backbonefast backbonefast is enabled See also ■ “set spantree backbonefast” on page 333 display spantree blockedports Lists info...

  • Page 324

    324 Chapter 10: STP Commands display spantree portfast Displays STP uplink fast convergence information for all network ports or for one or more network ports. Syntax — display spantree portfast [port-list] ■ port-list — List of ports. If you do not specify any ports, MSS displays uplink fast conv...

  • Page 325

    Display spantree portvlancost 325 display spantree portvlancost Shows the cost of a port on a path to the STP root bridge, for each of the port’s VLANs. Syntax — display spantree portvlancost port-list ■ port-list — List of ports. Defaults — None. Access — All. History — Introduced in MSS Version 3....

  • Page 326

    326 Chapter 10: STP Commands Usage — The command displays statistics separately for each port. Examples — The following command shows STP statistics for port 1: WX4400# display spantree statistics 1 bpdu related parameters port 1 vlan 1 spanning tree enabled for vlan = 1 port spanning tree enabled...

  • Page 327

    Display spantree statistics 327 topology change timer value 0 hold timer inactive hold timer value 0 delay root port timer inactive delay root port timer value 0 delay root port timer restarted is false vlan based information & statistics spanning tree type ieee spanning tree multicast address 01-00...

  • Page 328

    328 Chapter 10: STP Commands Table 62 Output for display spantree statistics Field Description Port Port number. VLAN VLAN ID. Spanning tree enabled for VLAN State of the STP feature on the VLAN. Port spanning tree State of the STP feature on the port. State STP state of the port: ■ blocking — The...

  • Page 329

    Display spantree statistics 329 config_pending Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port. Port_inconsistency Indicates whether the port is in an inconsistent state. Config BPDU’s xmitted Number of BPDUs transmitted from the port. A number i...

  • Page 330

    330 Chapter 10: STP Commands Hold timer Status of the hold timer. This timer ensures that configured BPDUs are not transmitted too frequently through any bridge port. Hold timer value Current value of the hold timer, in seconds. Delay root port timer Status of the delay root port timer, which enab...

  • Page 331

    Display spantree uplinkfast 331 See also ■ “clear spantree statistics” on page 319 display spantree uplinkfast Shows uplink fast convergence information for one VLAN or all VLANs. Syntax — display spantree uplinkfast [vlan vlan-id] ■ vlan vlan-id — VLAN name or number. If you do not specify a VLAN, ...

  • Page 332

    332 Chapter 10: STP Commands Examples — The following command shows uplink fast convergence information for all VLANs: WX4400# display spantree uplinkfast vlan port list ------------------------------------------------------------------------ 1 1(fwd),2,3 Table 63 describes the fields in this disp...

  • Page 333

    Set spantree backbonefast 333 Examples — The following command enables STP on all VLANs configured on a WX switch: WX4400# set spantree enable success: change accepted. The following command disables STP on VLAN burgundy: WX4400# set spantree disable vlan burgundy success: change accepted. See also ...

  • Page 334

    334 Chapter 10: STP Commands See also ■ “display spantree backbonefast” on page 322 set spantree fwddelay Changes the period of time after a topology change that a WX switch which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of its configured VLANs. (The root brid...

  • Page 335

    Set spantree maxage 335 ■ vlan vlan-id — VLAN name or number. MSS changes the interval on only the specified VLAN. Defaults — The default hello timer interval is 2 seconds. Access — Enabled. History — Introduced in MSS Version 3.0. Examples — The following command changes the hello interval for all ...

  • Page 336

    336 Chapter 10: STP Commands Examples — The following command changes the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds: WX4400# set spantree maxage 15 all success: change accepted. See also ■ “display spantree” on page 320 set spantree portcost Changes the cost t...

  • Page 337

    Set spantree portfast 337 See also ■ “clear spantree portcost” on page 316 ■ “clear spantree portvlancost” on page 317 ■ “display spantree” on page 320 ■ “display spantree portvlancost” on page 325 ■ “set spantree portvlancost” on page 338 set spantree portfast Enables or disables STP port fast conv...

  • Page 338

    338 Chapter 10: STP Commands Syntax — set spantree portpri port-list priority value ■ port-list — List of ports. MSS changes the priority on the specified ports. ■ priority value — Priority value. You can specify a value from 0 (highest priority) through 255 (lowest priority). Defaults — The defau...

  • Page 339

    Set spantree portvlanpri 339 ■ vlan vlan-id — VLAN name or number. MSS changes the cost on only the specified VLAN. Defaults — The default port cost depends on the port speed: ■ 10 Mbps — The default is 100. ■ 100 Mbps — The default is 19. ■ 1000 Mbps — The default is 4. Access — Enabled. History — Int...

  • Page 340

    340 Chapter 10: STP Commands Defaults — The default STP priority for all network ports is 128. Access — Enabled. History — Introduced in MSS Version 3.0. Examples — The following command sets the priority of ports 3 and 4 to 48 on VLAN mauve: WX1200# set spantree portvlanpri 3-4 priority 48 vlan m...

  • Page 341

    Set spantree uplinkfast 341 See also ■ “display spantree” on page 320 set spantree uplinkfast Enables or disables STP uplink fast convergence on a wireless LAN switch. This feature enables a WX switch with redundant links to the network backbone to immediately switch to the backup link to the root b...

  • Page 342

    342 Chapter 10: STP Commands.

  • Page 343: Igmp S

    11 IGMP Snooping Commands Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage multicast traffic reduction on a WX. Commands by usage This chapter presents IGMP snooping commands alphabetically. Use Table 64 to locate commands in this chapter based on their u...

