3Com 3CRWX120695A Configuration Manual

Manual is about: Wireless LAN Mobility System Wireless LAN Switch and Controller

Summary of 3CRWX120695A

  • Page 1

    http://www.3com.com/ Part No. 10015909, published June 2007. Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide: WX4400 3CRWX440095A, WX2200 3CRWX220095A, WX1200 3CRWX120695A, WXR100 3CRWXR10095A.

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without writt...

  • Page 3: Contents

    Contents. About This Guide: Conventions 23; Documentation 24; Documentation Comments 25. 1 Using the Command-Line Interface: Overview 27; CLI Conventions 27; Command Prompts 28; Syntax Notation 28; Text Entry Conventions and Allowed Characters 28; User Globs, MAC Address Globs, and VLAN Globs 30; Port ...

  • Page 4: AAA

    Web Quick Start Parameters 40; Web Quick Start Requirements 41; Accessing the Web Quick Start 41; CLI quickstart Command 44; quickstart Example 46; Remote WX Configuration 49; Opening the Quickstart Network Plan in 3Com Wireless Switch Manager 49. 3 Configuring AAA for Administrative and Local Access: O...

  • Page 5: VLAN

    Setting the Maximum Number of Login Attempts 67; Specifying Minimum Password Length 68; Configuring Password Expiration Time 69; Restoring Access to a Locked-Out User 70; Displaying Password Information 70. 5 Configuring and Managing Ports and VLANs: Configuring and Managing Ports 71; Setting the Port ...

  • Page 6

    Configuring the System IP Address 108; Designating the System IP Address 108; Displaying the System IP Address 108; Clearing the System IP Address 108; Configuring and Managing IP Routes 108; Displaying IP Routes 110; Adding a Static Route 111; Removing a Static Route 112; Managing the Management Services 1...

  • Page 7: SNMP

    Adding an ARP Entry 131; Changing the Aging Timeout 131; Pinging Another Device 132; Logging In to a Remote Device 132; Tracing a Route 133; IP Interfaces and Services Configuration Scenario 135. 7 Configuring SNMP: Overview 139; Configuring SNMP 139; Setting the System Location and Contact Strings 140; Enab...

  • Page 8: MAP A

    Configuring WX-WX Security 158; Monitoring the VLANs and Tunnels in a Mobility Domain 159; Displaying Roaming Stations 159; Displaying Roaming VLANs and Their Affinities 160; Displaying Tunnel Information 160; Understanding the Sessions of Roaming Users 161; Requirements for Roaming to Succeed 161; Effects...

  • Page 9: RF L

    Configuring MAPs 213; Specifying the Country of Operation 213; Configuring an Auto-AP Profile for Automatic MAP Configuration 218; Configuring MAP Port Parameters 224; Configuring MAP-WX Security 229; Configuring a Service Profile 233; Configuring a Radio Profile 240; Configuring Radio-Specific Parameters ...

  • Page 10: WLAN M

    Setting Strictness for RF Load Balancing 270; Exempting an SSID from RF Load Balancing 271; Displaying RF Load Balancing Information 271. 12 Configuring WLAN Mesh Services: WLAN Mesh Services Overview 273; Configuring WLAN Mesh Services 274; Configuring the Mesh AP 275; Configuring the Service Profile f...

  • Page 11: RF A

    Enabling Dynamic WEP in a WPA Network 304; Configuring Encryption for MAC Clients 306. 14 Configuring RF Auto-Tuning: Overview 311; Initial Channel and Power Assignment 311; Channel and Power Tuning 312; RF Auto-Tuning Parameters 314; Changing RF Auto-Tuning Settings 316; Selecting Available Channels on...

  • Page 12

    Enabling U-APSD Support 342; Configuring Call Admission Control 343; Configuring Static CoS 343; Changing CoS Mappings 344; Using the Client’s DSCP Value to Classify QoS Level 344; Enabling Broadcast Control 345; Displaying QoS Information 345; Displaying a Radio Profile’s QoS Settings 345; Displaying a Ser...

  • Page 13: IGMP S

    18 Configuring and Managing IGMP Snooping: Overview 369; Disabling or Reenabling IGMP Snooping 369; Disabling or Reenabling Proxy Reporting 370; Enabling the Pseudo-Querier 370; Changing IGMP Timers 370; Changing the Query Interval 371; Changing the Other-Querier-Present Interval 371; Changing the Query...

  • Page 14

    Mapping Security ACLs 390; Mapping User-Based Security ACLs 390; Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs 392; Modifying a Security ACL 394; Adding Another ACE to a Security ACL 394; Placing One ACE Before Another 395; Modifying an Existing Security ACL 396; Clearing Securi...

  • Page 15: AAA

    Key and Certificate Configuration Scenarios 427; Creating Self-Signed Certificates 427; Installing CA-Signed Certificates from PKCS #12 Object Files 429; Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File 431. 21 Configuring AAA for Network Users: About AAA ...

  • Page 16

    Configuring Last-Resort Access for Wired Authentication Ports 481; Configuring AAA for Users of Third-Party APs 482; Authentication Process for Users of a Third-Party AP 482; Requirements 483; Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs 484; Configuring Authenticatio...

  • Page 17: RADIUS

    22 Configuring Communication with RADIUS: RADIUS Overview 519; Before You Begin 521; Configuring RADIUS Servers 521; Configuring Global RADIUS Defaults 522; Setting the System IP Address as the Source Address 523; Configuring Individual RADIUS Servers 523; Deleting RADIUS Servers 524; Configuring RADIUS S...

  • Page 18: SODA E

    24 Configuring SODA Endpoint Security for a WX Switch: About SODA Endpoint Security 543; SODA Endpoint Security Support on WX Switches 544; How SODA Functionality Works on WX Switches 545; Configuring SODA Functionality 546; Configuring Web Portal WebAAA for the Service Profile 547; Creating the SODA ...

  • Page 19

    26 Rogue Detection and Countermeasures: Overview 567; About Rogues and RF Detection 567; Rogue Access Points and Clients 567; RF Detection Scans 571; Countermeasures 572; Mobility Domain Requirement 572; Summary of Rogue Detection Features 573; Configuring Rogue Detection Lists 574; Configuring a Permitte...

  • Page 20: WX S

    27 Managing System Files: About System Files 599; Displaying Software Version Information 599; Displaying Boot Information 601; Working with Files 602; Displaying a List of Files 602; Copying a File 604; Using an Image File’s MD5 Checksum to Verify Its Integrity 606; Deleting a File 607; Creating a Subdir...

  • Page 21

    Displaying a Trace 632; Stopping a Trace 632; About Trace Results 633; Displaying Trace Results 633; Copying Trace Results to a Server 634; Clearing the Trace Log 634; List of Trace Areas 634; Using display Commands 635; Viewing VLAN Interfaces 635; Viewing AAA Session Statistics 635; Viewing FDB Information ...

  • Page 22: RADIUS A

    C Supported RADIUS Attributes: Attributes 651; Supported Standard and Extended Attributes 652; 3Com Vendor-Specific Attributes 659. D Traffic Ports Used by MSS. E DHCP Server: How the MSS DHCP Server Works 664; Configuring the DHCP Server 665; Displaying DHCP Server Information 666. F Obtaining Suppo...

  • Page 23: About

    About This Guide. This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200. This guide is intended for system integrators who are configuring the WXR100, WX1200, WX4400, or WX2200. If release notes are shipped w...

  • Page 24

    24 About This Guide. This manual uses the following text and syntax conventions: Documentation. The MSS documentation set includes the following documents. Wireless Switch Manager (3WXM) Release Notes: these notes provide information about the 3WXM software release, including new features and bug fi...

  • Page 25

    Documentation Comments 25. Wireless Switch Manager Reference Manual: this manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM). Wireless Switch Manager User’s Guide: this manual shows you how to plan, configure, ...

  • Page 26

    26 About This Guide. Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.

  • Page 27: Using

    1 Using the Command-Line Interface. Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, wireless LAN switches (WX1200 or WXR100), wireless LAN controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS...

  • Page 28

    28 Chapter 1: Using the Command-Line Interface. Command Prompts. By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address....

  • Page 29

    CLI Conventions 29. The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command. 3Com recommends that you do not use the same name with different capitalizations for VL...

  • Page 30

    30 Chapter 1: Using the Command-Line Interface. Wildcard Masks. Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL chec...

  • Page 31

    CLI Conventions 31. MAC Address Globs. A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*...

  • Page 32

    32 Chapter 1: Using the Command-Line Interface. To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter...

  • Page 33

    Command-Line Editing 33. Virtual LAN Identification. The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be c...

  • Page 34

    34 Chapter 1: Using the Command-Line Interface. History Buffer. The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Tabs. The MSS CLI uses the Tab ke...

  • Page 35

    Using CLI Help 35. rollback remove changes to the edited acl table; save save the running configuration to persistent storage; set set, use 'set help' for more information; telnet telnet ip address [server port]; traceroute print the route packets take to network host. For more information on help, see th...

  • Page 36

    36 Chapter 1: Using the Command-Line Interface. Understanding Command Descriptions. Each command description in the Wireless LAN Switch and Controller Command Reference contains the following elements: a command name, which shows the keywords but not the variables. For example, the following com...

  • Page 37: WX S

    2 WX Setup Methods. This chapter describes the methods you can use to configure a WX switch, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods. For easy installation, use one of the quick-start methods described i...

  • Page 38

    38 Chapter 2: WX Setup Methods. 3Com Wireless Switch Manager. You can use 3Com Wireless Switch Manager to remotely configure a switch using one of the following techniques: Drop ship—on model WXR100 only, you can press the factory reset switch during power on until the right LED above port 1 flashe...

  • Page 39

    How a WX Switch Gets Its Configuration 39. How a WX Switch Gets Its Configuration. Figure 1 shows how a WX switch gets a configuration when you power it on. [Figure 1: WX switch startup algorithm (flowchart); only label fragments survive here: switch is powered on; does switch have a configuration?; is auto-config ...; switch boots; model WXR1...]

  • Page 40

    Web Quick Start (WXR100, WX1200 and WX2200 only) 40. Web Quick Start (WXR100, WX1200 and WX2200 only). You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch an...

  • Page 41

    Web Quick Start (WXR100, WX1200 and WX2200 only) 41. Web Quick Start Requirements. To use the Web Quick Start, you need the following: AC power source for the switch; PC with an Ethernet port that you can connect directly to the switch; Category 5 (CAT 5) or higher Ethernet cable if the PC is connected ...

  • Page 42

    42 Chapter 2: WX Setup Methods. This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address. The first page of the Quick Start wizard appears. 6 Click Start to begin. The wizard screens guide you through t...

  • Page 43

    Web Quick Start (WXR100, WX1200 and WX2200 only) 43. Here is an example: 8 Review the configuration settings, then click Finish to save the changes or click Back to change settings. If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration...

  • Page 44

    44 Chapter 2: WX Setup Methods. CLI quickstart Command. The quickstart command runs a script that interactively helps you configure the following items: system name; country code (regulatory domain); system IP address; default route; 802.1Q tagging for ports in the default VLAN; administrative users and...

  • Page 45

    CLI quickstart Command 45. The command automatically places all ports that are not used for directly connected MAPs into the default VLAN (VLAN 1). The quickstart command prompts you for an administrative username and password for managing the switch over the network. The command automatically config...

  • Page 46

    46 Chapter 2: WX Setup Methods. quickstart Example. This example configures the following parameters: system name: wx1200-corp; country code (regulatory domain): us; system IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0. The quickstart script asks for an IP address and subnet mask ...

  • Page 47

    CLI quickstart Command 47. If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name. Figure 2 shows an exampl...

  • Page 48

    48 Chapter 2: WX Setup Methods. specify the port number that needs to be tagged [1-2, ends config]: admin username [admin]: wxadmin admin password [optional]: letmein enable password [optional]: enable do you wish to set the time? [y]: y enter the date (dd/mm/yy) []: 31/03/07 is daylight saving ti...

  • Page 49

    Remote WX Configuration 49. 8 Save the configuration changes. WXR100-aabbcc# save config. Remote WX Configuration. You can use 3Com Wireless Switch Manager services running in your corporate network to configure WX switches in remote offices. The following remote configuration scenarios are supported: ...

  • Page 50

    50 Chapter 2: WX Setup Methods. To open the network plan: 1 Install 3WXM, if not already installed. (See the “Getting Started” chapter of the Wireless Switch Manager User’s Guide or the “Installing 3WXM” chapter of the Wireless Switch Manager Reference Manual.) 2 Start 3WXM by doing one of the fo...

  • Page 51: Configuring

    3 Configuring AAA for Administrative and Local Access. 3Com Mobility System Software (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before y...

  • Page 52

    52 Chapter 3: Configuring AAA for Administrative and Local Access. 5 Customized authentication. You can require authentication for all users or for only a subset of users. Username globbing (see “User Globs, MAC Address Globs, and VLAN Globs” on page 30) allows different users or classes of user...

  • Page 53

    Overview 53. [Figure 3: Typical 3Com Mobility System (diagram); labels: WX switch, core router, Layer 2 switches, WX switches, Building 1, Data Center, Floor 3, Floor 2, Layer 2 or Layer 3 switches, RADIUS or AAA servers, Floor 1, WX switches, MAPs.]

  • Page 54

    54 Chapter 3: Configuring AAA for Administrative and Local Access. Before You Start. Before reading more of this chapter, read the Wireless LAN Switch and Controller Quick Start Guide to set up a WX switch and the attached MAPs for basic service. About Administrative Access. The authentication, au...

  • Page 55

    First-Time Configuration via the Console 55. First-Time Configuration via the Console. Administrators must initially configure the WX switch with a computer or terminal connected to the WX console port through a serial cable. Telnet access is not initially enabled. To configure a previously unconfigur...

  • Page 56

    56 Chapter 3: Configuring AAA for Administrative and Local Access. Setting the WX Switch Enable Password. There is one enable password for the entire WX switch. You can optionally change the enable password from the default. 3Com recommends that you change the enable password from the default (no ...

  • Page 57

    First-Time Configuration via the Console 57. 3WXM Enable Password. If you use 3WXM to continue configuring the switch, you will need to enter the switch’s enable password when you upload the switch’s configuration into 3WXM. (For 3WXM information, see the Wireless Switch Manager Reference Manual.) Au...

  • Page 58

    58 Chapter 3: Configuring AAA for Administrative and Local Access. The authentication method none you can specify for administrative access is different from the fallthru authentication type none, which applies only to network access. The authentication method none allows access to the WX switch...

  • Page 59

    Configuring Accounting for Administrative Users 59. Although MSS allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password. Adding and Clearing Local Users f...

  • Page 60

    60 Chapter 3: Configuring AAA for Administrative and Local Access. You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most case...

  • Page 61

    Displaying the AAA Configuration 61. Displaying the AAA Configuration. To display your AAA configuration, type the following command: WX1200# display aaa. default values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) radius servers server addr po...

  • Page 62

    62 Chapter 3: Configuring AAA for Administrative and Local Access. Administrative AAA Configuration Scenarios. The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@jor. (For RADIU...

  • Page 63

    Administrative AAA Configuration Scenarios 63. Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order: WX1200# set server group sg1 members r1. success: cha...

  • Page 64

    64 Chapter 3: Configuring AAA for Administrative and Local Access. Local Override and Backup Local Authentication. This scenario illustrates how to enable local override authentication for console users. Local override means that MSS attempts authentication first via the local database. If it fin...

  • Page 65: Managing

    4 Managing User Passwords. This chapter describes how to manage user passwords, configure user passwords, and how to display password information. Overview. 3Com recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictiona...

  • Page 66

    66 Chapter 4: Managing User Passwords. Only one unsuccessful login attempt is allowed in a 10-second period for a user or session. All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged. The audit log file on the WX switch (command_audit.cur) cannot be deleted...

  • Page 68

    68 Chapter 4: Managing User Passwords. You can specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset to the default values. If a user is locked out of the system, you can restore the user’s access with the clear user lockout command. (See “Re...

  • Page 69

    Configuring Passwords 69. Configuring Password Expiration Time. To specify how long a user’s password is valid before it must be reset, use the following command: set user username expire-password-in time. To specify how long the passwords are valid for users in a user group, use the following command: ...

  • Page 70

    70 Chapter 4: Managing User Passwords. Restoring Access to a Locked-Out User. If a user’s password has expired, or the user is unable to log in within the configured limit for login attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administr...

  • Page 71: Configuring

    5 Configuring and Managing Ports and VLANs. This chapter describes how to configure and manage ports and VLANs. Configuring and Managing Ports. You can configure and display information for the following port parameters: port type; name; speed and autonegotiation; port state; Power over Ethernet (PoE)...

  • Page 72

    72 Chapter 5: Configuring and Managing Ports and VLANs. All WX switch ports are network ports by default. You must set the port type for ports directly connected to MAP access ports and to wired user stations that must be authenticated to access the network. When you change port type, MSS applie...

  • Page 73

    Configuring and Managing Ports 73. Setting a Port for a Directly Connected MAP. Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch. (See “Specifying the Country of Operation” on page 213.)...

  • Page 74

    74 Chapter 5: Configuring and Managing Ports and VLANs. You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WX1200 switch, or port 1 on a WXR100, as a MAP port. To manage a MAP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed MAP connection on t...

  • Page 75

    Configuring and Managing Ports 75. For the serial-id parameter, specify the serial ID of the MAP. The serial ID is listed on the MAP case. To display the serial ID using the CLI, use the display version details command. The model and radiotype parameters have the same options as they do with the set ...

  • Page 76

    76 Chapter 5: Configuring and Managing Ports and VLANs. This command configures port 7 as a wired authentication port supporting one interface and one simultaneous user session. For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication p...

  • Page 77

    Configuring and Managing Ports 77. A cleared port is not placed in any VLANs, not even the default VLAN (VLAN 1). To clear a port, use the following command: clear port type port-list. For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following ...

  • Page 78

    78 Chapter 5: Configuring and Managing Ports and VLANs. Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only). The gigabit Ethernet ports on a WX4400 have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. T...

  • Page 79

    Configuring and Managing Ports 79. Configuring Port Operating Parameters. Autonegotiation is enabled by default on a WX switch’s 10/100 Ethernet ports and gigabit Ethernet ports. You can configure the following port operating parameters: speed; autonegotiation; port state; PoE state. All ports on the WX44...

  • Page 80

    80 Chapter 5: Configuring and Managing Ports and VLANs. To set the port speed on ports 1 and 3 through 5 to 10 Mbps, type the following command: WX1200# set port speed 1,3-5 10. Gigabit Ports — Autonegotiation and Flow Control. WX gigabit ports use autonegotiation by default to determine capabilit...

  • Page 81

    Configuring and Managing Ports 81. Resetting a Port. You can reset a port by toggling its link state and PoE state. MSS disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a MAP that is connected to two WX switches to reboot...

  • Page 82

    82 Chapter 5: Configuring and Managing Ports and VLANs. Displaying PoE State. To display the PoE state of a port, use the following command: display port poe [port-list]. To display PoE information for ports 1 and 3, type the following command: WX1200# display port poe 1,3. link port poe poe port n...

  • Page 83

    Configuring and Managing Ports 83. Clearing Statistics Counters. To clear all port statistics counters, use the following command: clear port counters. The counters begin incrementing again, starting from 0. Monitoring Port Statistics. You can display port statistics in a format that continually updates...

  • Page 84

    84 Chapter 5: Configuring and Managing Ports and VLANs. Use the keys listed in Table 8 to control the monitor display. To monitor port statistics beginning with octet statistics (the default), type the following command: WX1200# monitor port counters. As soon as you press Enter, MSS clears the wi...

  • Page 85

    Configuring and Managing Ports 85. Configuring Load-Sharing Port Groups. A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group. You can configure up to 8 ports in a port group, in...

  • Page 86

    86 Chapter 5: Configuring and Managing Ports and VLANs. To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command: WX1200# set port-group name server1 1-5 mode on. success: change accepted. After you configure a port group, you can use th...

  • Page 87

    Configuring and Managing VLANs 87. Displaying Port Group Information. To display port group information, use the following command: display port-group [name group-name]. To display the configuration and status of port group server2, type the following command: WX1200# display port-group name server2. po...

  • Page 88

    88 Chapter 5: Configuring and Managing Ports and VLANs. VLANs are not configured on MAP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication...

  • Page 89

    Configuring and Managing VLANs 89. You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database: Tunnel-Private-Group-ID — this attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support. VLAN-Name — this attribute i...

  • Page 90

    90 Chapter 5: Configuring and Managing Ports and VLANs. Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, 3Com recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic. Traffic Forwarding. A WX s...

  • Page 91

    Configuring and Managing VLANs 91. If the WX switch that is not in the user’s VLAN has a choice of more than one other WX switch through which to tunnel the user’s traffic, the switch selects the other switch based on an affinity value. This is a numeric value that each WX switch within a Mobility Do...

  • Page 92

    92 Chapter 5: Configuring and Managing Ports and VLANs. You must assign a name to a VLAN before you can add ports to the VLAN. You can configure the name and add ports with a single set vlan command or separate set vlan commands. Once you assign a VLAN number to a VLAN, you cannot change the num...

  • Page 93

    Configuring and Managing VLANs 93. Removing an Entire VLAN or a VLAN Port. To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command: clear vlan vlan-id [port port-list [tag tag-value]]. CAUTION: When you remove a VLAN, MSS completely removes the VLAN from the con...

  • Page 94

    94 Chapter 5: Configuring and Managing Ports and VLANs. Restricting Layer 2 Forwarding Among Clients. By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. ...

  • Page 95

    Configuring and Managing VLANs 95. The following commands restrict Layer 2 forwarding of client data in VLAN abc_air to the default routers with MAC address aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66, and display restriction information and statistics: WX1200# set security l2-restrict vlan abc_air mode ...

  • Page 96

    96 Chapter 5: Configuring and Managing Ports and VLANs. Managing the Layer 2 Forwarding Database. A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC...

  • Page 97

    Managing the Layer 2 Forwarding Database 97. Displaying Forwarding Database Information. You can display the forwarding database size and the entries contained in the database. Displaying the Size of the Forwarding Database. To display the number of entries contained in the forwarding database, use the...

  • Page 98

    98 Chapter 5: Configuring and Managing Ports and VLANs. To display all entries that begin with 00, type the following command: WX1200# display fdb 00:*. * = static entry. + = permanent entry. # = system entry. Vlan tag dest mac/route des [cos] destination ports [protocol type] ---- ---- ---------...

  • Page 99

    Managing the Layer 2 Forwarding Database 99. Configuring the Aging Timeout Period. The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change ...

  • Page 100

    100 Chapter 5: Configuring and Managing Ports and VLANs. Port and VLAN Configuration Scenario. This scenario assigns names to ports, and configures MAP access ports, wired authentication ports, a load-sharing port group, and VLANs. 1 Assign names to ports to identify their functions, and verify t...

  • Page 101

    Port and VLAN Configuration Scenario 101. =============================================================================== boot time: 2000-03-18 22:59:19 uptime: 0 days 00:13:45 =============================================================================== fan status: fan1 ok fan2 ok fan3 ok temperat...

  • Page 102

    102 Chapter 5: Configuring and Managing Ports and VLANs 4 configure ports 5 and 6 as wired authentication ports and verify the configuration change. Type the following commands: wx1200# set port type wired-auth 5,6 success: change accepted wx1200# display port status port name admin oper config...

  • Page 103: Configuring

    6 Configuring and Managing IP Interfaces and Services this chapter describes how to configure ip interfaces and services. Mtu support mobility system software (mss) supports standard maximum transmission units (mtus) of 1514 bytes for standard ethernet packets and 1518 bytes for ethernet packets...

  • Page 104

    104 Chapter 6: Configuring and Managing IP Interfaces and Services configuring and managing ip interfaces many features, including the following, require an ip interface on the wx switch: management access through telnet access by 3com wireless switch manager exchanging information and user dat...

  • Page 105

    Configuring and managing ip interfaces 105 the dhcp client is enabled by default on an unconfigured wxr100 when the factory reset switch is pressed and held during power on. The dhcp client is disabled by default on all other switch models, and is disabled on a wxr100 if the switch is already config...

  • Page 106

    106 Chapter 6: Configuring and Managing IP Interfaces and Services if the switch is powered down or restarted, mss does not retain the values received from the dhcp server. However, if the ip interface goes down but mss is still running, mss attempts to reuse the address when the interface come...

  • Page 107

    Configuring and managing ip interfaces 107 displaying dhcp client information to display dhcp client information, type the following command: wx1200# display dhcp-client interface: corpvlan(4) configuration status: enabled dhcp state: if_up lease allocation: 65535 seconds lease remaining: 65532 seco...

  • Page 108

    108 Chapter 6: Configuring and Managing IP Interfaces and Services configuring the system ip address you can designate one of the ip addresses configured on a wx switch to be the system ip address of the switch. The system ip address determines the interface or source ip address mss uses for sy...

  • Page 109

    Configuring and managing ip routes 109 a destination can be a subnet or network. If two static routes specify a destination, the more specific route is always chosen (longest prefix match). For example, if you have a static route with a destination of 10.10.1.0/24, and another static route with a de...

  • Page 110

    110 Chapter 6: Configuring and Managing IP Interfaces and Services displaying ip routes to display ip routes, use the following command: display ip route [destination] the destination parameter specifies a destination ip address. To display the ip route table, type the following command: wx1200...

  • Page 111

    Configuring and managing ip routes 111 if a vlan is administratively disabled or all of the links in the vlan go down or are disabled, mss removes the vlan’s routes from the route table. If the direct route required by a static route goes down, mss changes the static route state to down. If the rout...

  • Page 112

    112 Chapter 6: Configuring and Managing IP Interfaces and Services to add two default routes and configure mss to always use the route through 10.2.4.69 when the wx interface to that default router is up, type the following commands: wx1200# set ip route default 10.2.4.69 1 success: change acce...

  • Page 113

    Managing the management services 113 managing the management services mss provides the following services for managing a wx switch over the network: secure shell (ssh) — ssh provides a secure connection to the cli through tcp port 22. Telnet — telnet provides a nonsecure connection to the cli throug...

  • Page 114

    114 Chapter 6: Configuring and Managing IP Interfaces and Services ssh requires an ssh authentication key. You can generate one or allow mss to generate one. The first time an ssh client attempts to access the ssh server on a wx switch, the switch automatically generates a 1024-byte ssh key. If...

  • Page 115

    Managing the management services 115 to add administrative user wxadmin with password letmein, and use radius server group sg1 to authenticate the user, type the following commands: wx1200# set user wxadmin password letmein success: user wxadmin created wx1200# set authentication admin wxadmin sg1 s...

  • Page 117

    Managing the management services 117 displaying telnet status to display the status of the telnet server, use the following command: display ip telnet to display the telnet server status and the tcp port number on which a wx switch listens for telnet traffic, type the following command: wx1200> disp...

  • Page 118

    118 Chapter 6: Configuring and Managing IP Interfaces and Services to display the telnet server sessions on a wx switch, type the following command: wx1200# display sessions admin tty username time (s) type ------- -------------------- -------- ---- tty0 3644 console tty2 tech 6 telnet tty3 ssh...

  • Page 119

    Managing the management services 119 the command lists the tcp port number on which the switch listens for https connections. The command also lists the last 10 devices to establish https connections with the switch and when the connections were established. If a browser connects to a wx switch from...

  • Page 120

    120 Chapter 6: Configuring and Managing IP Interfaces and Services setting a message of the day (motd) banner you can configure the wx switch to display a message of the day (motd) banner, which is a string of text that is displayed before the beginning of the login prompt for a user’s cli sess...

  • Page 121

    Configuring and managing dns 121 after these commands are entered, when the user logs on, the motd banner is displayed, followed by the text do you agree? If the user enters y, then the login proceeds; if not, then the user is disconnected. Configuring and managing dns you can configure a wx switch ...

  • Page 122

    122 Chapter 6: Configuring and Managing IP Interfaces and Services configuring a default domain name you can configure a single default domain name for dns queries. The wx switch appends the default domain name to hostnames you enter in commands. For example, you can configure the wx switch to ...

  • Page 123

    Configuring and managing aliases 123 configuring and managing aliases an alias is a string that represents an ip address. You can use aliases as shortcuts in cli commands. For example, you can configure alias pubs1 for ip address 10.10.10.20, and enter ping pubs1 as a shortcut for ping 10.10.10.20. ...

  • Page 124

    124 Chapter 6: Configuring and Managing IP Interfaces and Services configuring and managing time parameters you can configure the system time and date statically or by using network time protocol (ntp) servers. In each case, you can specify the offset from coordinated universal time (utc) by se...

  • Page 125

    Configuring and managing time parameters 125 setting the time zone the time zone parameter adjusts the system date, and optionally the time, by applying an offset to utc. To set the time zone, use the following command: set timezone zone-name {-hours [minutes]} the zone name can be up to 32 alphanum...

  • Page 126

    126 Chapter 6: Configuring and Managing IP Interfaces and Services the summer-name can be up to 32 alphanumeric characters long, with no spaces. The start and end dates and times are optional. If you do not specify a start and end time, mss implements the time change starting at 2:00 a.m. on th...

  • Page 127

    Configuring and managing time parameters 127 statically configuring the system time and date to statically configure the system time and date, use the following command: set timedate {date mmm dd yyyy [time hh:mm:ss]} the day of week is automatically calculated from the day you set. To set the date ...

  • Page 128

    128 Chapter 6: Configuring and Managing IP Interfaces and Services mss adjusts the ntp reply according to the following time parameters configured on the wx switch: offset from utc (configured with the timezone command; see “setting the time zone” on page 125) daylight savings time (configured ...

  • Page 129

    Configuring and managing time parameters 129 resetting the update interval to the default to reset the update interval to the default value, use the following command: clear ntp update-interval enabling the ntp client the ntp client is disabled by default. To enable the ntp client, use the following...

  • Page 130

    130 Chapter 6: Configuring and Managing IP Interfaces and Services managing the arp table the address resolution protocol (arp) table maps ip addresses to mac addresses. An arp entry enters the table in one of the following ways: added automatically by the wx switch. A switch adds an entry for ...

  • Page 131

    Managing the arp table 131 adding an arp entry mss automatically adds a local entry for a wx switch and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries: dynamic — ages out based on the aging timeout. Static — does not age out but ...

  • Page 132

    132 Chapter 6: Configuring and Managing IP Interfaces and Services pinging another device to verify that another device in the network can receive ip packets sent by the wx switch, use the following command: ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-a...

  • Page 133

    Tracing a route 133 when you press ctrl+t or type exit to end the client session, the management session returns to the local wx prompt: wx1200-remote> session 0 pty tty2.d terminated tt name tty2.d wx1200# use the following commands to manage telnet client sessions: display sessions telnet client c...

  • Page 134

    134 Chapter 6: Configuring and Managing IP Interfaces and Services to identify the next hop, traceroute again sends a udp packet, but this time with a ttl value of 2. The first router decrements the ttl field by 1 and sends the datagram to the next router. The second router sees a ttl value of ...

  • Page 135

    Ip interfaces and services configuration scenario 135 ip interfaces and services configuration scenario this scenario configures ip interfaces, assigns one of the interfaces to be the system ip address, and configures a default route, dns parameters, and time and date parameters. 1 configure ip inte...

  • Page 136

    136 Chapter 6: Configuring and Managing IP Interfaces and Services 3 configure a default route through a default router attached to the wx switch and verify the configuration change. Type the following commands: wx1200# set ip route default 10.20.10.1 1 success: change accepted. wx1200# display...

  • Page 137

    Ip interfaces and services configuration scenario 137 wx1200# display summertime summertime is enabled, and set to 'pdt'. Start : sun apr 04 2004, 02:00:00 end : sun oct 31 2004, 02:00:00 offset : 60 minutes recurring : yes, starting at 2:00 am of first sunday of april and ending at 2:00 am on last ...


  • Page 139: Configuring

    7 Configuring SNMP mss supports simple network management protocol (snmp) versions 1, 2c, and 3. Overview the mss snmp engine (also called the snmp server or agent) can run any combination of the following snmp versions: snmpv1—snmpv1 is the simplest and least secure snmp version. Community strings...

  • Page 140

    140 Chapter 7: Configuring SNMP set the minimum level of security allowed for snmp message exchanges. Configure a notification profile or modify the default one, to enable sending of notifications to notification targets. By default, notifications of all types are dropped (not sent). Configure not...

  • Page 141

    Configuring snmp 141 the comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings. The access level specifies the read-write privileges of the community string: read-only—an snmp management application using the string can get (read) obje...

  • Page 142

    142 Chapter 7: Configuring SNMP the usm-username can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 20 snmpv3 users. The snmp-engine-id option specifies a unique identifier for an instance of an snmp engine. To send informs, you must specify the engine id of the ...

  • Page 143

    Configuring snmp 143 3des—triple des encryption is used. Aes—advanced encryption standard (aes) encryption is used. If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key. To specify a passphrase, use the encrypt-pass-phrase string option. The string can be fr...

  • Page 145

    Configuring snmp 145 the profile-name can be up to 32 alphanumeric characters long, with no spaces. To modify the default notification profile, specify default. The notification-type can be one of the following: apboottraps—generated when a map boots. Apnonoperstatustraps—generated to indicate a map...

  • Page 146

    146 Chapter 7: Configuring SNMP dapconnectwarningtraps—generated when a distributed map whose fingerprint has not been configured in mss establishes a management session with the switch. Devicefailtraps—generated when an event with an alert severity occurs. Deviceokaytraps—generated when a device ...

  • Page 147

    Configuring snmp 147 rfdetectinterferingroguedisappeartraps—generated when an interfering device is no longer detected. Rfdetectspoofedmacaptraps—generated when mss detects a wireless packet with the source mac address of a 3com map, but without the spoofed map’s signature (fingerprint). Rfdetectspo...

  • Page 148

    148 Chapter 7: Configuring SNMP wx1200# set snmp notify profile snmpprof_rfdetect send rfdetectinterferingrogueaptraps success: change accepted. wx1200# set snmp notify profile snmpprof_rfdetect send rfdetectinterferingroguedisappeartraps success: change accepted. wx1200# set snmp notify profile s...

  • Page 150

    150 Chapter 7: Configuring SNMP the inform or trap option specifies whether the mss snmp engine expects the target to acknowledge notifications sent to the target by the wx switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicabl...

  • Page 151

    151 Chapter 7: Configuring SNMP this command configures target 1 at ip address 10.10.40.9. The target’s snmp engine id is based on its address. The mss snmp engine will send notifications based on the default profile, and will require the target to acknowledge receiving them. The following command...

  • Page 152

    152 Chapter 7: Configuring SNMP displaying notification profiles to display notification profiles, use the following command: display snmp notify profile the command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For ...

  • Page 153: Configuring

    8 Configuring and Managing Mobility Domain Roaming a mobility domain is a system of wx switches and managed access points (maps) working together to support roaming wireless users (clients). Tunnels and virtual ports between the wx switches in a mobility domain allow users to roam without any d...

  • Page 154

    154 Chapter 8: Configuring and Managing Mobility Domain Roaming configuring a mobility domain the wx switches in a mobility domain use their system ip address for mobility domain communication. To support the services of the mobility domain, the system ip address of every wx switch requires ba...

  • Page 155

    Configuring a mobility domain 155 optionally, you can configure a redundant seed wx switch, which takes over seed duties if the primary seed becomes unavailable. See “configuring mobility domain seed redundancy” on page 156. Configuring member wx switches on the seed to configure the list of members...

  • Page 156

    156 Chapter 8: Configuring and Managing Mobility Domain Roaming configuring mobility domain seed redundancy you can optionally specify a secondary seed in a mobility domain. The secondary seed provides redundancy for the primary seed switch in the mobility domain. If the primary seed becomes u...

  • Page 157

    Configuring a mobility domain 157 displaying mobility domain status to view the status of the mobility domain for the wx switch, use the display mobility-domain command. For example: wx# display mobility-domain mobility domain name: pleasanton member state type (*:active) model version -------------...

  • Page 158

    158 Chapter 8: Configuring and Managing Mobility Domain Roaming configuring wx-wx security you can enhance security on your network by enabling wx-wx security. Wx-wx security encrypts management traffic exchanged by wx switches in a mobility domain. When wx-wx security is enabled, management t...

  • Page 159

    Monitoring the vlans and tunnels in a mobility domain 159 monitoring the vlans and tunnels in a mobility domain tunnels connect wx switches. Tunnels are formed automatically in a mobility domain to extend a vlan to the wx switch that a roaming station is associated with. A single tunnel can carry tr...

  • Page 160

    160 Chapter 8: Configuring and Managing Mobility Domain Roaming displaying roaming vlans and their affinities the command display roaming vlan displays all vlans in the mobility domain, the wx switches servicing the vlans, and their tunnel affinity values configured on each switch for the vlan...

  • Page 161

    Understanding the sessions of roaming users 161 understanding the sessions of roaming users when a wireless client successfully roams from one map to another, its sessions are affected in the following ways: the wx treats this client session as a roaming session and not a new session. Radius account...

  • Page 162

    162 Chapter 8: Configuring and Managing Mobility Domain Roaming effects of timers on roaming an unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer. Grace period — a disassociated session has a grace period of 5 seconds during which mss can r...

  • Page 163

    Mobility domain scenario 163 mobility domain scenario the following scenario illustrates how to create a mobility domain named sunflower consisting of three members from a seed wx switch at 192.168.253.21: 1 make the current wx switch the mobility domain seed. Type the following command: wx1200# set...

  • Page 164

    164 Chapter 8: Configuring and Managing Mobility Domain Roaming vlan-wep 192.168.12.7 5 vlan-wep 192.168.15.5 5 7 to display active roaming tunnels, type the following command: wx1200# display tunnel vlan local address remote address state port lvid rvid -------------- --------------- --------...

  • Page 165: Configuring

    9 Configuring Network Domains a network domain is a group of geographically dispersed mobility domains that share information over a wan link. This shared information allows a user configured in one mobility domain to establish connectivity on a wx switch in a remote mobility domain. The wx switc...

  • Page 166

    166 Chapter 9: Configuring Network Domains figure 4 network domain in a network domain, one or more wx switches acts as a seed device. A network domain seed stores information about all of the vlans on the network domain members. The network domain seeds share this information among themselves, ...

  • Page 167

    About the network domain feature 167 figure 5 illustrates how user bob, who is based at sales office c gets connectivity and is placed in a vlan when he visits the corporate office. Figure 5 how a user connects to a remote vlan in a network domain in this example, bob establishes connectivity as fol...

  • Page 168

    168 Chapter 9: Configuring Network Domains 4 a vlan tunnel is created between the wx switch at the corporate office and the wx switch at sales office c. 5 bob establishes connectivity on the network at the corporate office and is placed in vlan red. Network domain seed affinity when there are mu...

  • Page 169

    Configuring a network domain 169 in the previous example, a wx switch in the mobility domain at the corporate office is configured as a member of a network domain that has a local seed, as well as seeds at the two branch offices and the three sales offices. The wx switch has an affinity value of 10 ...

  • Page 170

    170 Chapter 9: Configuring Network Domains for example, the following command sets the current wx switch as a seed with the network domain california: wx1200# set network-domain mode seed domain-name california success: change accepted. If the seed in a network domain is also intended to be a me...

  • Page 171

    Configuring a network domain 171 for example, the following command sets the current wx switch as a peer of the network domain seed with ip address 192.168.9.254: wx1200# set network-domain peer 192.168.9.254 success: change accepted. This command is valid on network domain seeds only. Configuring n...

  • Page 172

    172 Chapter 9: Configuring Network Domains to specify 10.8.107.1 as an additional network domain seed for the wx switch to connect to if the 192.168.9.254 seed is unavailable, enter the following command: wx1200# set network-domain mode member seed-ip 10.8.107.1 affinity 2 success: change accept...

  • Page 173

    Configuring a network domain 173 clearing network domain configuration from a wx switch you can clear all network domain configuration from a wx switch, regardless of whether the wx switch is a seed or a member of a network domain. You may want to do this in order to change a wx switch from one netw...

  • Page 174

    174 Chapter 9: Configuring Network Domains network domain scenario the following scenario illustrates how to create a network domain named globaldom consisting of three mobility domains at two geographically separated sites. Figure 7 below illustrates this scenario. Figure 7 network domain scena...

  • Page 175

    Network domain scenario 175 the following is the network domain configuration for this scenario: 1 make the wx switch with ip address 10.10.10.1 a seed of a network domain called globaldom and establish a peer relationship with the wx switch with ip address 20.20.20.1. Type the following commands: w...

  • Page 176

    176 Chapter 9: Configuring Network Domains 20.20.20.1 up seed 20.20.20.2 up member 20.20.20.3 up member 30.30.30.1 up member 30.30.30.2 up member member network domain name: globaldom member state mode --------------- ------------- ------ --------------- 10.10.10.1 up seed 10.10.10.2 up member 1...

  • Page 177: Configuring

    10 Configuring MAP Access Points maps contain radios that provide networking between your wired network and ieee 802.11 wireless users. A map connects to the wired network through a 10/100 ethernet link and connects to wireless users through radio signals. Map overview figure 8 shows an example o...

  • Page 178

    178 Chapter 10: Configuring MAP Access Points figure 8 example 3com network to configure maps, perform the following tasks, in this order: specify the country of operation. Configure map access ports, distributed ap connections, and dual homing. If required, configure radio-specific parameters, ...

  • Page 179

    Map overview 179 you do not need to set channels and power if you use rf auto-tuning to set these values. You do not need to specify an external antenna type unless a radio uses an external antenna. However, if you do install an external antenna, you must ensure that the external antenna model param...

  • Page 180

    180 Chapter 10: Configuring MAP Access Points similar to ports configured for directly connected maps, distributed map configurations are numbered and can reference a particular map. These numbered configurations do not, however, reference any physical port. Distributed map network requirements ...

  • Page 181

    Map overview 181 if only 3comwx is defined in dns, the map contacts the wx with an ip address returned for 3comwx. Distributed maps and stp a distributed map is a leaf device. You do not need to enable stp on the port that is directly connected to the map. If spanning tree protocol (stp) is enabled ...

  • Page 182

    182 Chapter 10: Configuring MAP Access Points distributed maps and dhcp option 43 the option 43 field in a dhcp offer message can provide a simple and effective way for maps to find wx switches across an intermediate layer 3 network, and is especially useful in networks that are geographically d...

  • Page 183

    Map overview 183 map parameters table 9 summarizes parameters that apply to individual maps, including dual-homing parameters. (for information about parameters for individual radios, see “configuring a radio profile” on page 240 and “configuring radio-specific parameters” on page 246.) table 9 glob...

  • Page 184

    184 Chapter 10: Configuring MAP Access Points resiliency and dual-homing options for maps maps can support a wide variety of resiliency options. Redundancy for data link connections and for wx services can be provided to the map. Poe redundancy—on map models that have two ethernet ports, you can...

  • Page 185

    Map overview 185 dual-homed configuration examples the following sections show examples of dual-homed configurations. You can use any of these configurations to dual home a map model that has two ethernet ports. Map models with one ethernet port support only the dual-homing configuration in “dual-ho...

  • Page 186

    186 Chapter 10: Configuring MAP Access Points dual-homed direct and distributed connections to wx switches figure 11 shows an example of a dual-homed configuration in which one map connection is direct and the other is distributed over the network. Figure 11 dual-homed direct and distributed con...

  • Page 187

    Map overview 187 dual-homed distributed connections to wx switches on both map ports figure 12 shows an example of a dual-homed configuration in which both map connections are distributed over the network. Figure 12 dual-homed distributed connections to wx switches on both map ports in this configur...

  • Page 188

    188 Chapter 10: Configuring MAP Access Points dual-homed distributed connections to wx switches on one map port figure 13 shows an example of a map with a single physical link to a network containing three wx switches. Figure 13 single-homed connection to multiple wx switches on one map port in ...

  • Page 189

    Map overview 189 boot process for distributed maps when a distributed map boots on the network, it uses the process described in this section. Note that this process applies only to distributed maps; it does not apply to a directly connected map. The boot process for a directly connected map occurs ...

  • Page 190

    190 Chapter 10: Configuring MAP Access Points static ip address configuration for distributed maps in cases where dhcp is not available, you can manually assign ip address information to a distributed map. This information is configured through the cli. You can configure the following informatio...

  • Page 191

    Map overview 191 if no wx switches reply, the map repeatedly resends the find wx messages. If no wx switches reply, the process continues with step 3. 2 if no ip addresses or hostnames were specified in the option 43 field of the dhcp offer message, the map sends a find wx message to udp port 5000 o...

  • Page 192

    192 Chapter 10: Configuring MAP Access Points if only wlan-switch is defined in dns, the map sends a unicast find wx message to the wx switch whose ip address is returned for wlan-switch. If both 3com and wlan-switch are defined in dns, the map sends a unicast find wx message to the wx switch wh...

  • Page 193

    Map overview 193 how a distributed map contacts a wx switch (statically configured address) when configuring a distributed map with static ip information, you can specify the following information: a ip address, subnet mask, default gateway router, and whether the configured static ip address inform...

  • Page 194

    194 Chapter 10: Configuring MAP Access Points if there is no response to the broadcast find wx message, the wx continues broadcasting the find wx message for a period of time. If still no response is received, then the process skips to step 4 on page 191. 3 if items a and c are specified, the ma...

  • Page 195

    Map overview 195 loading and activating an operational image a map’s operational image is the software that allows it to function on the network as a wireless access point. As part of the map boot process, an operational image is loaded into the map’s ram and activated. The map stores copies of its ...

  • Page 196

    196 Chapter 10: Configuring MAP Access Points figure 15 on page 198 shows an example of the boot process for a map connected through a layer 3 network. Figure 16 on page 200 shows an example of the boot process for a dual-homed map that has one direct connection to a wx switch and an indirect co...

  • Page 197

    Map overview 197 1 the map sends a dhcp discover message from the map port 1. 2 dhcp server receives the discover message (through a relay agent) and replies with a dhcp offer message containing ip address for the map, the router ip address for the map ip subnet, the dns server address, and the doma...

  • Page 198

    198 Chapter 10: Configuring MAP Access Points example map boot over layer 3 network figure 15 shows an example of the boot process for a map connected through a layer 3 network. Figure 15 map booting over layer 3 network 1 the map sends dhcp discover message from the map’s port 1. 2 the dhcp ser...

  • Page 199

    Map overview 199 5 the dns server sends the system ip address of the wx switch mapped to 3com.example.com. In this example, the address is for wx1. 6 the map sends a unicast find wx message to wx1. 7 wx1 receives the find wx message and compares the bias settings on each wx for the map. More than on...

  • Page 200

    200 Chapter 10: Configuring MAP Access Points example boot of dual-homed map figure 16 shows an example of the boot process for a map that is dual homed with a direct connection to wx1 and an indirect connection to wx2 and wx3. In this configuration, since the map is directly connected to a wx s...

  • Page 201

    Map overview 201 1 map sends a dhcp discover message from the map’s port 1. 2 because wx1 is configured for direct attachment, wx1 responds privately to the map and provides the map with its operational image (or indicates that the map should use a locally stored image) and configuration from wx1. O...

  • Page 202

    202 Chapter 10: Configuring MAP Access Points after the map is configured with the above information, the next time the map boots, the following takes place: 1 the map sends an arp request for its own address, to ensure it is not in use elsewhere in the network. 2 the dns server resolves the ful...

  • Page 203

    Map overview 203 auth-fallthru web-auth uses webaaa for users who do not match an 802.1x or mac authentication rule for the ssid requested by the user. Auth-psk disable does not support using a preshared key (psk) to authenticate wpa clients. Beacon enable sends beacons to advertise the ssid managed...

  • Page 204

    204 Chapter 10: Configuring MAP Access Points keep-initial-vlan disable reassigns the user to a vlan after roaming, instead of leaving the roamed user on the vlan assigned by the switch where the user logged on. Note: enabling this option does not retain the user’s initial vlan assignment in all...

  • Page 205

    tkip-mc-time 60000: uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds. transmit-rates: 802.11a: mandatory: 6.0,12.0,24.0; beacon-rate: 6.0; multicast-rate: auto; disabled: none. 802.11b: mandatory: 1.0,2.0; beacon-rate: 2....

  • Page 206

    (To configure a service profile, see “Configuring a Service Profile” on page 233.) web-portal-acl portalacl: Note: this is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured. I...

  • Page 207

    Public and private SSIDs: Each radio can support the following types of SSIDs: Encrypted SSID — clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network. Clear SSID — clients using this SSID do not use encryption. Use the clear...

  • Page 208

    Radios and SSIDs (AP2750): The radio MAC address equals the MAP base MAC address. The BSSIDs for the SSIDs configured on the radio end in even numbers. The first BSSID is equal to the MAP’s base MAC address. The next BSSID is equal to the MAP’s base MAC...

  • Page 209

    Encryption: Encrypted SSIDs can use the following encryption methods: Wi-Fi Protected Access (WPA); non-WPA dynamic Wired Equivalent Privacy (WEP); non-WPA static WEP. Dynamic WEP is enabled by default. (For more information, including configuration instructions, see Chapter 13, “Config...

  • Page 210

    (To configure a radio profile, see “Configuring a Radio Profile” on page 240.) frag-threshold 2346: uses the short-retry-count for frames shorter than 2346 bytes and uses the long-retry-count for frames that are 2346 bytes or longer. max-rx-lifetime 2...

  • Page 211

    RF Auto-Tuning: The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. RF Auto-Tuning can perform the following tasks: assign initial channel and power settings when a MAP radio is started; periodically assess ...

  • Page 212

    Although these parameters have default values, 3Com recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the...

  • Page 213

    Configuring MAPs: To configure MAPs, perform the following tasks, in this order: Specify the country of operation. (See “Specifying the Country of Operation” on page 213.) Configure an Auto-AP profile for automatic configuration of Distributed MAPs. (See “Configuring an Auto-AP P...

  • Page 214

    Table 14: Country Codes (country, code): Algeria DZ; Argentina AR; Australia AU; Austria AT; Bahrain BH; Belgium BE; Belize BZ; Bolivia BO; Bosnia and Herzegovina BA; Brazil BR; Bulgaria BG; Canada CA; Chile CL; China CN; Colombia CO; Costa Rica CR; Cote d’Ivoire CI; Croa...

  • Page 215

    Honduras HN; Hong Kong HK; Hungary HU; Iceland IS; India IN; Indonesia ID; Ireland IE; Israel IL; Italy IT; Jamaica JM; Japan JP; Jordan JO; Kazakhstan KZ; Kenya KE; Kuwait KW; Latvia LV; Lebanon LB; Liechtenstein LI; Lithuania LT; Luxembourg LU; Macedonia, Former Yugoslav Republic of MK; Malaysia M...

  • Page 216

    Oman OM; Pakistan PK; Panama PA; Paraguay PY; Peru PE; Philippines PH; Poland PL; Portugal PT; Puerto Rico PR; Qatar QA; Romania RO; Russia RU; Saudi Arabia SA; Serbia CS; Singapore SG; Slovakia SK; Slovenia SI; South Africa ZA; South Korea KR; Spain ES; Sri Lanka LK; Sw...

  • Page 217

    The current software version might not support all of the countries listed here. To verify the configuration change, use the following command: display system. The following commands set the country code to US (United States) and verify the setting: WX1200# set system countrycode...

  • Page 218

    Configuring an Auto-AP Profile for Automatic MAP Configuration: You can use an Auto-AP profile to deploy unconfigured Distributed MAPs. A Distributed MAP that does not have a configuration on a WX switch can receive its configuration from the Auto-AP ...

  • Page 219

    For example, suppose the Mobility Domain has two WX switches, with the capacities and loads listed in Table 15. For WX1200 A: the number of MAPs that can be configured on the switch, minus the number that are configured, is 30 - 25 = 5. The number of MAPs that can be active on t...

  • Page 220

    The disconnected MAP can then begin the boot process again to find another WX switch that has an Auto-AP profile. When the MAP is disconnected, the MAP clients experience a service disruption, and will attempt to associate with another MAP if availab...

  • Page 221

    MAPs that receive their configurations from the Auto-AP profile also receive the radio settings from the radio profile used by the Auto-AP profile. Likewise, the SSIDs and encryption settings come from the service profiles mapped to the radio profile. To use a radio profile othe...

  • Page 223

    Displaying Status Information for MAPs Configured by the Auto-AP Profile: To display status information for MAPs configured by the Auto-AP profile, type the following command: WX# display ap status auto ap: 7, ap model: ap3750, manufacturer 3com, name: map07 =====================...

  • Page 224

    The MAP continues to operate without interruption after you enter the set ap auto persistent command. The next time the MAP is restarted, the Auto-AP profile is not used to configure the MAP. Instead, the persistent configuration is used. (Use the sa...

  • Page 225

    To configure a MAP model MP-372 with serial-id 0322199999, type the following command: WX# set ap 1 serial-id 0322199999 model mp-372 success: change accepted. (To specify the external antenna type, use the set ap radio antennatype command. See “Configuring the External Antenna ...

  • Page 227

    The following command configures Distributed MAP 1 to use VLAN tag 100: WX1200# set ap 1 boot-vlan vlan-tag 100 mode enable success: change accepted. Clearing a MAP from the Configuration: To clear MAP settings from a port, use the following command: When you clear a MAP, MSS end...

  • Page 228

    The default bias is high. To change the bias for a Distributed MAP to low, type the following command: WX# set ap 1 bias low success: change accepted. Disabling or Reenabling Automatic Firmware Upgrades: A MAP can automatically upgrade its boot firmwa...

  • Page 229

    The MAP loads its local image only if the WX is running MSS Version 5.0 or later and does not have a newer MAP image than the one in the MAP’s local storage. If the switch is not running MSS Version 5.0 or later, or the WX has a newer version of the MAP image than the version in...

  • Page 230

    The maximum transmission unit (MTU) for encrypted MAP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WX switch and Distributed MAP can ...

  • Page 231

    Table 18 lists the MAP security options and whether a MAP can establish a management session with a WX based on the option settings. Verifying a MAP Fingerprint on a WX Switch: To verify a MAP fingerprint, find the fingerprint and use the set ap fingerprint command to enter the f...

  • Page 232

    bssid2: 00:0b:0e:0a:60:02, ssid: 3com radio 2 type: 802.11a, state: configure succeed [enabled] operational channel: 48 operational power: 11 base mac: 00:0b:0e:0a:60:01 bssid1: 00:0b:0e:0a:60:01, ssid: public bssid2: 00:0b:0e:0a:60:03, ssid: 3com th...

  • Page 233

    Fingerprint Log Message: If MAP encryption is optional, and a MAP whose fingerprint has not been verified in MSS establishes a management session with the WX, MSS generates a log message such as the following: ap-hs:(secure optional)configure ap m9de48b012f00 with fingerprint c6:...

  • Page 234

    You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string. The following command configures a service pro...

  • Page 235

    SSIDs are beaconed by default. A MAP radio responds to an 802.11 probe any request only for a beaconed SSID. A client that sends a probe any request receives a separate response for each of the beaconed SSIDs supported by a radio. For a nonbeaconed SSID, radios respond only to d...

  • Page 236

    Table 19: Transmit Rates (parameter, default value, description): mandatory (default 11a: 6.0,12.0,24.0; 11b: 1.0,2.0; 11g: 1.0,2.0,5.5,11.0): set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. A client ...

  • Page 238

    Data rate enforcement is useful if you want to completely prevent clients from transmitting at disabled data rates. For example, you can disable slower data rates so that clients transmitting at these rates do not consume bandwidth on the channel at ...

  • Page 239

    Responding to keepalive messages requires power use by a client. If you need to conserve power on the client (for example, on a VoIP handset), you can disable idle-client probing. To disable or reenable idle-client probing, use the following command: set service-profile name idl...

  • Page 240

    To change the short retry threshold for service profile sp1 to 3, type the following command: WX1200# set service-profile sp1 short-retry 3 success: change accepted. Changing the Long Retry Threshold: The long retry threshold specifies the number of t...

  • Page 242

    Changing the DTIM Interval: The DTIM interval specifies the number of times after every beacon that a radio sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request the...

  • Page 243

    To change the RTS threshold, use the following command: set radio-profile name rts-threshold threshold. The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346. To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command...

  • Page 244

    Changing the Maximum Transmit Threshold: The maximum transmission threshold specifies the number of milliseconds a frame scheduled to be transmitted by a radio can remain in buffer memory. To change the maximum transmit lifetime, use the following com...

  • Page 246

    You must disable all radios that are using a radio profile before you can remove the profile. (See “Disabling or Reenabling All Radios Using a Profile” on page 250.) To disable the radios that are using radio profile rptest and remove the profile, ty...

  • Page 247

    The maximum transmit power you can configure on any 3Com radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower. To configure the 802.11b radio on port 1 for channel 1 with a transmit power of 10 dBm...

  • Page 248

    Table 21 lists the external antenna models you can use with these MAPs. Table 22 lists the external antenna models you can use with the MP-620. Specifying the External Antenna Model: To specify the external antenna model, use the following command: se...

  • Page 249

    To configure antenna model ANT1060 for an MP-262 on MAP 1, type the following command: WX1200# set ap 1 radio 1 antennatype ant1060 success: change accepted. Specifying the External Antenna Location: In some cases, the set of valid channels for a radio differs depending on whethe...

  • Page 250

    To disable radio 1 on port 6 without disabling the other radios using radio profile rp1, type the following command: WX1200# set ap 6 radio 1 radio-profile rp1 mode disable (To disable or reenable all radios that are using a radio profile, see “Disab...

  • Page 252

    Configuring Local Packet Switching on MAPs: MAPs can be configured to perform local packet switching. Local packet switching allows packets to be switched directly from the MAP to the wired network, instead of passing through an intermediate WX switch...

  • Page 253

    Configuring Local Switching: Configuring a MAP to perform local switching consists of the following tasks: configuring a VLAN profile for the MAP, which specifies the VLANs that are to be locally switched; enabling local switching on the MAP; applying the ...

  • Page 254

    To enable local switching for MAP 7, type the following command: WX# set ap 7 local-switching mode enable success: change accepted. Applying a VLAN Profile to a MAP: To apply a VLAN profile to a MAP to use with local switching, use the following comma...

  • Page 255

    To clear the VLAN profile that had been applied to MAP 7, type the following command: WX# clear ap 7 local-switching vlan-profile success: change accepted. Removing a VLAN Profile from the WX Switch: To remove a VLAN profile or individual entries from a ...

  • Page 256

    Displaying MAP Information: You can display the following MAP information: MAP and radio-specific configuration settings; connection information for Distributed MAPs configured on a WX; list of Distributed MAPs that are not configured on a WX; connection...

  • Page 257

    force-rebalance: no, radio 2: type: 802.11a, mode: disabled, channel: dynamic tx pwr: 17, profile: default auto-tune max-power: default, load-balance-group: , load-balance-enable: yes, force-rebalance: no, local-switching: enabled, vlan-profile: locals (For information...

  • Page 258

    This command indicates that the Mobility Domain contains four Distributed MAPs, with serial IDs m9de48b012f00, m9de48b123400, m9de48b123600, and m9de48b123700. Each MAP is configured on two WX switches, with system IP addresses 10.3.8.111 and 10.4.3....

  • Page 259

    The WX does not need to be the one that booted the MAP, but it must have the MAP in its configuration. Also, the WX that booted the MAP must be in the same Mobility Domain as the WX where you use the command. Displaying Service Profile Information: To display service pr...

  • Page 261

    The following command displays the status of a Distributed MAP: WX# display ap status 1 ap: 7, ap model: ap3750, manufacturer 3com, name: map07 ==================================================== state: operational (not encrypt) cpu info: ibm:ppc speed=266666664 hz ve...

  • Page 262

    dns ip: mesh ssid: mesh psk: (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying MAP Statistics Counters: To display MAP statistics counters, use the following commands: display ap...

  • Page 263

    (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) To display statistics counters and other information for individual user sessions, use the display sessions network command. (For information, see Chapter 2...

  • Page 264

    (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying the Forwarding Database for a MAP: To display the entries in a specified MAP forwarding database, use the following command: di...

  • Page 265

    4 green local 1 4 radio_1 23 5 yellow tunnel wx_tun 5 radio_1 24 (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) Displaying ACL Information for a MAP: When a MAP is configured to perform local switching, y...

  • Page 266

    To display a summary of the security ACLs mapped on MAP 7, type the following command: WX# display ap acl map 7 acl type class mapping ---------------------------- ---- ------ ------- acl_123 ip static in acl_133 ip static in acl_124 ip static (For i...

  • Page 267: Configuring

    11 Configuring RF Load Balancing for MAPs. This section describes the following configuration tasks: disabling or re-enabling RF load balancing; assigning radios to load balancing groups; specifying band preference for RF load balancing; setting strictness for RF load balancing; exempting an SSID fro...

  • Page 268

    MSS balances the client load by adjusting how MAPs are perceived by clients. As the relative capacity of a MAP handling new clients falls relative to other MAPs in the area, MSS makes the MAP more difficult for potential new clients to dete...

  • Page 269

    Assigning Radios to Load Balancing Groups: Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping c...

  • Page 270

    Setting Strictness for RF Load Balancing: To perform RF load balancing, MSS makes MAP radios with heavy client loads less visible to new clients, causing them to associate with MAP radios that have a lighter load. You can optionally specify ...

  • Page 271

    Exempting an SSID from RF Load Balancing: By default, RF load balancing is applied to client sessions for all SSIDs. To specifically exempt an SSID from load balancing, use the following command: set service-profile service-profile-name load-balancing-exem...

  • Page 273: Configuring

    12 Configuring WLAN Mesh Services. This section describes how to configure the WLAN mesh services. WLAN Mesh Services Overview: WLAN mesh services allow a MAP to provide wireless services to clients without having a wired interface on the MAP. Instead of a wired interface, there is a radio link to ...

  • Page 274

    In the illustration, a client is associated with a Mesh AP, which is a MAP without a wired interface to the network. The Mesh AP is configured to communicate with a Mesh Portal AP, a MAP with wired connectivity to a WX switch. Communication between ...

  • Page 275

    Configuring the Mesh AP: Before a Mesh AP can be installed in a location untethered from the network, it must be preconfigured for mesh services, including the mesh services SSID and the pre-shared key that is used for establishing the connection between the Mesh A...

  • Page 276

    Configuring the Service Profile for Mesh Services: You configure the Mesh Portal AP to beacon the mesh services SSID. To do this, create a service profile and enable mesh services using the following commands: set service-profile mesh-service-profile...

  • Page 277

    Enabling Link Calibration Packets on the Mesh Portal MAP: A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled o...

  • Page 278

    Configuring Wireless Bridging: You can use WLAN mesh services in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. Configuring a wireless bridge to connect two sites provides an alternative to ins...

  • Page 279

    When wireless bridging is enabled for a service profile, the MAPs with the applied service profile serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service profile, the Mesh Portal AP automatically configures the Mesh A...

  • Page 280

    radio 2 type: 802.11a, state: configure succeed [enabled] operational channel: 36 operational power: 17 bssid1: 00:0b:0e:fd:fd:cd, ssid: mesh-ssid (mesh). The display mesh links command displays information about the links a MAP has to Mesh APs and M...

  • Page 281: Configuring

    13 Configuring User Encryption. Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN. Overview: MSS supports the following types of encryption for wireless user traffic: 80...

  • Page 282

    You can configure an SSID to support any combination of WPA, RSN, and non-WPA clients. For example, a radio can simultaneously use Temporal Key Integrity Protocol (TKIP) encryption for WPA clients and WEP encryption for non-WPA clients. The SSID type m...

  • Page 283

    Figure 20 shows the client support when the default encryption settings are used. A radio using the default encryption settings encrypts traffic for non-WPA dynamic WEP clients but not for WPA clients or static WEP clients. The radio disassociates from these other clients. Figure 20: Def...

  • Page 284

    Configuring WPA: Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on the 802.11i standard....

  • Page 285

    Figure 21 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients. Figure 21: WPA encryption with TKIP only encry...

  • Page 286

    Figure 22 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients. The r...

  • Page 287

    TKIP Countermeasures: WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering. If the r...

  • Page 288

    WPA Authentication Methods: You can configure an SSID to support one or both of the following authentication methods for WPA clients: 802.1X — the MAP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then us...

  • Page 289

    Probe response (sent by a MAP radio) — the WPA IE in a probe response frame lists the same WPA information that is contained in the beacon frame. Association request or reassociation (sent by a client) — the WPA IE in an association request lists the authentication method and cip...

  • Page 290

    Table 24 lists the encryption support for WPA and non-WPA clients. Configuring WPA: To configure MAP radios to support WPA: 1 Create a service profile for each SSID that will support WPA clients. 2 Enable the WPA IE in the service profile. 3 Enable the ...

  • Page 291

    Creating a Service Profile for WPA: Encryption parameters apply to all users who use the SSID configured by a service profile. To create a service profile, use the following command: set service-profile name. To create a new service profile named wpa, type the following command: WX...

  • Page 292

    After you type this command, the service profile supports TKIP and 40-bit WEP. Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide WEP for XP clients, leave WPA disabled and see “Configuring WEP” on page 299. C...

  • Page 293

    The passphrase must be from 8 to 63 characters long, including blanks. If you use blanks, you must enclose the string in quotation marks. To configure service profile wpa to use passphrase 1234567890123?=+&% the quick brown fox jumps over the lazy sl, type the following command: ...

  • Page 295

    Assigning the Service Profile to Radios and Enabling the Radios: After you configure WPA settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings. To map a service profile ...

  • Page 296

    Configuring RSN (802.11i): Robust Security Network (RSN) provides 802.11i support. RSN uses AES encryption. You can configure a service profile to support RSN clients exclusively, or to support RSN with WPA clients, or even RSN, WPA and WEP clients. The...

  • Page 297

    Specifying the RSN Cipher Suites: To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites: CCMP, TKIP, 40-bit WEP, 104-bit WEP. By default, TKIP is enabled and the other cipher suites are disabled. To enable or disable...

  • Page 298

    Changing the TKIP Countermeasures Timer Value: To change the TKIP countermeasures timer, see “Changing the TKIP Countermeasures Timer Value” on page 298. The procedure is the same for WPA and RSN. Enabling PSK Authentication: To enable PSK authentication...

  • Page 299

    Configuring WEP: Wired-Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame’s cyclic redundancy check (CRC)...

  • Page 300

    Figure 23 shows an example of a radio configured to provide static and dynamic WEP encryption for non-WPA clients. The radio uses dynamically generated keys to encrypt traffic for dynamic WEP clients. The radio also encrypts traffic for static WEP clie...

  • Page 301

    Setting Static WEP Key Values: MSS supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast fram...

  • Page 302

    To configure an SSID that uses service profile wepsrvc4 to use WEP key index 4 for encrypting unicast traffic, type the following command: WX1200# set service-profile wepsrvc4 wep active-unicast-index 4 success: change accepted. Encryption Configuratio...

  • Page 303

    WX1200# display service-profile sp1 ssid-name: mycorp ssid-type: crypto beacon: yes proxy arp: no dhcp restrict: no no broadcast: no short retry limit: 5 long retry limit: 5 auth fallthru: none sygate on-demand (soda): no enforce soda checks: yes soda remediati...

  • Page 304

    force-image download: yes radio 1: type: 802.11g, mode: enabled, channel: 6 tx pwr: 1, profile: rp1 auto-tune max-power: default radio 2: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp1 auto-tune max-power: default. 8 Save the configur...

  • Page 305

    TKIP is already enabled by default when WPA is enabled. 6 Display the service profile wpa-wep to verify the changes. Type the following command: WX1200# display service-profile sp1 ssid-name: mycorp ssid-type: crypto beacon: yes proxy arp: no dhcp restrict: no ...

  • Page 306

    auto-tune max-power: default port 6: ap model: mp-252, poe: enable, bias: high, name: map11 boot-download-enable: yes force-image-download: yes radio 1: type: 802.11g, mode: enabled, channel: 6 tx pwr: 1, profile: rp2 auto-tune max-power: default port ...

  • Page 307

    4 Verify the AAA configuration changes. Type the following command: WX1200# display aaa default values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) radius servers server addr ports t/o tries dead state ...

  • Page 308

    10 Configure a passphrase for the preshared key. Type the following command: WX1200# set service-profile wpa-wep-for-mac psk-phrase "passphrase to convert into a preshared key" success: change accepted. 11 Display the WPA configuration changes. Type th...

  • Page 309

    WX1200# display ap config port 4: ap model: mp-241, poe: enable, bias: high, name: map04 boot-download-enable: yes force-image-download: yes radio 1: type: 802.11a, mode: enabled, channel: 36 tx pwr: 1, profile: rp3 auto-tune max-power: default port 6: ap model...

  • Page 311: Configuring

    14 Configuring RF Auto-Tuning. The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. Overview: RF Auto-Tuning can perform the following tasks: assign initial channel and power settings when a MAP radio is started; periodica...

  • Page 312

    During radio operation, MSS periodically reevaluates the channel and changes it if needed. (See “Channel Tuning” on page 313.) Initial power assignment—the MAP sets a radio’s initial power level to the maximum value allowed for the country code (regula...

  • Page 313

    Power Tuning: By default, the switch evaluates the scan results for possible power changes every 300 seconds (5 minutes), and raises or lowers the power level if needed. If RF Auto-Tuning determines that a power change is needed on a radio, MSS ramps the power up or down until the new po...

  • Page 314

    314 Chapter 14: Configuring RF Auto-Tuning A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change...

  • Page 315

    Overview 315 channel-holddown 900 MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes. channel-lockdown disabled MSS continues to dynamically change channels if needed based on network conditions. power-config disable MSS uses the highest power level allowe...

  • Page 316

    316 Chapter 14: Configuring RF Auto-Tuning Changing RF Auto-Tuning Settings You can change the following RF Auto-Tuning settings: channel tuning, power tuning, minimum transport data rate. Selecting Available Channels on the 802.11a Radio You can configure the 802.11a radio on a MAP to allow certa...

  • Page 317

    Changing RF Auto-Tuning Settings 317 Changing the Channel Tuning Interval The default channel tuning interval is 3600 seconds. You can change the interval to a value from 0 to 65535 seconds. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, r...

  • Page 318

    318 Chapter 14: Configuring RF Auto-Tuning Changing the Power Tuning Interval The default power tuning interval is 600 seconds. You can change the interval to a value from 1 to 65535 seconds. To change the power tuning interval, use the following command: set radio-profile name auto-tune power-...

  • Page 321

    Displaying RF Auto-Tuning Information 321 To display neighbor information for radio 1 on the directly connected MAP on port 2, type the following command: WX1200# display auto-tune neighbors ap 2 radio 1 total number of entries for port 2 radio 1: 5 channel neighbor bss/mac rssi ------- ------------...

  • Page 323: Configuring

    15 Configuring MAPs to be AeroScout Listeners AeroScout RFID tags are wireless transmitters that you can place on assets such as office equipment to track the equipment’s location. Each tag regularly transmits its unique ID. AeroScout listeners detect the transmissions from the RFID tags and...

  • Page 324

    324 Chapter 15: Configuring MAPs to be AeroScout Listeners Configuring MAP Radios to Listen for AeroScout RFID Tags To configure MAP radios to listen for AeroScout RFID tags: Configure a service profile for the AeroScout listeners and set the SSID type to clear (unencrypted). Configure a ra...

  • Page 325

    Locating an RFID Tag 325 WX1200# set ap 69 radio 1 channel 7 success: change accepted. WX1200# set ap 67 radio 1 radio-profile rfid-listeners mode enable success: change accepted. WX1200# set ap 68 radio 1 radio-profile rfid-listeners mode enable success: change accepted. WX1200# set ap 69 radio 1 r...

  • Page 326

    326 Chapter 15: Configuring MAPs to be AeroScout Listeners 1 Connect to 3Com Wireless Switch Manager Services (the server) and open the network plan that contains the site information. 2 Select the Monitor tool bar option (at the top of the main 3Com Wireless Switch Manager window). The Mon...

  • Page 327: Configuring

    16 Configuring Quality of Service This chapter describes the Quality of Service (QoS) features supported in MSS and how to configure and manage them. About QoS MSS supports Layer 2 and Layer 3 classification and marking of traffic, and optimized forwarding of wireless traffic for time-sensitive a...

  • Page 328

    328 Chapter 16: Configuring Quality of Service QoS parameters configured in service profiles: CAC mode Call Admission Control, which regulates addition of new VoIP sessions on MAP radios. One of the following modes can be enabled: none (the default), session-based. set service-profile cac-mode See ...

  • Page 329

    About QoS 329 Transmit rates Data transmission rates supported by each radio type. The following categories are specified: beacon, multicast, mandatory (a client must support at least one of these rates to associate), disabled, standard (valid rates that are not disabled and are not mandatory). Defaults:...

  • Page 330

    330 Chapter 16: Configuring Quality of Service QoS Mode MSS supports Layer 2 and Layer 3 classification and marking of traffic, to help provide end-to-end QoS throughout the network. The following modes of QoS are supported: Wi-Fi Multimedia (WMM)—provides wireless QoS for time-sensitive applica...

  • Page 331

    WMM QoS Mode 331 The static CoS option enables you to easily set CoS for all traffic on an SSID by marking all the SSID’s traffic with the same CoS value. You can use ACLs to override CoS markings or set CoS for non-WMM traffic. The following sections describe each of these options. WMM QoS Mode WX ...

  • Page 332

    332 Chapter 16: Configuring Quality of Service Figure 24 QoS on WX switches—classification of ingress packets (flowchart: WX receives packet; is the 802.1p value not 0? is the DSCP value not 0? set packet CoS 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7 based on 802.1p; look up CoS...)

  • Page 333

    WMM QoS Mode 333 Figure 25 QoS on WX switches—marking of egress packets (flowchart: has WX classified the ingress packet with a CoS value? does the egress interface have an 802.1Q VLAN tag? is the egress interface an IP tunnel? mark 802.1p 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7; transmit packet; do not m...)

  • Page 334

    334 Chapter 16: Configuring Quality of Service Figure 26 QoS on MAPs—classification and marking of packets from clients to WX (flowchart: MAP receives packet from client; set packet CoS 1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7 based on 802.11 service type; set tunnel’s IP ToS to 802.1p value; look u...)

  • Page 335

    WMM QoS Mode 335 Figure 27 QoS on MAPs—classification and marking of packets from WX to clients (flowchart: MAP receives packet from WX; map CoS value to MAP forwarding queue: 0 or 3 -> background, 1 or 2 -> best effort, 4...) The following sections describe in more detail how the WMM QoS mode works on WX switches and MAPs.

  • Page 336

    336 Chapter 16: Configuring Quality of Service WMM QoS on the WX Switch MSS performs classification on ingress to determine a packet’s CoS value. This CoS value is used to mark the packet at the egress interface. The classification and marking performed by the switch depend on whether the ingres...

  • Page 337

    WMM QoS Mode 337 You also can use ACLs to override marking for specific packets. Configure ACEs that use the dscp option to match on ingress DSCP value, and use the cos option to mark CoS. A CoS value assigned by an ACE overrides the internal CoS value. (For information, see “Using ACLs to Change Co...

  • Page 338

    338 Chapter 16: Configuring Quality of Service (To display a MAP’s CoS mappings and queue usage statistics, see “Displaying MAP Forwarding Queue Statistics” on page 349.) Figure 28 shows an example of end-to-end QoS in a 3Com network. In this example, voice traffic is prioritized based on WMM. T...

  • Page 339

    WMM QoS Mode 339 The MAP encapsulates the data in an IP tunnel packet, and marks the DSCP value in the tunnel header based on the internal CoS value. In this example, the MAP maps internal CoS 7 to DSCP 56 and marks the IP tunnel header’s DSCP field with value 56. The MAP then sends the packet to th...

  • Page 340

    340 Chapter 16: Configuring Quality of Service In this example, the MAP places the packet in the voice forwarding queue. The voice queue has statistically more access to the air than the other queues, so the user’s voice traffic receives priority treatment. SVP QoS Mode The SVP QoS mode optimize...

  • Page 341

    WMM QoS Mode 341 Broadcast Control You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features: Proxy ARP—WX responds on behalf of wireless clients to ARP requests for their IP addresses. DHCP Restrict—WX captures and does not forward any traffic excep...

  • Page 342

    342 Chapter 16: Configuring Quality of Service Changing QoS Settings You can change the settings of the following QoS options: QoS mode; U-APSD support; CAC state and maximum number of sessions; broadcast control; static CoS state and CoS value; DSCP-CoS mappings; using client DSCP value to classify Q...

  • Page 343

    Changing QoS Settings 343 Configuring Call Admission Control To configure CAC for an SSID, enable the feature on the SSID’s service profile. When enabled, CAC limits the number of active sessions a radio can have to 14 by default. You can change the maximum number of sessions to a value from 0 to 10...

  • Page 344

    344 Chapter 16: Configuring Quality of Service For example, to configure static CoS 7 for service profile sp1, use the following commands: WX1200# set service-profile sp1 static-cos enable success: change accepted. WX1200# set service-profile sp1 cos 7 success: change accepted. Changing CoS Mapp...

  • Page 346

    346 Chapter 16: Configuring Quality of Service tune power interval: 600 channel holddown: 300 power backoff timer: 10 countermeasures: none active-scan: yes qos mode: wmm service profiles: sp1 In this example, the QoS mode is WMM. (For more information about this command’s output, see the “MAP C...

  • Page 347

    Displaying QoS Information 347 Configuration information for some settings appears in other chapters. To configure transmit rates, or the long or short retry, see “Configuring a Service Profile” on page 233. To configure the user-idle timeout and idle-client probing, see “Displaying and Changing Net...

  • Page 348

    348 Chapter 16: Configuring Quality of Service (continuation of the ingress DSCP-to-CoS map, ten DSCP values per row) DSCP 40-49: 5 5 5 5 5 5 5 5 6 6; DSCP 50-59: 6 6 6 6 6 6 7 7 7 7; DSCP 60-63: 7 7 7 7. Egress QoS marking map (CoS-to-DSCP): CoS level 0 1 2 3 4 5 6 7 maps to egress DSCP 0 8 16 24 32 40 48 56. Egress...

  • Page 349

    Displaying QoS Information 349 Displaying the DSCP Table To display the standard mappings of DSCP, ToS, and precedence values, use the following command: WX1200# display qos dscp-table dscp tos precedence tos dec hex dec hex ----------------------------------------------- 0 0x00 0 0x00 0 0 1 0x01 4 ...

  • Page 351: Configuring

    17 Configuring and Managing Spanning Tree Protocol The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths. Overview Mobility System Software (MSS)...

  • Page 353

    Changing Standard Spanning Tree Parameters 353 Port Cost Port cost is a numeric value that STP adds to the total cost of a path to the root bridge. When a designated bridge has multiple equal-cost paths to the root bridge, the designated bridge uses the path with the lowest total cost. You can set t...

  • Page 354

    354 Chapter 17: Configuring and Managing Spanning Tree Protocol To change the bridge priority of VLAN pink to 69, type the following command: WX1200# set spantree priority 69 vlan pink success: change accepted. Changing STP Port Parameters You can change the STP cost and priority of an individ...

  • Page 355

    Changing Standard Spanning Tree Parameters 355 The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command: WX1200# clear spantree portcost 3-4 success: chan...

  • Page 357

    Changing Standard Spanning Tree Parameters 357 The command applies only to the ports you specify. The port cost on other ports remains unchanged. Changing Spanning Tree Timers You can change the following STP timers: Hello interval — the interval between configuration messages sent by a WX switch wh...

  • Page 358

    358 Chapter 17: Configuring and Managing Spanning Tree Protocol The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the forwarding delay on VLAN pink to 20 seconds, type the following command: WX1200# set spantree fwddelay 20 vlan pink success: ...

  • Page 359

    Configuring and Managing STP Fast Convergence Features 359 Backbone Fast Convergence Backbone fast convergence accelerates a port’s recovery following the failure of an indirect link. Normally, when a forwarding link fails, a bridge that is not directly connected to the link does not detect the link...

  • Page 360

    360 Chapter 17: Configuring and Managing Spanning Tree Protocol Displaying Port Fast Convergence Information To display port fast convergence information, use the following command: display spantree portfast [port-list] To display port fast convergence information for all ports, type the follo...

  • Page 362

    362 Chapter 17: Configuring and Managing Spanning Tree Protocol To list only the ports that are in the active (forwarding) state, enter the active option. To display STP information for VLAN mauve, type the following command: WX1200# display spantree vlan mauve vlan 3 spanning tree mode pvst+ ...

  • Page 363

    Displaying Spanning Tree Information 363 Displaying Blocked STP Ports To display information about ports that are in the STP blocking state, use the following command: display spantree blockedports [vlan vlan-id] To display information about blocked ports on a WX switch for the default VLAN (VLAN 1)...

  • Page 364

    364 Chapter 17: Configuring and Managing Spanning Tree Protocol port based information statistics config bpdu's xmitted(port/vlan) 0 (1) config bpdu's received(port/vlan) 21825 (43649) tcn bpdu's xmitted(port/vlan) 0 (0) tcn bpdu's received(port/vlan) 2 (2) forward transition count (port/vlan)...

  • Page 365

    Spanning Tree Configuration Scenario 365 other port specific info dynamic max age transition 0 port bpdu ok count 21825 msg age expiry count 0 link loading 0 bpdu in processing false num of similar bpdu's to process 0 received_inferior_bpdu false next state 0 src mac count 21807 total src mac count ...

  • Page 366

    366 Chapter 17: Configuring and Managing Spanning Tree Protocol 7 up down auto network 10/100basetx 8 up down auto network 10/100basetx 2 Configure a backbone VLAN and verify the configuration change. Type the following commands: WX1200# set vlan 10 name backbone port 1-2 success: change accep...

  • Page 367

    Spanning Tree Configuration Scenario 367 4 Reconnect or reenable ports 21 and 22 and verify the change. Type the following commands: WX1200# set port enable 1-2 success: set "enable" on port 1-2 WX1200# display port status port name admin oper config actual type media ===============================...

  • Page 369: Configuring

    18 Configuring and Managing IGMP Snooping Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WX switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traf...

  • Page 370

    370 Chapter 18: Configuring and Managing IGMP Snooping Disabling or Reenabling Proxy Reporting Proxy reporting reduces multicast overhead by sending only one report for each active group to the multicast routers, instead of sending a separate report from each multicast receiver. For example, if ...

  • Page 371

    Changing IGMP Timers 371 Last member query interval — number of tenths of a second that the WX switch waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group. If t...

  • Page 372

    372 Chapter 18: Configuring and Managing IGMP Snooping Enabling Router Solicitation A WX switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately ...

  • Page 374

    374 Chapter 18: Configuring and Managing IGMP Snooping 237.255.255.255 5 10.10.10.13 00:02:04:06:08:0d 258 237.255.255.255 5 10.10.10.14 00:02:04:06:08:0e 258 237.255.255.255 5 10.10.10.12 00:02:04:06:08:0c 258 237.255.255.255 5 10.10.10.10 00:02:04:06:08:0a 258 querier information: querier for ...

  • Page 375

    Displaying Multicast Information 375 Displaying Multicast Queriers To display information about the multicast querier only without also displaying all the other multicast information, use the following command: display igmp querier [vlan vlan-id] To display querier information for VLAN orange, type ...

  • Page 376

    376 Chapter 18: Configuring and Managing IGMP Snooping Displaying Multicast Receivers To display information about the multicast receivers only without also displaying all the other multicast information, use the following command: display igmp receiver-table [vlan vlan-id] [group group-ip-addr/...

  • Page 377: Configuring

    19 Configuring and Managing Security ACLs A security access control list (ACL) filters packets for the purpose of discarding them, permitting them, or permitting them with modification (marking) for class-of-service (CoS) priority treatment. A typical use of security ACLs is to enable users to s...

  • Page 378

    378 Chapter 19: Configuring and Managing Security ACLs Figure 29 Setting security ACLs Security ACL Filters A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or distributed MAPs. Yo...

  • Page 379

    About Security Access Control Lists 379 The order in which ACEs are listed in an ACL is important. MSS applies ACEs that are higher in the list before ACEs lower in the list. (See “Modifying a Security ACL” on page 394.) An implicit “deny all” rule is always processed as the last ACE of an ACL. If a...

  • Page 380

    380 Chapter 19: Configuring and Managing Security ACLs Selection of User ACLs Identity-based ACLs (ACLs mapped to users) take precedence over location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or distributed MAPs). ACLs can be mapped to a user in the following ways: Location polic...

  • Page 382

    382 Chapter 19: Configuring and Managing Security ACLs Wildcard Masks When you specify source and destination IP addresses in an ACE, you must also include a mask for each in the form source-ip-addr mask and destination-ip-addr mask. The mask is a wildcard mask. The security ACL checks the bits...

  • Page 383

    Creating and Committing a Security ACL 383 MAP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide MAP forwarding prioritization by configuring ACLs. If you disable WM...

  • Page 384

    384 Chapter 19: Configuring and Managing Security ACLs Type-of-service level is 12 (minimum delay plus maximum throughput). Precedence is 7 (network control). WX1200# set security acl ip acl-3 permit icmp 192.168.1.3 0.0.0.0 192.168.1.4 0.0.0.0 type 11 code 0 precedence 7 tos 12 before 1 hits T...

  • Page 385

    Creating and Committing a Security ACL 385 Setting TCP and UDP ACLs Security ACLs can filter TCP and UDP packets by source and destination IP address, precedence, and ToS level. You can apply a TCP ACL to established TCP sessions only, not to new TCP sessions. In addition, security ACLs for TCP and ...

  • Page 386

    386 Chapter 19: Configuring and Managing Security ACLs For example, the following command permits packets sent from IP address 192.168.1.5 to 192.168.1.6 with the TCP destination port equal to 524, a precedence of 7, and a type of service of 15, on an established TCP session, and counts the num...

  • Page 387

    Creating and Committing a Security ACL 387 To specify the order of the commands, use the following parameters: before editbuffer-index inserts an ACE before a specific location. modify editbuffer-index changes an existing ACE. If the security ACL you specify when creating an ACE does not exist when ...

  • Page 388

    388 Chapter 19: Configuring and Managing Security ACLs ACLs do not take effect until you map them to something (a user, distributed MAP, VLAN, port, or virtual port). To map an ACL, see “Mapping Security ACLs” on page 390. To display the mapped ACLs, use the display security acl command, withou...

  • Page 389

    Creating and Committing a Security ACL 389 You can also view a specific security ACL. For example, to view acl-2, type the following command: WX1200# display security acl info acl-2 acl information for acl-2 set security acl ip acl-2 (hits #1 0) ---------------------------------------------------- 1...

  • Page 390

    390 Chapter 19: Configuring and Managing Security ACLs Clearing Security ACLs The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running confi...

  • Page 391

    Mapping Security ACLs 391 To map a security ACL to a user session, follow these steps: 1 Create the security ACL. For example, to filter packets coming from 192.168.253.1 and going to 192.168.253.12, type the following: WX1200# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 198.168.253....

  • Page 393

    Mapping Security ACLs 393 To display a summary of the security ACLs mapped on a MAP (in this example, MAP 7), type the following command: WX# display ap acl map 7 acl type class mapping ---------------------------- ---- ------ ------- acl_123 ip static in acl_133 ip static in acl_124 ip static clear...

  • Page 394

    394 Chapter 19: Configuring and Managing Security ACLs If you no longer need the security ACL, delete it from the configuration with the clear security acl and commit security acl commands. (See “Clearing Security ACLs” on page 390.) Modifying a Security ACL You can modify a security ACL in the...

  • Page 395

    Modifying a Security ACL 395 2 To add another ACE to the end of acl-violet, type the following command: WX1200# set security acl ip acl-violet permit 192.168.123.11 0.0.0.255 hits 3 To commit the updated security ACL acl-violet, type the following command: WX1200# commit security acl acl-violet succ...

  • Page 396

    396 Chapter 19: Configuring and Managing Security ACLs 3 To view the results, type the following command: WX1200# display security acl info acl information for all set security acl ip acl-111 (hits #4 0) ---------------------------------------------------- 1. deny ip source ip 192.168.254.12 0....

  • Page 397

    Modifying a Security ACL 397 3 To view the results, type the following command: WX1200# display security acl info acl information for all set security acl ip acl-111 (hits #4 0) ---------------------------------------------------- 1. permit ip source ip 192.168.254.12 0.0.0.0 destination ip any 2. p...

  • Page 398

    398 Chapter 19: Configuring and Managing Security ACLs 3 To view details about these uncommitted ACEs, type the following command. WX1200# display security acl info all editbuffer acl edit-buffer information for all set security acl ip acl-111 (aces 3, add 3, del 0, modified 2) ----------------...

  • Page 399

    Using ACLs to Change CoS 399 Using ACLs to Change CoS For WMM or non-WMM traffic, you can change a packet’s priority by using an ACL to change the packet’s CoS value. A CoS value assigned by an ACE overrides the CoS value assigned by the switch’s QoS map. To change CoS values using an ACL, you must ...

  • Page 400

    400 Chapter 19: Configuring and Managing Security ACLs Table 34 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the MAP forwarding queue to use for the traffic when sending it to a wireless client. Using the dscp Option The easiest way to filter ...

  • Page 401

    Enabling Prioritization for Legacy Voice over IP 401 The following commands perform the same CoS reassignment as the commands in “Using the dscp Option” on page 400. They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12), to have ...

  • Page 402

    402 Chapter 19: Configuring and Managing Security ACLs General Guidelines 3Com recommends that you follow these guidelines for any wireless VoIP implementation: Ensure end-to-end priority forwarding by making sure none of the devices that will forward voice traffic resets IP ToS or DiffServ val...

  • Page 403

    Enabling Prioritization for Legacy Voice over IP 403 If you are upgrading a switch running MSS Version 3.X to MSS Version 4.X, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, 3Com recommends that you change the ACLs to map the traffic to CoS 6 or 7. You...

  • Page 404

    404 Chapter 19: Configuring and Managing Security ACLs 3 Commit the ACL to the configuration: WX4400# commit security acl voip Enabling SVP Optimization for SpectraLink Phones SpectraLink’s Voice Interoperability for Enterprise Wireless (VIEW) certification program is designed to ensure interop...

  • Page 405

    Enabling Prioritization for Legacy Voice over IP 405 Configuring a Service Profile for RSN (WPA2) To configure a service profile for SVP phones that use RSN (WPA2): Create the service profile and add the voice SSID to it. Enable the RSN information element (IE). Disable TKIP and enable CCMP. Disable...

  • Page 406

    406 Chapter 19: Configuring and Managing Security ACLs The following commands configure a service profile called vowlan-wpa2 for RSN: WX4400# set service-profile vowlan-wpa ssid-name phones WX4400# set service-profile vowlan-wpa wpa-ie enable WX4400# set service-profile vowlan-wpa auth-dot1x di...

  • Page 407

    Enabling Prioritization for Legacy Voice over IP 407 Configuring a VLAN for Voice Clients MSS requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. MSS places the user in the authorized VLAN. Configure a VLAN for Voice Clients You can use...

  • Page 408

    408 Chapter 19: Configuring and Managing Security ACLs WX1200# set security acl ip svp permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 WX1200# set security acl ip svp permit 0.0.0.0 255.255.255.255 WX1200# set security acl map svp vlan v1 in WX1200# set security acl map svp vla...

  • Page 409

    Restricting Client-to-Client Forwarding Among IP-Only Clients 409 Setting 802.11b/g Radios to 802.11b (for Siemens SpectraLink VoIP Phones Only) If you plan to use Siemens SpectraLink Voice over IP (VoIP) phones, you must change the MAP radios that will support the phones to operate in 802.11b mode ...

  • Page 410

    410 Chapter 19: Configuring and Managing Security ACLs 3 Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to any address in the same subnet. WX1200# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255 4 Configure an ACE that permi...

  • Page 411

    Security ACL Configuration Scenario 411 4 To map acl-99 to port 6 to filter incoming packets, type the following command: WX1200# set security acl map acl-99 port 6 in mapping configuration accepted Because every security ACL includes an implicit rule denying all traffic that is not permitted, port ...

  • Page 413: Managing

    20 Managing Keys and Certificates A digital certificate is a form of electronic identification for computers. The WX switch requires digital certificates to authenticate its communications to 3Com Wireless Switch Manager and Web Manager, to WebAAA clients, and to Extensible Authentication Protoco...

  • Page 414

    414 Chapter 20: Managing Keys and Certificates Wireless Security through TLS In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WX switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. 3C...

  • Page 415

    About Keys and Certificates 415 About Keys and Certificates Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WX switch or install them on th...

  • Page 416

    416 Chapter 20: Managing Keys and Certificates Public Key Infrastructures A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptograp...

  • Page 417

    About Keys and Certificates 417 EAP certificate—used by the WX switch to authenticate itself to EAP clients. WebAAA certificate—used by the WX switch to authenticate itself to WebAAA clients, who use a web page served by a WX switch to log onto the network. Certificate authority (CA) certificates—us...

  • Page 418

    418 Chapter 20: Managing Keys and Certificates Certificates Automatically Generated by MSS The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed. MSS can a...

  • Page 419

    Creating Keys and Certificates 419 Creating Keys and Certificates Public-private key pairs and digital certificates are required for management access with 3Com Wireless Switch Manager or Web Manager, or for network access by 802.1X or WebAAA users. The digital certificates can be self-signed or sig...

  • Page 420

    420 Chapter 20: Managing Keys and Certificates Choosing the Appropriate Certificate Installation Method for Your Network Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simp...

  • Page 421

    Creating Keys and Certificates 421 Creating Public-Private Key Pairs To use a self-signed certificate or certificate signing request (CSR) certificate for WX switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command: crypto gen...

  • Page 422

    422 Chapter 20: Managing Keys and Certificates Some key lengths apply only to specific key types. For example, 128 applies only to domain keys. SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH serv...

  • Page 423

    Creating Keys and Certificates 423 Installing a Key Pair and Certificate from a PKCS #12 Object File PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see “PKCS #7, PKCS #10, and PKCS #12 Object Files” on page 417....

  • Page 424

    424 Chapter 20: Managing Keys and Certificates Creating a CSR and Installing a Certificate from a PKCS #7 Object File After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a certificate signing request (CSR) from the WX switch. A CS...

  • Page 425

    Creating Keys and Certificates 425. 2 Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI. You must paste the entire block, from the beginning -----BEGIN CERTIFICATE----- to the end -----END CERTIFICATE-----...

  • Page 427

    Key and Certificate Configuration Scenarios 427. Key and certificate configuration scenarios: the first scenario shows how to generate self-signed certificates. The second scenario shows how to install CA-signed certificates using PKCS #12 object files, and the third scenario shows how to install CA-s...

  • Page 428

    428 Chapter 20: Managing Keys and Certificates. Unstructured Name: WX in wiring closet 4 Self-signed cert for eap is WX1200# crypto generate self-signed web Country Name: US State Name: CA Locality Name: San Francisco Organizational Name: example Organizational Unit: IT Common Name: WX 6 Email Ad...

  • Page 429

    Key and Certificate Configuration Scenarios 429. WX1200# display crypto certificate web Certificate: Version: 3 Serial Number: 999 (0x3e7) Subject: C=US, ST=CA, L=pleas, O=mycorp, OU=sqa, CN=bobadmin/emailAddress=bobadmin, unstructuredName=bob Signature Algorithm: md5WithRSAEncryption Issuer: C=US, S...

  • Page 430

    430 Chapter 20: Managing Keys and Certificates. For example: WX1200# crypto otp admin sec%#6@o%c OTP set WX1200# crypto otp eap sec%#6@o%d OTP set WX1200# crypto otp web sec%#6@o%e OTP set 5 Unpack the PKCS #12 object files into the certificate and key storage area on the WX switch. Use the follo...

  • Page 431

    Key and Certificate Configuration Scenarios 431. Installing CA-signed certificates using a PKCS #10 object file (CSR) and a PKCS #7 object file: this scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) acc...

  • Page 432

    432 Chapter 20: Managing Keys and Certificates. 7 To install the administrative certificate on the WX switch, type the following command to display a prompt: WX1200# crypto certificate admin Enter PEM-encoded certificate 8 Paste the signed certificate text block into the WX switch’s CLI, below th...

  • Page 433: Configuring AAA for Network Users

    21 Configuring AAA for Network Users. The following sections describe the MSS authentication, authorization, and accounting (AAA) features in detail. About AAA for network users: network users include the following types of users: wireless users — users who access the network by associating with an...

  • Page 434

    434 Chapter 21: Configuring AAA for Network Users. Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if MSS has an authentication rule that matches on the required parameters, MSS...

  • Page 435

    About AAA for Network Users 435. SSID—if 802.1X or MAC authentication do not apply to the SSID (no 802.1X or MAC access rules are configured for the SSID), the default authorization attributes set on the SSID are applied to the user and the user is allowed onto the network. Wired authentication port—...

  • Page 436

    436 Chapter 21: Configuring AAA for Network Users. Figure 30 Authentication flowchart for network users [flowchart: client associates with MAP radio or requests access from wired authentication port; decision nodes last-resort?, Web?, None?; use fallthru authentication; yes/no branches] client reque...

  • Page 437

    About AAA for Network Users 437. SSID name “any” in authentication rules: for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or...

  • Page 438

    438 Chapter 21: Configuring AAA for Network Users. For a user to be successfully authenticated based on the MAC address of the user device, the MAC address must be configured on the RADIUS servers used by the authentication rule or in the WX local database, if the local database is used by the ru...

  • Page 439

    About AAA for Network Users 439. MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server: encryption-type — specifies the type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method ar...

  • Page 440

    440 Chapter 21: Configuring AAA for Network Users. In addition to configuring authorization attributes for users on RADIUS servers or the WX local database, you can also configure attributes within a service profile. These authorization attributes are applied to users accessing the SSID managed b...

  • Page 441

    AAA Tools for Network Users 441. Authorization for access control. Authorization provides access control by means of such mechanisms as per-user security access control lists (ACLs), VLAN membership, Mobility Domain assignment, and timeout enforcement. Because authorization is always performed on netw...

  • Page 442

    442 Chapter 21: Configuring AAA for Network Users. “Globs” and groups for network user classification: “globbing” lets you classify users by username or MAC address for different AAA treatments. A user glob is a string used by AAA and IEEE 802.1X or WebAAA methods to match a user or set of users. ...

  • Page 443

    AAA Tools for Network Users 443. You can use the local database or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as 3com. (This is the default authorization password. To change it, see “Changing the MAC Authorization Pa...

  • Page 444

    444 Chapter 21: Configuring AAA for Network Users. Remote authentication with local backup: you can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WX switch offloads all EAP processing from server groups; the ra...

  • Page 445

    AAA Tools for Network Users 445. Figure 31 shows the results of this combination of methods. Figure 31 Remote authentication with PEAP offload using local authentication as backup. Authentication proceeds as follows: 1 When user jose@example.com attempts authentication, the WX switch sends an authenti...

  • Page 446

    446 Chapter 21: Configuring AAA for Network Users. If one of the RADIUS servers in the group does respond, but it indicates that the user does not exist on the RADIUS server, or that the user is not permitted on the network, then authentication for the user fails, regardless of any additional met...

  • Page 447

    AAA Tools for Network Users 447. Ways a WX switch can use EAP: network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WX switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WX, or to offload s...

  • Page 448

    448 Chapter 21: Configuring AAA for Network Users. Effects of authentication type on encryption method: wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods: Wi-Fi Protected Access (WPA) encryption, non-WPA...

  • Page 449

    Configuring 802.1X Authentication 449. Configuring 802.1X authentication: the IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the WX switch to the RADIUS ...

  • Page 450

    450 Chapter 21: Configuring AAA for Network Users. For example, the following command authenticates all wireless users who request SSID marshes at example.com by offloading PEAP processing onto the WX switch, while still performing MS-CHAP-V2 authentication via the server group shorebirds: WX1200...

  • Page 451

    Configuring 802.1X Authentication 451. Binding user authentication to machine authentication: Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, ...

  • Page 452

    452 Chapter 21: Configuring AAA for Network Users. Authentication rule requirements: bonded authentication requires an 802.1X authentication rule for the machine itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the...

  • Page 453

    Configuring 802.1X Authentication 453. host/*.nl.mycorp.com (userglob for the machine authentication rule) *.nl.mycorp.com (userglob for the user authentication rule) host/*.de.mycorp.com (userglob for the machine authentication rule) *.de.mycorp.com (userglob for the user authentication rule) bonded...

  • Page 454

    454 Chapter 21: Configuring AAA for Network Users. Bonded Auth configuration example: to configure Bonded Auth, configure separate authentication rules for the machine and for the user(s). Set the Bonded Auth period. Verify the configuration changes. The following commands configure two 802.1X aut...

  • Page 455

    Configuring 802.1X Authentication 455. In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds. WX1200# display dot1x config 802.1X user policy ---------------------- 'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing passthru 'bob.mycorp.com' on ss...

  • Page 456

    456 Chapter 21: Configuring AAA for Network Users. Configuring authentication and authorization by MAC address: you must sometimes authenticate users based on the MAC addresses of their devices rather than a username-password or certificate. For example, some Voice-over-IP (VoIP) phones and person...

  • Page 457

    Configuring Authentication and Authorization by MAC Address 457. For example, type the following command to add MAC user 01:0f:03:04:05:06 to group macfans: WX1200# set mac-user 01:0f:03:04:05:06 group macfans success: change accepted. Clearing MAC users and groups: to clear a MAC user from a user gro...

  • Page 458

    458 Chapter 21: Configuring AAA for Network Users. If the switch’s configuration does not contain a set authentication mac command that matches a non-802.1X client’s MAC address, MSS tries MAC authentication by default. You can also glob MAC addresses. For example, the following command locally a...

  • Page 459

    Configuring Authentication and Authorization by MAC Address 459. Changing the MAC authorization password for RADIUS: when you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user’s device is extracted from frames received from the device. To...

  • Page 460

    460 Chapter 21: Configuring AAA for Network Users. Configuring Web Portal WebAAA: WebAAA simplifies secure access to unencrypted SSIDs. When a user requests access to an SSID or attempts to access a web page before logging onto the network, MSS serves a login page to the user’s browser. After the ...

  • Page 461

    Configuring Web Portal WebAAA 461. 3 The user opens a web browser. The web browser sends a DNS request for the IP address of the home page or a URL requested by the user. 4 MSS does the following: intercepts the DNS request, uses the MSS DNS proxy to obtain the URL IP address from the network DNS ser...

  • Page 462

    462 Chapter 21: Configuring AAA for Network Users. If the WX does not receive a reply to a client’s DNS request, the WX spoofs a reply to the browser by sending the WX switch’s own IP address as the resolution to the browser’s DNS query. The WX also serves the web login page. This behavior simpli...

  • Page 463

    Configuring Web Portal WebAAA 463. Here are some examples of common names in the recommended format: webaaa.login webaaa.customername.com portal.local. Here are some examples of common names that are not in the recommended format: webaaa 3com_webaaa webportal. User VLAN—an IP interface must be configur...

  • Page 464

    464 Chapter 21: Configuring AAA for Network Users. Fallthru authentication type—the fallthru authentication type for each SSID and wired authentication port that you want to support WebAAA must be set to web-portal. The default authentication type for wired authentication ports and for SSIDs is ...

  • Page 465

    Configuring Web Portal WebAAA 465. CAUTION: Without the web-portal ACL, WebAAA users will be placed on the network without any filters. CAUTION: Do not change the deny rule at the bottom of the ACL. This rule must be present and the capture option must be used with the rule. If the rule does not have...

  • Page 466

    466 Chapter 21: Configuring AAA for Network Users. To modify a WebAAA user’s access after the user is authenticated and authorized, map an ACL to the individual WebAAA user. Changes you make to the ACL mapped to the web-portal-ssid or web-portal-wired user do not affect user access after authenti...

  • Page 467

    Configuring Web Portal WebAAA 467. Configuring Web Portal WebAAA: to configure Web Portal WebAAA: 1 Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal. The default for SSIDs and for wired authentication ports is none. 2 Configure individual WebAAA use...

  • Page 468

    468 Chapter 21: Configuring AAA for Network Users. WX1200# set service-profile mycorp-srvcprof auth-fallthru web-portal success: change accepted. WX1200# set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan success: change accepted. WX1200# set service-profile mycorp-srvcprof rsn-ie ena...

  • Page 469

    Configuring Web Portal WebAAA 469. The rule does not by itself allow access to all usernames. The ** value simply makes all usernames eligible for authentication, in this case by searching the switch’s local database for the matching usernames and passwords. If a username does not match on the access...

  • Page 471

    Configuring Web Portal WebAAA 471. Using a custom login page: by default, MSS serves the 3Com login page for web login. To serve a custom page instead, do the following: 1 Copy and modify the 3Com page, or create a new page. 2 Create a subdirectory in the user files area of the WX switch’s nonvolatile...

  • Page 472

    472 Chapter 21: Configuring AAA for Network Users. MSS uses the following process to find the login page to display to a user: if the user is attempting to access an SSID and a custom page is specified in the service profile, MSS serves the custom page. If the switch nonvolatile storage has a pag...

  • Page 473

    Configuring Web Portal WebAAA 473. 5 Save the modified page. Filenames and paths for image source files must be relative to the HTML page. For example, if login page mycorp-login.html and image file mylogo.gif are located in subdirectory mycorp/, specify the image source as mylogo.gif, not mycorp/myl...

  • Page 474

    474 Chapter 21: Configuring AAA for Network Users. c Change the greeting: d Change the warning statement if desired: Warning: my corp’s warning text. e Do not change the form (delimited by the tags. The form values are required for the page to work properly. 3Com recommends using an HTML editor t...

  • Page 475

    Configuring Web Portal WebAAA 475. For the URL, specify the full path; for example, mycorp-webaaa/mycorp-login.html. If the custom login page includes *.gif or *.jpg images, their path names are interpreted relative to the directory from which the page is served. 9 Configure WebAAA users and rules as...

  • Page 476

    476 Chapter 21: Configuring AAA for Network Users. When user piltdown is successfully authenticated and authorized, MSS redirects the user to the following URL: http://myserver.com/piltdown.html The following example configures a redirect URL that contains a script argument using the literal char...

  • Page 477

    Configuring Web Portal WebAAA 477. 5 Commit the new ACL to the configuration, using the following command: commit security acl 6 Change the web-portal ACL name set on the service profile, using the following command: set service-profile name web-portal-acl aclname 7 Verify the change by displaying th...

  • Page 478

    478 Chapter 21: Configuring AAA for Network Users. To change the Web Portal WebAAA session timeout period, use the following command: set service-profile name web-portal-session-timeout seconds You can specify from 5 – 2,800 seconds. The default is 5 seconds. Note that the Web Portal WebAAA sessi...

  • Page 479

    Configuring Last-Resort Access 479. The URL should be of the form https://host/logout.html. By default, the logout URL uses the IP address of the WX switch as the host part of the URL. The host can be either an IP address or a hostname. Specifying the logout URL is useful if you want to standardize ...

  • Page 480

    480 Chapter 21: Configuring AAA for Network Users. You do not need to configure an access rule for last-resort access. Last-resort access is automatically enabled on all service profiles and wired authentication ports that have the fallthru authentication type set to last-resort. (The set authent...

  • Page 481

    Configuring Last-Resort Access 481. WEP unicast index: 1 WEP multicast index: 1 Shared key auth: no WPA and RSN enabled: ciphers: cipher-tkip, cipher-ccmp, cipher-wep40 authentication: 802.1X TKIP countermeasures time: 60000ms vlan-name = guest-vlan ... Beginning with MSS Version 5.0, the special use...

  • Page 482

    482 Chapter 21: Configuring AAA for Network Users. Configuring AAA for users of third-party APs: a WX switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a WX switch and configure the WX to p...

  • Page 483

    Configuring AAA for Users of Third-Party APs 483. For any users of an AP that sends SSID traffic to the WX on an untagged VLAN, the WX does not use 802.1X. The WX sends a RADIUS query for the special username web-portal-wired or last-resort-wired, depending on the fallthru authentication type specifi...

  • Page 484

    484 Chapter 21: Configuring AAA for Network Users. WX switch requirements: the WX port connected to the third-party AP must be configured as a wired authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value must be used on the wired authentication port. A MAC authenticati...

  • Page 485

    Configuring AAA for Users of Third-Party APs 485. Configure a MAC authentication rule for the AP. Use the following command: set authentication mac wired mac-addr-glob method1 Configure the WX port connected to the AP as a RADIUS proxy for the SSID supported by the AP. If SSID traffic from the AP is ...

  • Page 486

    486 Chapter 21: Configuring AAA for Network Users. The following command configures a MAC authentication rule that matches on the third-party AP’s MAC address. Because the AP is connected to the WX switch on a wired authentication port, the wired option is used. WX4400# set authentication mac wir...

  • Page 487

    Assigning Authorization Attributes 487. Configuring authentication for non-802.1X users of a third-party AP with tagged SSIDs: to configure MSS to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authe...

  • Page 488

    488 Chapter 21: Configuring AAA for Network Users. Table 43 lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and 3Com vendor-specific attributes supported by MSS, as well as the vendor ID and types for 3Com VSAs configured on a RADIUS serve...

  • Page 489

    Assigning Authorization Attributes 489. end-date: date and time after which the user is no longer allowed to be on the network. Date and time, in the following format: YY/MM/DD-HH:MM. You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-...

  • Page 490

    490 Chapter 21: Configuring AAA for Network Users. service-type: type of access the user is requesting. One of the following numbers: 2—Framed; for network user access 6—Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The u...

  • Page 491

    Assigning Authorization Attributes 491. start-date: date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified). Date and time,...

  • Page 492

    492 Chapter 21: Configuring AAA for Network Users. Assigning attributes to users and groups: you can assign authorization attributes to individual users or groups of users. Use any of the following commands to assign an attribute to a user or group in the local WX database and specify its value: s...

  • Page 493

    Assigning Authorization Attributes 493. To change the value of an authorization attribute, reenter the command with the new value. To assign an authorization attribute to a user’s configuration on a RADIUS server, see the documentation for your RADIUS server. Assigning SSID default attributes to a se...

  • Page 494

    494 Chapter 21: Configuring AAA for Network Users. All of the authorization attributes listed in Table 40 on page 448 can be specified in a service profile except ssid. Assigning a security ACL to a user or a group: once a security access control list (ACL) is defined and committed, it can be appl...

  • Page 495

    Assigning Authorization Attributes 495. You can set filters for incoming and outgoing packets: use acl-name.in to filter traffic that enters the WX switch from users via a MAP access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent fro...

  • Page 496

    496 Chapter 21: Configuring AAA for Network Users. Assigning encryption types to wireless users: when a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because MAPs support the encryption of wireless traffic, clients can choose a...

  • Page 497

    Assigning Authorization Attributes 497. For example, the following command restricts the MAC user group mac-fans to access the network by using only TKIP: WX1200# set mac-usergroup mac-fans attr encryption-type 4 success: change accepted. You can also specify a combination of allowed encryption types...

  • Page 498

    498 Chapter 21: Configuring AAA for Network Users. Keeping users on the same VLAN even after roaming: in some cases, a user can be assigned to a different VLAN after roaming to another WX switch. Table 46 lists the ways a VLAN can be assigned to a user after roaming from one WX to another. Yes in ...

  • Page 499

    Overriding or Adding Attributes Locally with a Location Policy 499. SSID means the VLAN is set on the roamed-to switch, in the service profile for the SSID the user is associated with. (The vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the roame...

  • Page 500

    500 Chapter 21: Configuring AAA for Network Users. About the location policy: each WX switch can have one location policy. The location policy consists of a set of rules. Each rule contains conditions, and an action to perform if all conditions in the rule match. The location policy can contain up...

  • Page 502

    502 Chapter 21: Configuring AAA for Network Users. The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1: WX1200# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a success: change accepted. Applying security ACLs in a location policy rule ...

  • Page 503

    Overriding or Adding Attributes Locally with a Location Policy 503. For example, suppose you have configured the following location policy rules: WX1200# display location policy Id Clauses ---------------------------------------------------------------- 1) deny if user eq *.theirfirm.com 2) permit vla...

  • Page 504

    504 Chapter 21: Configuring AAA for Network Users. Configuring accounting for wireless network users: accounting records come in three types: start-stop, stop-only, and update for network users. The records provide information about network resource usage. To set accounting, type the following com...

  • Page 505

    Configuring Accounting for Wireless Network Users 505. (For details about display accounting statistics output, see the Wireless LAN Switch and Controller Command Reference. For information about accounting update records, see “Viewing Roaming Accounting Records” on page 505.) To configure accounting...

  • Page 506

    506 Chapter 21: Configuring AAA for Network Users. User-Name=administrator@example.com Acct-Session-Time=209 Acct-Output-Octets=1280 Acct-Input-Octets=1920 Acct-Output-Packets=10 Acct-Input-Packets=15 Event-Timestamp=1053536700 vlan-name=default Calling-Station-Id=00-06-25-09-39-5d NAS-Port-Id=2/...

  • Page 507

    Displaying the AAA Configuration 507. Displaying the AAA configuration: to view the results of the AAA commands you have set and verify their order, type the display aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users. (Sometimes th...

  • Page 508

    508 Chapter 21: Configuring AAA for Network Users. Avoiding AAA problems in configuration order: this section describes some common AAA configuration issues on the WX switch and how to avoid them. Using the wildcard “any” as the SSID name in authentication rules: you can configure an authentication...

  • Page 509

    Avoiding AAA Problems in Configuration Order 509. Configuration producing an incorrect processing order: for example, suppose you initially set up start-stop accounting as follows for all 802.1X users via RADIUS server group 1: WX1200# set accounting dot1x ssid mycorp * start-stop group1 success: chan...

  • Page 510

    510 Chapter 21: Configuring AAA for Network Users. The configuration order now shows that all 802.1X users are processed as you intended: WX1200# display aaa ... set accounting dot1x ssid mycorp example/* start-stop group1 set authentication dot1x ssid mycorp example/* peap-mschapv2 group1 set ac...

  • Page 511

    Configuring a Mobility Profile 511. You can then assign this Mobility Profile to one or more users. For example, to assign the Mobility Profile roses-profile to all users at example\, type the following command: WX1200# set user example\* attr mobility-profile roses-profile success: change accepted. ...

  • Page 512

    512 Chapter 21: Configuring AAA for Network Users. Network user configuration scenarios: the following scenarios provide examples of ways in which you use AAA commands to configure access for users: “General Use of Network User Commands” on page 512 “Enabling RADIUS Pass-Through Authentication” on...

  • Page 513

    Network User Configuration Scenarios 513. 5 Create a Mobility Profile called tulip by typing the following commands: WX1200# set mobility-profile name tulip port 2,5 success: change accepted. WX1200# set mobility-profile mode enable success: change accepted. WX1200# display mobility-profile Mobility ...

  • Page 514

    514 Chapter 21: Configuring AAA for Network Users. 8 Save the configuration: WX1200# save config success: configuration saved. Enabling RADIUS pass-through authentication: the following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users: 1 Configure t...

  • Page 515

    Network User Configuration Scenarios 515. 3 To assign natasha to a VLAN named red, type the following command: WX1200# set user natasha attr vlan-name red 4 To assign natasha a session timeout value of 1200 seconds, type the following command: WX1200# set user natasha attr session-timeout 1200 5 Save...

  • Page 516

    516 Chapter 21: Configuring AAA for Network Users. Combining EAP offload with pass-through authentication: the following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes ...

  • Page 517

    Network User Configuration Scenarios 517. 1 Redirect bldga-prof-* VLAN users to the VLAN bldgb-eng: WX1200# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-* 2 Allow writing instructors from *-techcomm VLANs to use the bldgb-eng VLAN: WX1200# set location policy permit vlan bldgb-eng if...


  • Page 519: Configuring Communication with RADIUS

    22 Configuring Communication with RADIUS. For a list of the standard and extended RADIUS attributes and 3Com vendor-specific attributes (VSAs) supported by MSS, see “Supported RADIUS Attributes” on page 651. RADIUS overview: Remote Authentication Dial-In User Service (RADIUS) is a distributed client...

  • Page 520

    520 Chapter 22: Configuring Communication with RADIUS. Figure 33 Wireless client, MAP, WX switch, and RADIUS servers. In the example shown in Figure 33, the following events occur: 1 The wireless user (client) requests an IEEE 802.11 association from the MAP. 2 After the MAP creates the association...

  • Page 521

    Before You Begin 521. Before you begin: to ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity. ping ip-address You can then set up communication between the WX switch and each RADIUS server group. Configuring RADI...

  • Page 522

    522 Chapter 22: Configuring Communication with RADIUS. During the holddown, it is as if the dead RADIUS server does not exist. MSS skips over any dead RADIUS servers to the next live server, or on to the next method if no more live servers are available, depending on your configuration. For exampl...

  • Page 523

    Configuring RADIUS Servers 523. For example, the following command resets the dead-time timer to 0 minutes on all RADIUS servers in the WX configuration: WX1200# clear radius deadtime success: change accepted. Setting the system IP address as the source address: by default, RADIUS packets leaving the ...

  • Page 524

    524 Chapter 22: Configuring Communication with RADIUS. You can configure multiple RADIUS servers. When you define server names and keys, case is significant. For example: WX1200# set radius server rs1 address 10.6.7.8 key secret success: change accepted. WX1200# set radius server rs2 address 10.6....

  • Page 525

    Configuring RADIUS Server Groups 525. Creating server groups: to create a server group, you must first configure the RADIUS servers with their addresses and any optional parameters. After configuring RADIUS servers, type the following command: set server group group-name members server-name1 [server-n...

  • Page 526

    526 Chapter 22: Configuring Communication with RADIUS. Configuring load balancing: you can configure the WX switch to distribute authentication requests across RADIUS servers in a server group, which is called load balancing. Distributing the authentication process across multiple RADIUS servers si...

  • Page 527

    Configuring RADIUS Server Groups 527. Adding members to a server group: to add RADIUS servers to a server group, type the following command: set server group group-name members server-name1 [server-name2] [server-name3] [server-name4] The keyword members lists the RADIUS servers contained in the named...

  • Page 528

    528 Chapter 22: Configuring Communication with RADIUS. The members of the group remain configured, although no server groups are shown: wx1200# display aaa default values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) radius servers server a...

  • Page 529

    RADIUS and server group configuration scenario 529. 6 Display the configuration. Type the following command: wx1200# display aaa default values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null) radius servers server addr ports t/o tries dead state...

  • Page 531: Managing

    23 Managing 802.1X on the WX Switch. Certain settings for IEEE 802.1X sessions on the WX switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WX switch’s 802.1X performance. For settings that you can reset with a clear command, MSS reverts...

  • Page 532

    532 Chapter 23: Managing 802.1X on the WX Switch. The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1x port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authori...

  • Page 533

    Managing 802.1X encryption keys 533. Managing 802.1X encryption keys. By default, the WX switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPOL) packet after authentication is successful. You can disable this feature or change...

  • Page 534

    534 Chapter 23: Managing 802.1X on the WX Switch. Type the following command to reset the retransmission interval to the 5-second default: wx1200# clear dot1x tx-period success: change accepted. Managing WEP keys. Wired Equivalent Privacy (WEP) is part of the system security of 802.1X. MSS uses WEP...

  • Page 535

    Setting EAP retransmission attempts 535. To reenable WEP rekeying, type the following command: wx1200# set dot1x wep-rekey enable success: wep rekeying enabled. Configuring the interval for WEP rekeying. The following command sets the interval for rotating the WEP broadcast and multicast keys: set dot1...

  • Page 536

    536 Chapter 23: Managing 802.1X on the WX Switch. Supplicant timeout (configured by the set dot1x timeout supplicant command); RADIUS Session-Timeout attribute. If both of these timeouts are set, MSS uses the shorter of the two. If the RADIUS Session-Timeout attribute is not set, MSS uses the timeou...

  • Page 537

    Managing 802.1X client reauthentication 537. The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts. For example, type the following command to set the number of authentication attempts to 8: wx1200# set dot1x reauth-max 8 success: dot1x max reauth set to 8. Type ...

  • Page 538

    538 Chapter 23: Managing 802.1X on the WX Switch. Setting the bonded authentication period. The following command changes the Bonded Auth™ (bonded authentication) period, which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802.1X client ...

  • Page 539

    Managing other timers 539. Type the following command to reset the 802.1X quiet period to the default: wx1200# clear dot1x quiet-period success: change accepted. Setting the 802.1X timeout for an authorization server. Use this command to configure the number of seconds before the WX switch times out a...

  • Page 541

    Displaying 802.1X information 541. 802.1x parameter setting ---------------- ------- supplicant timeout 30 auth-server timeout 30 quiet period 5 transmit period 5 reauthentication period 3600 maximum requests 2 key transmission enabled reauthentication enabled authentication control enabled wep rekey...

  • Page 543: Configuring

    24 Configuring SODA Endpoint Security for a WX Switch. Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines. MSS can be configured to run SODA security ...

  • Page 544

    544 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. Malicious code protection: detects and blocks keystroke loggers that capture usernames and passwords, Trojans that create back-door user accounts, and screen scrapers that spy on user activity. The malicious code module integra...

  • Page 545

    About SODA endpoint security 545. If the security checks fail, the WX switch can deny the client access to the network, or grant the client limited access based on a configured security ACL. When the client closes the virtual desktop, the WX switch can optionally disconnect the client from the networ...

  • Page 546

    546 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. 6 Once the SODA agent files have been downloaded, one of the following can take place: a If the WX switch is configured to enforce the SODA agent security checks (the default), then the SODA agent checks are run on the user’s co...

  • Page 547

    Configuring SODA functionality 547. 7 Specify a page for a client to load when the SODA agent checks run successfully (optional). See “Specifying a SODA agent success page” on page 551. 8 Specify a page for a client to load when the SODA agent checks fail (optional). See “Specifying a SODA agent fail...

  • Page 548

    548 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. Note the following when creating the SODA agent in SODA Manager: the failure.html and success.html pages, when specified as success or failure URLs in SODA Manager, must be of the format https://hostname/soda/ssid/xxx.html wher...

  • Page 549

    Configuring SODA functionality 549. Copying the SODA agent to the WX switch. After creating the SODA agent with SODA Manager, you copy the .zip file to the WX switch using TFTP. For example, the following command copies the soda.zip file from a TFTP server to the WX switch: wx1200# copy tftp://172.21....

  • Page 551

    Configuring SODA functionality 551. Specifying a SODA agent success page. When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page tha...

  • Page 552

    552 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. To reset the failure page to the default value, use the following command: clear service-profile name soda failure-page. The page refers to a file on the WX switch. After this page is loaded, the specified remediation ACL takes e...

  • Page 553

    Configuring SODA functionality 553. If configured, a remediation ACL is applied to a client when the client loads the failure page. A client loads the failure page only if the service profile is set to enforce SODA agent checks, and the client fails the SODA agent checks. Consequently, in order to ap...

  • Page 554

    554 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. The following command specifies logout.html, in the soda-files directory on the WX switch, as the page to load when a client closes the SODA virtual desktop: wx# set service-profile sp1 soda logout-page soda-files/logout.html su...

  • Page 556

    556 Chapter 24: Configuring SODA Endpoint Security for a WX Switch. (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)

  • Page 557: Managing

    25 Managing Sessions. About the session manager. A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WX switch supports the following kinds of sessions: admini...

  • Page 558

    558 Chapter 25: Managing Sessions. Displaying and clearing all administrative sessions. To view information about the sessions of all administrative users, type the following command: wx1200> display sessions admin tty username time (s) type ------- -------------------- -------- ---- tty0 3644 cons...

  • Page 559

    Displaying and clearing administrative sessions 559. Displaying and clearing administrative Telnet sessions. To view information about administrative Telnet sessions, type the following command: wx1200> display sessions telnet tty username time (s) type ------- -------------------- -------- ---- tty3 ...

  • Page 561

    Displaying and clearing network sessions 561. Displaying verbose network session information. In the display sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command: wx1200> d...

  • Page 562

    562 Chapter 25: Managing Sessions. Displaying and clearing network sessions by username. You can view sessions by a username or user glob. (For a definition of user globs and their format, see “User globs” on page 30.) To see all sessions for a specific user or for a group of users, type the follow...

  • Page 563

    Displaying and clearing network sessions 563. Displaying and clearing network sessions by MAC address. You can view sessions by MAC address or MAC address glob. (For a definition of MAC address globs and their format, see “MAC address globs” on page 31.) To view session information for a MAC address o...

  • Page 564

    564 Chapter 25: Managing Sessions. To clear the sessions on a VLAN or set of VLANs, use the following command: clear sessions network vlan vlan-glob. For example, the following command clears the sessions of all users on VLAN red: wx1200# clear sessions network vlan red. Displaying and clearing netw...

  • Page 565

    Displaying and changing network session timers 565. last packet signal strength: -60 dbm last packet data s/n ratio: 35 protocol: 802.11 session cac: disabled. (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) The verbose option is not ava...

  • Page 566

    566 Chapter 25: Managing Sessions. MSS temporarily keeps session information for disassociated Web-Portal clients to allow them time to reassociate after roaming. (See “Configuring the Web Portal WebAAA session timeout period” on page 477.) Disabling keepalive probes. To disable or reenable keepali...

  • Page 567: Rogue

    26 Rogue Detection and Countermeasures. MAP radios automatically scan the RF spectrum for other devices transmitting in the same spectrum. The RF scans discover third-party transmitters in addition to other 3Com radios. MSS considers the unknown transmitters to be devices of interest, which are po...

  • Page 568

    568 Chapter 26: Rogue Detection and Countermeasures. Rogue classification. When MSS detects a third-party wireless device that is not allowed on the network, MSS classifies the device as one of the following: Rogue: the device is in the 3Com network but does not belong there. Interfering device: the...

  • Page 569

    About rogues and RF detection 569. Rogue detection lists. Rogue detection lists specify the third-party devices and SSIDs that MSS allows on the network, and the devices MSS classifies as rogues. You can configure the following rogue detection lists: Permitted SSID list: a list of SSIDs allowed in the ...

  • Page 570

    570 Chapter 26: Rogue Detection and Countermeasures. Figure 34 Rogue detection algorithm (flowchart; only the node labels survive extraction). Start: MAP radio detects wireless packet. Decision nodes: Source MAC in ignore list? (Device is not a threat.) SSID in permitted SSID list? OUI in permitted vendor list? Source MAC in attack list? Then: generate an ala...

  • Page 571

    About rogues and RF detection 571. RF detection scans. All radios continually scan for other RF transmitters. Radios perform passive scans and active scans. Passive scans: the radio listens for beacons and probe responses. Active scans: the radio sends probe any requests (probe requests with a null ...

  • Page 572

    572 Chapter 26: Rogue Detection and Countermeasures. When a MAP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. MSS also generates a message. The RF Auto-Tuning feature must be enabled. Ot...

  • Page 573

    Summary of rogue detection features 573. Summary of rogue detection features. Table 48 lists the rogue detection features in MSS. Table 48 Rogue detection features (columns: Rogue detection feature; Description; Applies to: third-party APs, clients). Classification: MSS can classify third-party APs as rogues or interf...

  • Page 574

    574 Chapter 26: Rogue Detection and Countermeasures. Configuring rogue detection lists. The following sections describe how to configure lists to specify the devices that are allowed on the network and the devices that MSS should attack with countermeasures. (For information about how MSS uses the...

  • Page 575

    Configuring rogue detection lists 575. If you add a device that MSS has classified as a rogue to the permitted vendor list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted vendor list merely indicates that the device is from an allowed vendor...

  • Page 576

    576 Chapter 26: Rogue Detection and Countermeasures. Configuring a permitted SSID list. The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. MSS issues counter...

  • Page 577

    Configuring rogue detection lists 577. The following command clears SSID mycorp from the permitted SSID list: wx1200# clear rfdetect ssid-list mycorp success: mycorp is no longer in ssid-list. Configuring a client black list. The client black list specifies clients that are not allowed on the network....

  • Page 578

    578 Chapter 26: Rogue Detection and Countermeasures. Configuring an attack list. The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. ...

  • Page 579

    Configuring rogue detection lists 579. The following command clears MAC address 11:22:33:44:55:66 from the attack list: wx4400# clear rfdetect attack-list 11:22:33:44:55:66 success: 11:22:33:44:55:66 is no longer in attacklist. Configuring an ignore list. By default, when countermeasures are enabled, ...

  • Page 580

    580 Chapter 26: Rogue Detection and Countermeasures. The following command displays an ignore list containing two BSSIDs: wx4400# display rfdetect ignore total number of entries: 2 ignore mac ----------------- aa:bb:cc:11:22:33 aa:bb:cc:44:55:66. Enabling countermeasures. Countermeasures are disabl...

  • Page 581

    Enabling countermeasures 581. The following command disables countermeasures in radio profile radprof3: wx4400# clear radio-profile radprof3 countermeasures success: change accepted. Using on-demand countermeasures in a Mobility Domain. If you are using on-demand countermeasures in a Mobility Domain, ...

  • Page 582

    582 Chapter 26: Rogue Detection and Countermeasures. Disabling or reenabling active scan. When active scanning is enabled, the MAP radios managed by the switch look for rogue devices by sending probe any frames (probes with a null SSID name) to solicit probe responses from other APs. Active scan ...

  • Page 583

    Enabling MAP signatures 583. Creating an encrypted RF fingerprint key as a MAP signature. To create an encrypted RF fingerprint key to use as a signature for a MAP, use the following command: set rfdetect signature key encrypted. For example: wxr100_desk# set rfdetect ? attack-list add a device to atta...

  • Page 585

    IDS and DoS alerts 585. Flood attacks. A flood attack is a type of denial of service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly...

  • Page 586

    586 Chapter 26: Rogue Detection and Countermeasures. Decrypt errors: an excessive number of decrypt errors can indicate that multiple clients are using the same MAC address. A device’s MAC address is supposed to be unique. Multiple instances of the same address can indicate that a rogue device is ...

  • Page 587

    IDS and DoS alerts 587. Weak WEP key used by client. A weak initialization vector (IV) makes a WEP key easier to hack. MSS alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients. Disallowed devices or SSIDs. You can conf...

  • Page 588

    588 Chapter 26: Rogue Detection and Countermeasures. Management frame 6 flood: client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 6 message flood. seen by ap on port 2, radio 1 on channel 11 with rssi -53. Management frame 7 flood: client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 message floo...

  • Page 589

    IDS and DoS alerts 589. Spoofed disassociation frames: disassociation frame from ap aa:bb:cc:dd:ee:ff is being spoofed. seen by ap on port 2, radio 1 on channel 11 with rssi -53. Null probe responses: ap aa:bb:cc:dd:ee:ff is sending null probe responses. seen by ap on port 2, radio 1 on channel 11 with...

  • Page 590

    590 Chapter 26: Rogue Detection and Countermeasures. Displaying RF detection information. You can use the CLI commands listed in Table 50 to display rogue detection information. Spoofed AP: ap mac aa:bb:cc:dd:ee:ff(ssid myssid) is being spoofed. received fingerprint 1122343 does not match our finge...

  • Page 591

    Displaying RF detection information 591. (For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.) display rfdetect data: displays information about all BSSIDs detected on the air, and labels those that are from rogues or interfering devices. This...

  • Page 592

    592 Chapter 26: Rogue Detection and Countermeasures. Displaying rogue clients. To display the wireless clients detected by a WX switch, use the following command: display rfdetect clients [mac mac-addr]. The following command shows information about all wireless clients detected by a WX switch’s MA...

  • Page 593

    Displaying RF detection information 593. Displaying rogue detection counters. To display rogue detection statistics counters, use the following command: display rfdetect counters. The command shows counters for rogue activity detected by the WX switch on which you enter the command. wx1200# display rfd...

  • Page 594

    594 Chapter 26: Rogue Detection and Countermeasures. access points not present in ssid-list 0 0 access points not present in vendor-list 0 0 clients not present in vendor-list 0 0 clients added to automatic black-list 0 0. MSS generates log messages for most of these statistics. See “IDS and DoS a...

  • Page 595

    Displaying RF detection information 595. wx-ipaddress: 10.8.121.102 port/radio/ch: 3/1/11 mac: 00:0b:0e:00:0a:6a device-type: interfering adhoc: no crypto-types: clear rssi: -85 ssid: 3com-webaaa bssid: 00:0b:0e:00:7a:8a vendor: 3com ssid: 3com-webaaa type: intfr adhoc: no crypto-types: clear wx1200-...

  • Page 596

    596 Chapter 26: Rogue Detection and Countermeasures. Displaying RF detect data. To display information about the APs detected by an individual WX switch, use the following command: display rfdetect data. You can enter this command on any switch in the Mobility Domain. wx1200# display rfdetect data ...

  • Page 597

    Displaying RF detection information 597. 00:0a:5e:4b:4a:c6 3com intfr 11 -85 i-t--- 3com-tkip 00:0a:5e:4b:4a:c8 3com intfr 11 -83 i----w 3com-voip 00:0a:5e:4b:4a:ca 3com intfr 11 -85 i----- 3com-webaaa ... Displaying countermeasures information. To display the current status of countermeasures against...

  • Page 599: Managing

    27 Managing System Files. A wireless switch (WX) contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the WX switch and a TFTP server on the network. About system files. Generally, a WX switch’s nonvolatile storage contains...

  • Page 600

    600 Chapter 27: Managing System Files. To display version information for a WX switch, type the following command: wx# display version mobility system software, version: 6.0.0.2 rel copyright (c) 2002 - 2006 3com corporation. all rights reserved. build information: (build#0) rel_6_0_0_branch 2006...

  • Page 601

    About system files 601. Displaying boot information. Boot information consists of the MSS version and the names of the system image file and configuration file currently running on the WX switch. The boot command also lists the system image and configuration file that will be loaded after the next reb...

  • Page 602

    602 Chapter 27: Managing System Files. Working with files. The following sections describe how to manage files stored on the WX switch. Displaying a list of files. Files are stored on a WX switch in the following areas: file: contains configuration files; boot: contains system image files; temporary...

  • Page 603

    Working with files 603. =============================================================================== boot: filename size created boot0:wxa30001.rel 9780 kb aug 23 2005, 15:54:08 *boot1:wxa40101.rel 9796 kb aug 28 2005, 21:09:56 boot0: total: 9780 kbytes used, 2460 kbytes free boot1: total: 9796 kb...

  • Page 604

    604 Chapter 27: Managing System Files. The following command limits the output to the contents of the /tmp/core subdirectory: wx1200# dir core: =============================================================================== file: filename size created core:command_audit.cur 37 bytes aug 28 2005, ...

  • Page 605

    Working with files 605. The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server’s hostname as an alternative to specifying the IP address. The tmp:filename URL refers to a file in temporary storage. You can copy a file ou...

  • Page 606

    606 Chapter 27: Managing System Files. The above command copies the file to the same filename. To rename the file when copying it, type the following command: wx1200# copy tftp://10.1.1.1/newconfig wxconfig success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]. To copy system image wxb041...

  • Page 607

    Working with files 607. 4 Enter a command such as the following to calculate the checksum for the file: wx1200# md5 boot0:wxb04102.rel md5 (boot0:wx040003.020) = b9cf7f527f74608e50c70e8fb896392a. You must include the boot partition name in the filename. For example, you must specify boot0:wx040003.020...

  • Page 608

    608 Chapter 27: Managing System Files. Creating a subdirectory. You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command: mkdir [subdirname]. To create a subdirectory called corp2 and display the root directory to verify the re...

  • Page 609

    Managing configuration files 609. Managing configuration files. A configuration file contains CLI commands that set up the WX switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file whi...

  • Page 610

    610 Chapter 27: Managing System Files. set log server 192.168.253.11 severity critical set timezone pst -8 0 set summertime pdt start first sun apr 2 0 end lastsun oct 2 0 set system name wx1200 set system countrycode us set system contact 3com-pubs set radius server r1 address 192.168.253.1 key ...

  • Page 611

    Managing configuration files 611. To save the running configuration to a file named newconfig, type the following command: wx1200# save config newconfig success: configuration saved to newconfig. Specifying the configuration file to use after the next reboot. By default, the WX switch loads the config...

  • Page 612

    612 Chapter 27: Managing System Files. Specifying a backup configuration file. In the event that part of the configuration file is invalid or otherwise unreadable, MSS stops reading information in the configuration file and does not use it. You can optionally specify a backup file to load if MSS c...

  • Page 613

    Backing up and restoring the system 613. To back up the current configuration file named configuration and reset the WX switch to the factory default configuration, type the following commands: wx1200# copy configuration tftp://10.1.1.1/backupcfg success: sent 365 bytes in 0.401 seconds [ 910 bytes/s...

  • Page 614

    614 Chapter 27: Managing System Files. Both commands have options to specify the types of files you want to back up and restore: critical: backs up or restores system files, including the configuration file used when booting, and certificate files. The size of an archive created by this option is ...

  • Page 615

    Backing up and restoring the system 615. Managing configuration changes. The backup command places the boot configuration file into the archive. (The boot configuration file is the configured boot configuration in the display boot command’s output.) If the running configuration contains changes that h...

  • Page 616

    616 Chapter 27: Managing System Files. The following command restores system-critical files on a switch, from archive sysa_bak: wx1200# restore system tftp:/10.10.20.9/sysa_bak success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec] success: restore complete. Upgrading the system image ...

  • Page 617

    Upgrading the system image 617. Upgrading an individual switch using the CLI. 1 Save the configuration, using the save config command. 2 Back up the switch, using the backup system command. 3 Copy the new system image onto a TFTP server. For example, log in to http://www.3com.com using a web browser o...

  • Page 618

    618 Chapter 27: Managing System Files. Upgrade scenario. To upgrade a WX1200 switch from MSS Version 4.0 to MSS Version 4.1, type the following commands. This example copies the image file into boot partition 1. On your switch, copy the image file into the boot partition that was not used the last...

  • Page 619: Troubleshooting

    A Troubleshooting a WX Switch. Some common problems that occur during WX installation and basic configuration are simple to solve. However, to “recover” the system password, you must delete the existing WX configuration. Fixing common WX setup problems. System logs provide a history of MSS events. T...

  • Page 620

    620 Chapter A: Troubleshooting a WX Switch. Table 51 WX setup problems and remedies (columns: Symptom; Diagnosis; Remedy). 3Com Wireless Switch Manager or a web browser (if you are using Web Manager) warns that the WX switch’s certificate date is invalid. The switch’s time and date are currently incorrect, or w...

  • Page 621

    Fixing common WX setup problems 621. Client cannot access the network. This symptom has more than one possible cause: the client might be failing authentication or might not be authorized for a VLAN. 1 Type the display aaa command to ensure that the authentication rules on the WX switch allow the cli...

  • Page 622

    622 Chapter A: Troubleshooting a WX Switch. Recovering the system when the enable password is lost. You can recover any model switch if you have lost or forgotten the enable password. You also can recover a WXR100 even if you have lost or forgotten the login password. Recovering the system will del...

  • Page 623

    Configuring and managing the system log 623. Configuring and managing the system log. System logs provide information about system events that you can use to monitor and troubleshoot MSS. Event messages for the WX switch and its attached MAPs can be stored or sent to the following destinations: stored...

  • Page 624

    624 Chapter A: Troubleshooting a WX Switch. System events and conditions at different severity levels can be logged to multiple destinations. By default, events at the error level and higher are posted to the console and to the log buffer. Debug output is logged to the trace buffer by default. Tab...

  • Page 626

    626 Chapter A: Troubleshooting a WX Switch. Logging to the log buffer. The system log consists of rolling entries stored as a last-in first-out queue maintained by the WX. Logging to the buffer is enabled by default for events at the error level and higher. To modify settings to another severity le...

  • Page 627

    Configuring and managing the system log 627. To filter the event log by MSS area, use the facility facility-name keyword. For a list of facilities for which you can view event messages, type the following command: wx1200# display log buffer facility ? select one of: kernel, aaa, syslogd, acl, apm, ar...

  • Page 628

    628 Chapter A: Troubleshooting a WX Switch. If you type anything to the console, the typing disables log output to the console until you press the Enter key. Logging messages to a syslog server. To send event messages to a syslog server, use the following command: set log server ip-addr [port port-...

  • Page 629

    Configuring and managing the system log 629. To disable session logging, use the following command: set log sessions disable. Changing the current Telnet session defaults. By default, log information is not sent to your current Telnet session, and the log level is set to information (info) or higher. T...

  • Page 630

    630 Chapter A: Troubleshooting a WX Switch. Mark messages are disabled by default. When they are enabled, MSS generates a message at the notice level once every 300 seconds by default. To enable mark messages, use the following command: wx4400# set log mark enable success: change accepted. Saving ...

  • Page 631

    Running traces 631. Running traces. Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager. Warning: using the set trace command can ha...

  • Page 632

    632 Chapter A: Troubleshooting a WX Switch. Tracing authorization activity. Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command: wx1200# set trace authorization mac-addr 00:00:3...

  • Page 633

    Running traces 633. About trace results. The trace commands use the underlying logging mechanism to deliver trace messages. Trace messages are generated with the debug severity level. By default, the only log target that receives debug-level messages is the volatile trace buffer. (To see the contents ...

  • Page 634

    634 Chapter A: Troubleshooting a WX Switch. /number-of-messages: displays the specified number of the most recent entries in the log, starting with the least recent. To filter trace output by MSS area, use the facility facility-name keyword. For a list of valid facilities for which you can view e...

  • Page 635

    Using display commands 635. Using display commands. To troubleshoot the WX switch, you can use display commands to display information about different areas of the MSS. The following commands can provide helpful information if you are experiencing MSS performance issues. Viewing VLAN interfaces. To vie...

  • Page 636

    636 Chapter A: Troubleshooting a WX Switch. (For more information about AAA, see Chapter 3, “Configuring AAA for Administrative and Local Access,” on page 51 and Chapter 21, “Configuring AAA for Network Users,” on page 433.) Viewing FDB information: the display fdb command displays the hosts learne...

  • Page 637

    Port Mirroring 637. Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a WX port (the source port) to another WX port (the observer). You can attach a protocol analyzer to the observer port to examine the source port’s traffic. Both traffic di...

  • Page 638

    638 Chapter A: Troubleshooting a WX Switch. Remotely monitoring traffic: remote traffic monitoring enables you to snoop wireless traffic by using a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such a...

  • Page 639

    Remotely Monitoring Traffic 639. Best practices for remote traffic monitoring: do not specify an observer that is associated with the MAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic. If the snoop filter is running on a distributed MAP, and the MAP use...

  • Page 641

    Remotely Monitoring Traffic 641. Displaying configured snoop filters: to display the snoop filters configured on the WX switch, use the following command: display snoop info [filter-name]. The following command shows the snoop filters configured in the examples above: wx1200# display snoop info snoop1:...

  • Page 642

    642 Chapter A: Troubleshooting a WX Switch. The following command maps snoop filter snoop1 to radio 2 on MAP 3: wx1200# set snoop map snoop1 ap 3 radio 2 success: change accepted. Displaying the snoop filters mapped to a radio: to display the snoop filters that are mapped to a radio, use the follow...

  • Page 644

    644 Chapter A: Troubleshooting a WX Switch. Use netcat to listen to UDP packets on the TZSP port. This avoids a constant flow of ICMP destination unreachable messages from the observer back to the radio. You can obtain netcat through the following link: http://www.vulnwatch.org/netcat/ If the obse...

  • Page 645

    Capturing System Information and Sending It to Technical Support 645. Capturing system information and sending it to technical support: if you need help from 3Com technical support to diagnose a system problem, you can make troubleshooting the problem easier by providing the following: display tech-su...

  • Page 646

    646 Chapter A: Troubleshooting a WX Switch. Core files: if a WX switch restarts due to an error condition (crashes), the switch generates a core file in the temporary file area. The name of the file indicates the system area where the problem occurred. Core files are saved in tarball (tar) format. ...

  • Page 647

    Capturing System Information and Sending It to Technical Support 647. If the switch’s network interfaces to the TFTP server have gone down, copy the core file to the nonvolatile file area before restarting the switch. The following commands copy netsys.core.217.tar to the nonvolatile file area and ve...

  • Page 648

    648 Chapter A: Troubleshooting a WX Switch. Sending information to 3Com technical support: after you save the display tech-support output, as well as core files and debug messages (if applicable), you can send them to 3Com. 3Com has an external FTP server for use by customers to upload MSS debuggin...

  • Page 649: Enabling

    B Enabling and Logging Into Web View. Web View is a web-based management application available on WX switches. You can use Web View for common configuration and management tasks. On most WX models (WX-2200, WX-4400, or WXR100), you also can use Web View to perform initial configuration of a new ...

  • Page 650

    650 Chapter B: Enabling and Logging Into Web View. The switch must have an IP interface that can be reached by the PC where the browser is installed. If you are configuring a new WX-2200, WX-4400, or WXR100, you can access Web View without any preconfiguration. Attach your PC directly to a WX-2...

  • Page 651: Supported

    C Supported RADIUS Attributes. 3Com Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 55 on page 652. Also supported are 3Com vendor-specific attributes (VSAs), listed in Table 56 on page 659. Attributes: an attribute is...

  • Page 652

    652 Chapter C: Supported RADIUS Attributes. Supported standard and extended attributes: the RADIUS attributes shown in Table 55 are sent by WX switches to RADIUS servers during authentication and accounting. Table 55, 802.1X attributes (columns: attribute, type, rcv in Access Resp?, sent in Access Reqst?, sent in...

  • Page 653

    Supported Standard and Extended Attributes 653. Service-Type, 5, no, yes, yes: access type, which can be one of the following: 2—Framed; for network user access. 6—Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter...

  • Page 654

    654 Chapter C: Supported RADIUS Attributes. Filter-Id, 11, yes, no, optional: if configured in the WX switch’s local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format: filter-id inboundacl.in or filter-id outboundacl.out. If you ...

  • Page 655

    Supported Standard and Extended Attributes 655. Reply-Message, 18, yes, no, no: string. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet. State, 24, yes, yes, no: can be sent by a RADIUS serv...

  • Page 656

    656 Chapter C: Supported RADIUS Attributes. Called-Station-Id, 30, no, yes, yes: for IEEE 802.1X authenticators, stores the MAP MAC address in uppercase ASCII format, with octet values separated by hyphens (for example, 00-10-a4-23-19-c0). Calling-Station-Id, 31, no, yes, yes: for IEEE 802.1X authenticato...

  • Page 657

    Supported Standard and Extended Attributes 657. Acct-Output-Octets, 43, no, no, yes: number of octets sent on the port in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. Acct-Session-Id, 44, ...

  • Page 658

    658 Chapter C: Supported RADIUS Attributes. Acct-Output-Packets, 48, no, no, yes: number of packets sent in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update. Acct-Multi-Session-Id, 50, no, no...

  • Page 659

    3Com Vendor-Specific Attributes 659. 3Com vendor-specific attributes: the vendor-specific attributes (VSAs) created by 3Com are embedded according to the procedure recommended in RFC 2865, with Vendor-Id set to 43. Table 56 describes the 3Com VSAs, listed in order by vendor type number. (For attribute...

  • Page 660

    660 Chapter C: Supported RADIUS Attributes. SSID, 26, 43, 6, yes, no, yes: name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to 3Com radios in the mobility domain. End-Date, 26, 43, 7, yes, no, no: da...
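    As an added example (not 3Com's code), the following Python encodes and parses a Vendor-Specific attribute in the RFC 2865 layout the appendix describes, using Vendor-Id 43 and the vendor-type numbers shown above for SSID (6) and End-Date (7); the attribute values in the sample packet are constructed, and the length checks show how a RADIUS receiver should reject a truncated VSA rather than mis-parse it.

```python
"""RFC 2865 Vendor-Specific Attribute (type 26) encoding and decoding
for 3Com MSS VSAs (Vendor-Id 43).

Added example, not 3Com code. Vendor-type numbers for SSID (6) and
End-Date (7) come from Table 56 on this page; sample values are constructed.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying VSAs
VENDOR_ID_3COM = 43         # Vendor-Id used by 3Com MSS (per the appendix)
VSA_SSID = 6                # Table 56: SSID vendor type
VSA_END_DATE = 7            # Table 56: End-Date vendor type


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = VENDOR_ID_3COM) -> bytes:
    """Build one attribute 26 holding a single RFC 2865 vendor sub-attribute.

    Wire layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value.
    Both Length fields include their own two-octet header.
    """
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs: bytes, vendor_id: int = VENDOR_ID_3COM):
    """Walk a RADIUS attribute list and return [(vendor_type, value), ...]
    for every sub-attribute of attribute 26 whose Vendor-Id matches.

    Every length octet is validated against the remaining bytes before it is
    used, so a truncated or malformed list raises ValueError instead of being
    silently mis-parsed; attributes of other types and other vendors are skipped.
    """
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == ATTR_VENDOR_SPECIFIC:
            body = attrs[i + 2:i + alen]
            if len(body) < 4:
                raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
            if struct.unpack("!I", body[:4])[0] == vendor_id:
                j = 4
                while j < len(body):
                    if j + 2 > len(body):
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = body[j], body[j + 1]
                    if vlen < 2 or j + vlen > len(body):
                        raise ValueError("bad vendor sub-attribute length")
                    found.append((vtype, body[j + 2:j + vlen]))
                    j += vlen
        i += alen
    return found


def sample_access_accept_attrs() -> bytes:
    """Constructed attribute list: Service-Type=Framed(2), a 3Com SSID VSA,
    a VSA from another vendor (Vendor-Id 9, constructed) and a 3Com End-Date VSA."""
    return (struct.pack("!BBI", 6, 6, 2)                     # Service-Type = 2 (Framed)
            + encode_vsa(VSA_SSID, b"guest")                 # 3Com SSID
            + encode_vsa(1, b"x", vendor_id=9)               # other vendor, ignored
            + encode_vsa(VSA_END_DATE, b"2007-12-31"))       # constructed date value


if __name__ == "__main__":
    for vtype, value in decode_vsas(sample_access_accept_attrs()):
        print(vtype, value)
```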

  • Page 661: Traffic

    D Traffic Ports Used by MSS. When deploying a 3Com wireless network, you might attach 3Com equipment to subnets that have firewalls or access controls between them. 3Com equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment...

  • Page 662

    662 Chapter D: Traffic Ports Used by MSS. Roaming traffic uses IP tunnels, encapsulated with IP protocol 4. To list the TCP port numbers in use on a WX, including those for the other end of a connection, use the display tcp command. IP/UDP (17) 5000: WX-MAP communication. This applies to WX commun...

  • Page 663: DHCP Server

    E DHCP Server. MSS has a DHCP server that the switch uses to allocate IP addresses to the following: directly connected MAPs; a host connected to a new (unconfigured) WXR100, to configure the switch using the Web Quick Start. DHCP service for these items is enabled by default. Optionally, you can config...

  • Page 664

    664 Chapter E: DHCP Server. The MSS DHCP server is configurable on an individual VLAN basis only, and operates only on the subnets for which you configure it. Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks...

  • Page 665

    Configuring the DHCP Server 665. Option 3—default router. If this option is not set with the set interface dhcp-server command’s default-router option, the MSS DHCP server can use the value set by the set ip route command. A default route configured by set ip route can be used if the route is in the ...

  • Page 666

    666 Chapter E: DHCP Server. Displaying DHCP server information: to display information about the MSS DHCP server, use the following command: display dhcp-server [interface vlan-id] [verbose]. If you enter the command without the interface or verbose option, the command displays a table of all the IP ...

  • Page 667: Obtaining

    F Obtaining Support for Your 3Com Products. 3Com offers product registration, case management, and repair services through esupport.3com.com. You must have a user name and password to access these services, which are described in this appendix. Register your product to gain service benefits to ...

  • Page 668

    668 Appendix F: Obtaining Support for Your 3Com Products. Purchase extended warranty and professional services: to enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or adv...

  • Page 669

    Contact Us 669. Telephone technical support and repair: to obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://esupport.3com.com/ When you contact 3Com for assistance, please have the following information ready: ■ product model...

  • Page 670

    670 Appendix F: Obtaining Support for Your 3Com Products. From the following countries, call the appropriate number: Austria 0800 297 468; Belgium 0800 71429; Denmark 800 17309; Finland 0800 113153; France 0800 917959; Germany 0800 182 1502; Hungary 06800 12813; Ireland 1 800 553 117; Israel 180 ...; Italy ...

  • Page 671: Glossary

    Glossary. 3Com Wireless Switch Manager™ (3WXM™): a tool suite for planning, configuring, deploying, and managing a 3Com Mobility System wireless LAN (WLAN). Based on site and user requirements, 3WXM determines the location of wireless switches (WXs) and managed access points (MAPs) and can store and ...

  