  • Page 344

    344 Chapter 11: IGMP Snooping Commands clear igmp statistics Clears IGMP statistics counters on one VLAN or all VLANs on a wireless LAN switch and resets them to 0. Syntax — clear igmp statistics [vlan vlan-id] ■ vlan vlan-id — VLAN name or number. If you do not specify a VLAN, IGMP statistics ar...

  • Page 345

    Display igmp 345 router information: port mrouter-ipaddr mrouter-mac type ttl ---- --------------- ----------------- ----- ----- 1 192.28.7.5 00:01:02:03:04:05 dvmrp 17 group port receiver-ip receiver-mac ttl --------------- ---- --------------- ----------------- ----- 224.0.0.2 none none none undef...

  • Page 346

    346 Chapter 11: IGMP Snooping Commands Table 65 Output for display igmp Field Description VLAN VLAN name. MSS displays information separately for each VLAN. IGMP is enabled (disabled) IGMP state. Proxy reporting Proxy reporting state. Mrouter solicitation Multicast router solicitation state. Quer...

  • Page 347

    Display igmp 347 TTL Number of seconds before this entry ages out if not refreshed. For static multicast router entries, the time-to-live (TTL) value is undef. Static multicast router entries do not age out. Group IP address of a multicast group. The display igmp receiver-table command shows the sam...

  • Page 348

    348 Chapter 11: IGMP Snooping Commands See also ■ “display igmp mrouter” on page 348 ■ “display igmp querier” on page 349 ■ “display igmp receiver-table” on page 351 ■ “display igmp statistics” on page 352 display igmp mrouter Displays the multicast routers in a WX’s subnet, on one VLAN or all vl...

  • Page 349

    Display igmp querier 349 See also ■ “display igmp mrouter” on page 348 ■ “set igmp mrouter” on page 356 display igmp querier Shows information about the active multicast querier, on one VLAN or all VLANs. Queriers are listed separately for each VLAN. Each VLAN can have only one querier. Syntax — dis...

  • Page 350

    350 Chapter 11: IGMP Snooping Commands History — Introduced in MSS Version 3.0. Examples — The following command displays querier information for VLAN orange: WX1200# display igmp querier vlan orange querier for vlan orange port querier-ip querier-mac ttl ---- --------------- ----------------- --...

  • Page 351

    Display igmp receiver-table 351 See also ■ “set igmp querier” on page 362 display igmp receiver-table Displays the receivers to which a WX forwards multicast traffic. You can display receivers for all VLANs, a single VLAN, or a group or groups identified by group address and network mask. Syntax — d...

  • Page 352

    352 Chapter 11: IGMP Snooping Commands The following command lists all receivers for multicast groups 237.255.255.1 through 237.255.255.255, in all VLANs: WX1200# display igmp receiver-table group 237.255.255.0/24 vlan: red session port receiver-ip receiver-mac ttl --------------- ---- ----------...

  • Page 353

    Display igmp statistics 353 Defaults — None. Access — All. History — Introduced in MSS Version 3.0. Examples — The following command displays IGMP statistics for VLAN orange: WX1200# display igmp statistics vlan orange igmp statistics for vlan orange: igmp message type received transmitted dropped -...

  • Page 354

    354 Chapter 11: IGMP Snooping Commands Table 69 Output of display igmp statistics Field Description IGMP statistics for VLAN VLAN name. Statistics are listed separately for each VLAN. IGMP message type Type of IGMP message: ■ general-queries — General group membership queries sent by the multicas...

  • Page 356

    356 Chapter 11: IGMP Snooping Commands set igmp lmqi Changes the IGMP last member query interval timer on one VLAN or all VLANs on a wireless LAN switch. Syntax — set igmp lmqi tenth-seconds [vlan vlan-id] ■ lmqi tenth-seconds — Amount of time (in tenths of a second) that the WX waits for a respons...

  • Page 357

    Set igmp mrsol 357 ■ enable — Adds the port to the list of static multicast router ports. ■ disable — Removes the port from the list of static multicast router ports. Defaults — By default, no ports are static multicast router ports. Access — Enabled. History — Introduced in MSS Version 3.0. Usage — Y...

  • Page 358

    358 Chapter 11: IGMP Snooping Commands History — Introduced in MSS Version 3.0. Examples — The following command enables multicast router solicitation on VLAN orange: WX1200# set igmp mrsol enable vlan orange success: change accepted See also ■ “set igmp mrsol mrsi” on page 358 set igmp mrsol mrs...

  • Page 359

    set igmp oqi changes the igmp other-querier-present interval timer on one vlan or all vlans on a wx. Syntax — set igmp oqi seconds [vlan vlan-id] ■ oqi seconds — number of seconds that the wx waits for a general query to arrive before electing itself the querier. You can specify a val...

  • Page 361

    Access — enabled. History — introduced in mss version 3.0. Usage — the query interval is applicable only when the wx is querier for the subnet. For the wx switch to become the querier, the pseudo-querier feature must be enabled on the wx and the wx must have the lowest ip address am...

  • Page 362

    History — introduced in mss version 3.0. Usage — the query response interval is applicable only when the wx is querier for the subnet. For the wx to become the querier, the pseudo-querier feature must be enabled on the wx and the wx must have the lowest ip a...

  • Page 363

    Examples — the following example enables the pseudo-querier on the orange vlan: wx1200# set igmp querier enable vlan orange success: change accepted. See also ■ “display igmp querier” on page 349 set igmp receiver adds or removes a network port in the list of ports on which a w...

  • Page 364

    See also ■ “display igmp receiver-table” on page 351 set igmp rv changes the robustness value for one vlan or all vlans on a wx. Robustness adjusts the igmp timers to the amount of traffic loss that occurs on the network. Syntax — set igmp rv num [vlan vlan-i...

  • Page 365: Security

    12 Security ACL Commands. Use security acl commands to configure and monitor security access control lists (acls). Security acls filter packets to restrict or permit network usage by certain users or traffic types, and can assign to packets a class of service (cos) to define the priority of treatme...

  • Page 366

    clear security acl clears a specified security acl, an access control entry (ace), or all security acls, from the edit buffer. When used with the command commit security acl, clears the ace from the running configuration. Syntax — clear security acl {acl-name...

  • Page 367

    running configuration, and redisplay the acl configuration to display that it no longer contains acl_133: wx4400# display security acl info all acl information for all set security acl ip acl_133 (hits #1 0) --------------------------------------------------------- 1. deny...

  • Page 369

    To clear all physical ports, virtual ports, and vlans on a wx switch of the acls mapped for incoming and outgoing traffic, type the following command: wx4400# clear security acl map all success: change accepted. See also ■ “clear security acl” on page 366 ■ “display security ...

  • Page 370

    Examples — the following commands commit all the security acls in the edit buffer to the configuration, display a summary of the committed acls, and show that the edit buffer has been cleared: wx4400# commit security acl all configuration accepted wx4400# dis...

  • Page 371

    Examples — to display a summary of the committed security acls on a wx switch, type the following command: wx4400# display security acl acl table acl type class mapping ---------------------------- ---- ------ ------- acl_123 ip static port 2 in acl_133 ip static port 4...

  • Page 372

    Examples — to display the security acl hits on a wx switch, type the following command: wx4400# display security acl hits acl hit-counters index counter acl-name ----- -------------------- -------- 1 0 acl_2 2 0 acl_175 3 916 acl_123 see also ■ “hit-sample-ra...

  • Page 373

    Examples — to display the contents of all security acls committed on a wx switch, type the following command: wx4400# display security acl info all acl information for all set security acl ip acl_123 (hits #5 462) ---------------------------------------------------------...

  • Page 374

    Access — enabled. History — introduced in mss version 3.0. Examples — the following command displays the port to which security acl acl_111 is mapped: wx4400# display security acl map acl_111 acl acl_111 is mapped to: port 4 in see also ■ “clear security acl ...

  • Page 375

    Examples — to display security acl resource usage, type the following command: wx4400# display security acl resource-usage acl resources classifier tree counters ------------------------ number of rules : 2 number of leaf nodes : 1 stored rule count : 2 leaf c...

  • Page 376

    Table 71 output of display security acl resource-usage field description number of rules number of security aces currently mapped to ports or vlans. Number of leaf nodes number of security acl data entries stored in the rule tree. Stored rule count number of ...

  • Page 377

    ludef in use number of the lookup definition (ludef) table currently in use for packet handling. Default action pointer memory address used for packet handling, from which default action data is obtained when necessary. L4 global security acl mapping on the wx...

  • Page 378

    hit-sample-rate specifies the time interval, in seconds, at which the packet counter for each security acl is sampled for display. The counter counts the number of packets filtered by the security acl — or “hits.” Syntax — hit-sample-rate seconds ■ seconds — ...

  • Page 379

    results show that 916 packets matching security acl_153 were sent since the acl was mapped. wx4400# hit-sample-rate 15 wx4400# display security acl info acl_153 acl information for acl_153 set security acl ip acl_153 (hits #3 916) -------------------------------------------...

  • Page 380

    wx4400# display security acl info all editbuffer acl edit-buffer information for all set security acl ip acl_122 (aces 3, add 3, del 0, modified 0) --------------------------------------------------------- 1. permit ip source ip 20.0.1.11 0.0.0.255 destinatio...

  • Page 382

    ■ 0 or 3—best effort. Packets are queued in map forwarding queue 3. ■ 4 or 5—video. Packets are queued in map forwarding queue 2. Use cos level 4 or 5 for voice over ip (voip) packets other than spectralink voice priority (svp). ■ 6 or 7—voice. Packets are qu...

  • Page 383

    (For a complete list of tcp and udp port numbers, see www.iana.org/assignments/port-numbers.) ■ destination-ip-addr mask — ip address and wildcard mask of the network or host to which the packet is being sent. Specify both address and mask in dotted decimal notation. For more i...

  • Page 384

    ■ before editbuffer-index — inserts the new ace in front of another ace in the security acl. Specify the number of the existing ace in the edit buffer. Index numbers start at 1. (To display the edit buffer, use display security acl editbuffer.) ■ modify editb...

  • Page 385

    The following command adds an ace to acl_123 that denies packets from ip address 192.168.2.11: wx4400# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0 the following command creates acl_125 by defining an ace that denies tcp packets from source ip address 192.168.0.1 to...

  • Page 387

    See also ■ “clear security acl map” on page 367 ■ “commit security acl” on page 369 ■ “set mac-user attr” on page 207 ■ “set mac-usergroup attr” on page 213 ■ “set security acl” on page 380 ■ “set user attr” on page 218 ■ “set usergroup” on page 219 ■ “display security acl m...

  • Page 388

    Chapter 12: Security ACL Commands.

  • Page 389: Cryptography

    13 Cryptography Commands. Use cryptography commands to configure and manage certificates and public-private key pairs for system authentication. Depending on your network configuration, you must create keys and certificates to authenticate the wx switch to ieee 802.1x wireless clients for which the...

  • Page 391

    3. When mss prompts you for the pem-formatted certificate, paste the pkcs #7 object file onto the command line. Examples — the following command adds the certificate authority’s certificate to wx certificate and key storage: wx4400# crypto ca-certificate admin enter pem-encoded...

  • Page 392

    Usage — to use this command, you must already have generated a certificate request with the crypto generate request command, sent the request to the certificate authority, and obtained a signed copy of the wx switch certificate as a pkcs #7 object file. Then ...

  • Page 394

    After you type the command, you are prompted for the following variables: ■ country name string — (optional) specify the abbreviation for the country in which the wx switch is operating, in 2 alphanumeric characters with no spaces. ■ state name string — (opti...

  • Page 395

    to the certificate authority. You then send the request to the certificate authority to obtain a signed copy of the wx switch certificate as a pkcs #7 object file. Examples — to request an administrative certificate from a certificate authority, type the following com...

  • Page 396

    ■ webaaa — generates a web aaa certificate to authenticate the wx switch to web aaa clients. After you type the command, you are prompted for the following variables: ■ country name string — (optional) specify the abbreviation for the country in which the wx s...

  • Page 397

    Usage — to use this command, you must already have generated a public-private encryption key pair with the crypto generate key command. To generate a self-signed administrative certificate, type the following command: wx4400# crypto generate self-signed admin country name: state name:...

  • Page 398

    ■ admin — creates a one-time password for installing a pkcs #12 object file for an administrative certificate and key pair—and optionally the certificate authority’s own certificate—to authenticate the wx switch to 3wxm or web manager. ■ eap — creates a one-tim...

  • Page 399

    Examples — the following command creates the one-time password hap9in#ss for installing an eap certificate and key pair: wx4400# crypto generate otp eap hap9in#ss otp set see also ■ “crypto pkcs12” on page 399 crypto pkcs12 unpacks a pkcs #12 object file into the certificate and ke...

  • Page 400

    You must also have the pkcs #12 object file available. You can download a pkcs #12 object file via tftp from a remote location to the local nonvolatile storage system on the wx switch. Examples — the following commands copy a pkcs #12 object file for an eap c...

  • Page 401

    ■ webaaa — displays information about the certificate authority’s certificate that signed the web aaa certificate for the wx switch. The web aaa certificate authenticates the wx switch to web aaa clients. Defaults — none. Access — enabled. History — introduced in mss ve...

  • Page 402

    ■ eap — displays information about the eap certificate that authenticates the wx switch to 802.1x supplicants (clients). ■ webaaa — displays information about the web aaa certificate that authenticates the wx switch to web aaa clients. Defaults — none. Access...

  • Page 403: RADIUS

    14 RADIUS and Server Group Commands. Use radius commands to set up communication between a wx switch and groups of up to four radius servers for remote authentication, authorization, and accounting (aaa) of administrators and network users. Commands by usage this chapter presents radius commands ...

  • Page 405

    See also ■ “set radius” on page 407 ■ “set radius server” on page 409 ■ “display aaa” on page 180 clear radius client system-ip removes the wx switch’s system ip address from use as the permanent source address in radius client requests from the switch to its radius...

  • Page 406

    Defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — the following command removes the radius server rs42 from a list of remote aaa servers: wx4400# clear radius server rs42 success: change accepted. See also ■ “d...

  • Page 407

    To disable load balancing in a server group shorebirds, type the following command: wx4400# set server group shorebirds load-balance disable success: change accepted. See also ■ “set server group” on page 411 set radius configures global defaults for radius servers that do not explici...

  • Page 408

    History — introduced in mss version 3.0. Usage — you can specify only one parameter per command line. Examples — the following commands set the dead time to 5 minutes, the radius key to goody, the number of retransmissions to 1, and the timeout t...

  • Page 409

    Examples — the following command sets the wx system ip address as the address of the radius client: wx4400# set radius client system-ip success: change accepted. See also ■ “clear radius client system-ip” on page 405 ■ “set system ip-address” on page 53 set radius server config...

  • Page 410

    ■ key string — password (shared secret key) the wx switch uses to authenticate to the radius server. You must provide the same password that is defined on the radius server. The password can be 1 to 32 characters long, with no spaces or tabs. ■ au...

  • Page 411

    timeout interval of 30 seconds, two transmit attempts, 5 minutes of dead time, and a key string of keys4u, type the following command: wx1200# set radius server rs42 address 198.162.1.1 timeout 30 retransmit 2 deadtime 5 key keys4u see also ■ “display aaa” on page 180 ■ “set aut...

  • Page 412

    Do not use the same name for a radius server and a radius server group. Examples — to set server group shorebirds with members heron, egret, and sandpiper, type the following command: wx1200# set server group shorebirds members heron egret sandpip...

  • Page 413

    Examples — to enable load balancing between the members of server group shorebirds, type the following command: wx1200# set server group shorebirds load-balance enable success: change accepted. To disable load balancing between shorebirds server group members, type ...

  • Page 414

    Chapter 14: RADIUS and Server Group Commands.

  • Page 415: 802.1X Management

    15 802.1X Management Commands. Use ieee 802.1x management commands to modify the default settings for ieee 802.1x sessions on a wx switch. For best results, change the settings only if you are aware of a problem with the wx switch’s 802.1x performance. Caution: 802.1x parameter settings are global...

  • Page 416

    clear dot1x bonded-period disables bonded auth™ (bonded authentication). The bonded period is the number of seconds mss retains session information for an authenticated machine while waiting for an 802.1x client on the machine to start (re)authentication...

  • Page 417

    See also ■ “display dot1x” on page 421 ■ “set dot1x bonded-period” on page 426 clear dot1x max-req resets to the default setting the number of extensible authentication protocol (eap) requests that the wx switch retransmits to a supplicant (client). Syntax — clear dot1x max-r...

  • Page 418

    Usage — this command is overridden by the set dot1x authcontrol command. The clear dot1x port-control command returns port control to the method configured. This command applies only to wired authentication ports. Examples — type the following command to...

  • Page 419

    Access — enabled. History — introduced in mss version 3.0. Examples — type the following command to reset the maximum number of reauthorization attempts to the default: wx4400# clear dot1x reauth-max success: change accepted. See also ■ “display dot1x” on page 421 ■ “se...

  • Page 420

    Access — enabled. History — introduced in mss version 3.0. Examples — to reset the default timeout for requests to an authentication server, type the following command: wx4400# clear dot1x timeout auth-server success: change accepted. See also ■ “display...

  • Page 421

    Defaults — the default is 5 seconds. Access — enabled. History — introduced in mss version 3.0. Examples — type the following command to reset the eapol retransmission time: wx4400# clear dot1x tx-period success: change accepted. See also ■ “display dot1x” on page 421 ■ “set dot1x ...

  • Page 422

    Examples — type the following command to display the 802.1x clients: wx4400# display dot1x clients mac address state vlan identity ------------- ------- ------ ---------- 00:20:a6:48:01:1f connecting (unknown) 00:05:3c:07:6d:7c authenticated vlan-it exam...

  • Page 423

    Type the following command to display the 802.1x configuration: wx1200# display dot1x config username protocol -------- -------- *@xmple.com passthru *@sqa.com passthru nash@sqa.com ! passthru example\* peap (mschapv2) dbc-projector\* peap (mschapv2) host/*.xmple.com passthru 802.1...

  • Page 424

    Type the following command to display 802.1x statistics: wx4400# display dot1x stats 802.1x statistic value ---------------- ----- enters connecting: 709 logoffs while connecting: 112 enters authenticating: 467 success while authenticating: 0 timeouts wh...

  • Page 426

    set dot1x bonded-period changes the bonded auth™ (bonded authentication) period, which is the number of seconds mss retains session information for an authenticated machine while waiting for the 802.1x client on the machine to start (re)authentication fo...

  • Page 429

    set dot1x quiet-period sets the number of seconds a wx remains quiet and does not respond to a supplicant after a failed authentication. Syntax — set dot1x quiet-period seconds ■ seconds — specify a value between 0 and 65,535. Defaults — the default is 60 seconds. Access —...

  • Page 430

    See also ■ “display dot1x” on page 421 ■ “set dot1x reauth-max” on page 430 ■ “set dot1x reauth-period” on page 430 set dot1x reauth-max sets the number of reauthentication attempts that the wx switch makes before the supplicant (client) becomes unauthor...

  • Page 431

    Defaults — the default is 3600 seconds (1 hour). Access — enabled. History — introduced in mss version 3.0. Examples — type the following command to set the number of seconds to 100 before reauthentication is attempted: wx4400# set dot1x reauth-period 100 success: d...

  • Page 432

    Syntax — set dot1x timeout supplicant seconds ■ seconds — specify a value between 1 and 65,535. Defaults — the default is 30 seconds. Access — enabled. History — introduced in mss version 3.0. Examples — type the following command to set the number of sec...

  • Page 434

    History — introduced in mss version 3.0. Examples — type the following command to set the wep-rekey period to 300 seconds: wx4400# set dot1x wep-rekey-period 300 success: dot1x wep-rekey-period set to 300 see also ■ “display dot1x” on page 421 ■ “set dot...

  • Page 435: Session

    16 Session Management Commands. Use session management commands to display and clear administrative and network user sessions. Commands by usage this chapter presents session management commands alphabetically. Use table 78 to locate commands in this chapter based on their use. Clear sessions clea...

  • Page 437

    character—either an at sign (@) or a period (.). (For details, see “user globs” on page 24.) ■ mac-addr mac-addr-glob — clears all network sessions for a mac address. Specify a mac address in hexadecimal numbers separated by colons (:), or use the wildcard character (*) to ...

  • Page 438

    To clear the sessions of users whose name begins with the characters jo, type the following command: wx1200# clear sessions network user jo* to clear the sessions of all users on vlan red, type the following command: wx1200# clear sessions network vlan...

  • Page 439

    Examples — to view information about sessions of administrative users, type the following command: wx4400> display sessions admin tty username time (s) type ------- -------------------- -------- ---- tty0 3644 console tty2 tech 6 telnet tty3 sshadmin 381 ssh 3 admin sessions to ...

  • Page 440

    Table 80 describes the fields of the display sessions telnet client display. See also ■ “clear sessions” on page 435 display sessions network displays summary or verbose information about all network sessions, or network sessions for a specified userna...

  • Page 442

    Usage — mss displays information about network sessions in three types of displays. See the following tables for field descriptions. ■ summary display — see table 81 on page 444. ■ verbose display — see table 82 on page 444. ■ display sessions network ...

  • Page 443

    (Table 81 on page 444 describes the summary displays of display sessions network commands.) The following command displays detailed (verbose) session information about user nin@example.com: wx1200# display sessions network user nin@example.com verbose user sess ip or mac...

  • Page 444

    tag: 1 session timeout: 1800 authentication method: peap, using server 10.10.70.20 session statistics as updated from ap: unicast packets in: 653 unicast bytes in: 46211 unicast packets out: 450 unicast bytes out: 50478 multicast packets in: 317 multic...

  • Page 445

    state status of the session: ■ auth, assoc req — client is being associated by the 802.1x protocol. ■ auth and assoc — client is being associated by the 802.1x protocol, and the user is being authenticated. ■ authorizing — user has been authenticated (for example, by the...

  • Page 446

    Table 83 display sessions network session-id output field description global id a unique session identifier within the mobility domain. State status of the session: ■ auth, assoc req — client is being associated by the 802.1x protocol. ■ auth and assoc...

  • Page 447

    See also ■ “clear sessions network” on page 436 session timeout assigned session timeout in seconds. Authentication method extensible authentication protocol (eap) type used to authenticate the session user, and the ip address of the authentication server. Session statis...

  • Page 448

    Chapter 16: Session Management Commands.

  • Page 449: RF Detection

    17 RF Detection Commands. Mss automatically performs rf detection scans on enabled and disabled radios to detect rogue access points. A rogue access point is a bssid (mac address associated with an ssid) that does not belong to a 3com switch and is not a member of the ignore list configured on the ...

  • Page 451

    commands, rf detection returns to the default handling of countermeasures. Consequently, the rogue you cleared can still be attacked if it is still in the rogue list. To stop countermeasures against a device, add the device to the known addresses list using the set rfdetect...

  • Page 452

    See also ■ “display rfdetect ignore” on page 455 ■ “set rfdetect ignore” on page 461 display rfdetect countermeasures displays the current status of countermeasures against rogues in the mobility domain. Syntax — display rfdetect countermeasures defaults — no...

  • Page 453

    See also ■ “clear rfdetect countermeasures mac” on page 450 ■ “set rf detect countermeasures” on page 459 ■ “set rfdetect countermeasures mac” on page 460 display rfdetect data displays all the bssids detected by an individual wx switch during an rf detection scan. The data...

  • Page 454

    Only one mac address is listed for each 3com radio, even if the radio is beaconing multiple ssids. Examples — the following command shows the devices detected by this wx switch during the most recent rf detection scan: wx1200# display rfdetect data total numb...

  • Page 455

    display rfdetect ignore displays the bssids of third-party devices that mss ignores during rf scans. Mss does not generate log messages or traps for the devices in the ignore list. Syntax — display rfdetect ignore defaults — none. Access — enabled. History — introduced in...

  • Page 456

    Examples — the following example displays information about the bssids detected in the mobility domain managed by the seed switch: wx1200# display rfdetect mobility-domain total number of entries: 3 bssid wx-ipaddr port/radio rssi ssid > radio mac /channel --...

  • Page 457

    See also ■ “display rfdetect data” on page 453 ■ “display rfdetect visible” on page 457 display rfdetect visible displays the bssids discovered by a specific 3com radio. The data includes bssids transmitted by other 3com radios as well as by third-party access points. Sy...

  • Page 458

    Examples — the following command displays the devices detected by 3com radio 00:0b:0e:00:0a:6a: wx1200# display rfdetect visible 00:0b:0e:00:0a:6a total number of entries: 4 transmit mac chan rss ----------------- -------- ------- 00:0b:0e:00:02:01 56 -74 00:...

  • Page 460

    Examples — the following command enables countermeasures for the mobility domain managed by this seed switch: wx1200# set rfdetect countermeasures enable success: countermeasures are now enabled. See also ■ “clear rfdetect countermeasures mac” on page 450 ■ “...

  • Page 461

    the mobility domain, using the set rfdetect countermeasures enable command. This command does not become part of the configuration file when you save the configuration and therefore is not reloaded if the switch is restarted. Examples — the following command begins countermea...

  • Page 462

    Examples — the following command configures mss to ignore bssid aa:bb:cc:11:22:33 during rf scans: wx1200# set rfdetect ignore aa:bb:cc:11:22:33 success: mac aa:bb:cc:11:22:33 is now ignored. See also ■ “clear rfdetect ignore” on page 451 ■ “display rfdetect ...

  • Page 463: File

    18 File Management Commands. Use file management commands to manage system files and to display software and boot information. Commands by usage this chapter presents file management commands alphabetically. Use table 89 to locate commands in this chapter based on their use. Clear boot config rese...

  • Page 464

    Defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — the following commands back up the configuration file on a wx switch, reset the switch to its factory default configuration, and reboot the switch: wx4400# copy config...

  • Page 465

    The subdirname/ option specifies a subdirectory. ■ destination-url — name of the copy and the location where to place the copy. The url can be one of the following: ■ [subdirname/]filename ■ file:[subdirname/]filename ■ tftp://ip-addr/[subdirname/]filename if you are copying a system image ...

  • Page 466

    The following command copies a file called closetwx from a tftp server to nonvolatile storage: wx4400# copy tftp://10.1.1.1/closetwx closetwx sent read request .Done the following command copies system image wxa03001.Rel from a tftp server to boot partiti...

  • Page 467

    Syntax — delete url ■ url — filename. Specify between 1 and 128 alphanumeric characters, with no spaces. If the file is in a subdirectory, specify the subdirectory name, followed by a forward slash, in front of the filename. For example: subdir_a/file_a. Defaults — none. Access — enabled. Hi...

  • Page 468

    Defaults — none. Access — enabled. History — introduced in mss version 3.0. Examples — the following command displays the files in the root directory: wx4400# dir =============================================================================== file: filena...

  • Page 469

    See also ■ “copy” on page 464 ■ “delete” on page 466 display boot displays the system image and configuration filenames used after the last reboot and configured for use after the next reboot. Syntax — display boot defaults — none. Access — access. History — introduced in mss versio...

  • Page 470

    Table 91 describes the fields in the display boot output. See also ■ “clear boot config” on page 463 ■ “display version” on page 472 ■ “reset system” on page 476 ■ “set boot configuration-file” on page 479 display config displays the configuration running...

  • Page 471

    ■ ntp ■ portconfig ■ portgroup ■ radio-profile ■ rfdevice ■ service-profile ■ sm ■ snmp ■ spantree ■ system ■ trace ■ vlan ■ vlan-fdb if you do not specify a configuration area, nondefault information for all areas is displayed. ■ all — includes configuration items that are set to...

  • Page 472

    See also ■ “load config” on page 474 ■ “save config” on page 478 display version displays software and hardware version information for a wx switch and, optionally, for any attached map access points. Syntax — display version [details] ■ details — includ...

  • Page 473

    The following command displays additional software build information and map access point information: wx1200# display version details mobility system software, version: 3.0.1 copyright (c) 2004 3com corporation. All rights reserved. Build information: (build#168) top 2004-09-23 ...

  • Page 474

    See also ■ “display boot” on page 469 load config loads configuration commands from a file and replaces the wx switch’s running configuration with the commands in the loaded file. Caution: this command completely removes the running configuration and repl...

  • Page 475

    If you do not specify a filename, mss uses the same configuration filename that was used for the previous configuration load. For example, if the wx switch used configuration for the most recent configuration load, mss uses configuration again unless you specify a different filename. To di...

  • Page 476

    Access — Enabled. History — Introduced in MSS version 3.0. Examples — The following commands create a subdirectory called corp2 and display the root directory to verify the result: wx4400# mkdir corp2 success: change accepted. wx4400# dir ================...

  • Page 477

    Defaults — None. Access — Enabled. History — Introduced in MSS version 3.0. Usage — If you do not use the force option, the command first compares the running configuration to the configuration file. If the running configuration and configuration file do not match, MSS does not restart the...

  • Page 478

    History — Introduced in MSS version 3.0. Usage — MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from the subdirectory before attempting to remove it. Examples — The following example removes subdirectory corp2: wx44...

  • Page 479

    example, the filename used during the most recent reboot is configuration. wx4400# save config configuration saved to configuration. The following command saves the running configuration to a file named testconfig1: wx4400# save config testconfig1 configuration saved ...

  • Page 481: Trace

    19 Trace Commands. Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces, this chapter describes commands for those traces you are most likely to use. For a complete listing of the types of traces MSS allows, type the set trace ? command. Caution: Using...

  • Page 482

    Access — Enabled. History — Introduced in MSS version 3.0. Examples — To delete the trace log, type the following command: wx4400# clear log trace See also ■ “display log buffer” on page 490 ■ “set log” on page 494. clear trace: Deletes running trace commands and ends...

  • Page 483

    See also ■ “display trace” on page 483 ■ “set trace authentication” on page 484 ■ “set trace authorization” on page 485 ■ “set trace dot1x” on page 486 ■ “set trace sm” on page 486. display trace: Displays information about traces that are currently configured on the WX switch, or al...

  • Page 484

    save trace: Saves the accumulated trace data for enabled traces to a file in the WX switch’s nonvolatile storage. Syntax — save trace filename ■ filename — Name for the trace file. To save the file in a subdirectory, specify the subdirectory name, then a slash. For ex...

  • Page 485

    Examples — The following command starts a trace for information about user jose’s authentication: wx4400# set trace authentication user jose success: change accepted. See also ■ “clear trace” on page 482 ■ “display trace” on page 483. set trace authorization: Traces authori...

  • Page 486

    See also ■ “clear trace” on page 482 ■ “display trace” on page 483. set trace dot1x: Traces 802.1X sessions. Syntax — set trace dot1x [ mac-addr mac-address ] [ port port-num ] [ user username ] [ level level ] ■ mac-addr mac-address — Traces a MAC address. Specify a ...

  • Page 487

    Syntax — set trace sm [mac-addr mac-address] [port port-num] [user username] [level level] ■ mac-addr mac-address — Traces a MAC address. Specify a MAC address, using colons to separate the octets (for example, 00:11:22:aa:bb:cc). ■ port port-num — Traces on a WX port number. ■ user...

  • Page 489: System

    20 System Log Commands. Use the system log commands to record information for monitoring and troubleshooting. MSS system logs are based on RFC 3164, which defines the log protocol. Commands by usage: This chapter presents system log commands alphabetically. Use Table 94 to locate commands in this ch...

  • Page 490

    Access — Enabled. History — Introduced in MSS version 3.0. Examples — To stop sending system logging messages to a server at 192.168.253.11, type the following command: wx4400# clear log server 192.168.253.11 success: change accepted. Type the following comman...

  • Page 491

    ■ severity severity-level — Displays messages at a severity level greater than or equal to the level specified. Specify one of the following: ■ emergency — The WX switch is unusable. ■ alert — Action must be taken immediately. ■ critical — You must resolve the critical conditio...

  • Page 492

    See also ■ “clear log” on page 489 ■ “display log config” on page 492. display log config: Displays log configuration information. Syntax — display log config Defaults — None. Access — Enabled. History — Introduced in MSS version 3.0. Examples — To display how l...

  • Page 494

    History — Introduced in MSS version 3.0. Examples — Type the following command to see the facilities for which you can view event messages archived in the buffer: wx4400# display log trace facility ? Select one of: kernel, aaa, syslogd, acl, apm, arp, aso, boo...

  • Page 495

    ■ trace — Sets log parameters for trace files. ■ severity severity-level — Logs events at a severity level greater than or equal to the level specified. Specify one of the following: ■ emergency — The WX switch is unusable. ■ alert — Action must be taken immediately. ■ critical — You must...

  • Page 496

    Defaults — The following are defaults for the set log commands. ■ Events at the error level and higher are logged to the WX console. ■ Events at the error level and higher are logged to the WX system buffer. ■ Trace logging is enabled, and debug-level output i...

  • Page 497

    Examples — The following command increases the trace buffer size to 4 MB: wx4400# set log trace mbytes 4 success: change accepted. See also ■ “display log config” on page 492.

  • Page 499: Boot

    21 Boot Prompt Commands. Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process. To interrupt the boot proces...

  • Page 501

    boot: Loads and executes a system image file. Syntax — boot [bt=type] [dev=device] [fn=filename] [ha=ip-addr] [fl=num] [opt=option] [opt+=option] ■ bt=type — Boot type: ■ c — Compact flash. Boots using nonvolatile storage or a flash card. ■ n — Network. Boots using a TFTP server. ■ dev=devic...

  • Page 502

    Usage — If you use an optional parameter, the parameter setting overrides the setting of the same parameter in the currently active boot profile. However, the boot profile itself is not changed. To display the currently active boot profile, use the display co...

  • Page 503

    change: Changes parameters in the currently active boot profile. (For information about boot profiles, see “display” on page 507.) Syntax — change Defaults — The default boot type is c (compact flash). The default filename is default. The default flags setting is 0x00000000 (all flags disa...

  • Page 504

    ■ “delete” on page 505 ■ “display” on page 507 ■ “next” on page 511. create: Creates a new boot profile. (For information about boot profiles, see “display” on page 507.) Syntax — create Defaults — The new boot profile has the same settings as the currently act...

  • Page 505

    ■ “display” on page 507 ■ “next” on page 511. delete: Removes the currently active boot profile. (For information about boot profiles, see “display” on page 507.) Syntax — delete Defaults — None. Access — Boot prompt. History — Introduced in MSS version 3.0. Usage — When you type the delete...

  • Page 506

    Defaults — The diagnostic mode is disabled by default. Access — Boot prompt. History — Introduced in MSS version 3.0. Usage — Access to the diagnostic mode requires a password, which is not user configurable. Use this mode only if advised to do so by 3Com. Di...

  • Page 507

    See also ■ “fver” on page 508 ■ “version” on page 514. display: Displays the currently active boot profile. A boot profile is a set of parameters that a WX switch uses to control the boot process. Each boot profile contains the following parameters: ■ Boot type — Either compact flash (loca...

  • Page 508

    Table 96 describes the fields in the display. See also ■ “change” on page 503 ■ “create” on page 504 ■ “delete” on page 505 ■ “next” on page 511. fver: Displays the version of a system image file installed in a specific location on a WX switch. Syntax — fver {c...

  • Page 509

    ■ d: — Nonvolatile storage area containing boot partition 1 (secondary). ■ e: — Primary partition of the flash card in the flash card slot. ■ f: — Secondary partition of the flash card in the flash card slot. ■ boot0: — Boot partition 0. ■ boot1: — Boot partition 1. ■ filename — System imag...

  • Page 510

    Usage — If you specify a command name, detailed information is displayed for that command. If you do not specify a command name, all the boot prompt commands are listed. Examples — The following command displays detailed information for the fver command: boot...

  • Page 511

    Examples — To display a list of the commands available at the boot prompt, type the following command: boot> ls ls display a list of all commands and descriptions. help display help information for each command. autoboot display the state of, enable, or disable the autoboot option. boot loa...

  • Page 512

    Examples — To activate the boot profile in the next slot and display the profile, type the following command: boot> next boot index: 0 boot type: c device: boot1: filename: testcfg flags: 00000000 options: run=nos;boot=0 See also ■ “change” on page 503 ■ “cre...

  • Page 513

    3com wx-4400 bootstrap/bootloader version 3.0.2 release compiled on wed sep 22 09:18:47 pdt 2004 by bootstrap 0 version: 3.1 active bootloader 0 version: 3.0.2 active bootstrap 1 version: 3.1 bootloader 1 version: 3.0.1 wx-4400 board revision: 2. Wx-4400 controller revision: 5. Wxa30001.Rel...

  • Page 514

    Examples — The following command displays the current setting of the poweron test flag: boot> test the diagnostic execution flag is not set. See also ■ “boot” on page 501. version: Displays version information for a WX switch’s hardware and boot code. Syntax — ...

  • Page 515

    See also ■ “dir” on page 506 ■ “fver” on page 508.

  • Page 517: Obtaining

    A Obtaining Support for Your Product. Register your product: Warranty and other service benefits start from the date of purchase, so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you. Warranty and other service be...

  • Page 518

    3Com Knowledgebase helps you troubleshoot 3Com products. This query-based interactive tool is located at http://knowledgebase.3com.com and contains thousands of technical solutions written by 3Com support engineers. Access software downloads: Sof...

  • Page 519

    product is registered and under warranty, you can obtain an RMA number online at http://esupport.3com.com/ . First time users will need to apply for a user name and password. Contact us: 3Com offers telephone, e-mail and internet access to technical support and repair services. To acce...

  • Page 520

    Latin America telephone technical support and repair antigua argentina aruba bahamas barbados belize bermuda bonaire brazil cayman chile colombia costa rica curacao ecuador dominican republic 1 800 988 2112 0 810 444 3com 1 800 998 2112 1 800 99...

  • Page 522

    522 Index clear usergroup attr 179 clear vlan 91 commit security acl 369 copy 464 create 504 crypto certificate 391 crypto certificate admin 391 crypto certificate eap 391 crypto generate key 392 crypto generate request 393 crypto generate request admin 393 crypto generate request eap 393 crypto ge...

  • Page 524

    set ip snmp server 142 set ip ssh 143 set ip ssh absolute-timeout 143 set ip ssh idle-timeout 144 set ip ssh server 145 set ip telnet 146 set ip telnet server 146 set length 48 set license 49 set location policy 203 set log 494 set log buffer 494 set log console 494 set log current 494 se...

  • Page 525

    set spantree portfast 337 set spantree portpri 337 set spantree portvlancost 338 set spantree portvlanpri 339 set spantree priority 340 set spantree uplinkfast 341 set summertime 153 set system contact 51 set system countrycode 51 set system ip-address 53, 155 set system location 54 set s...
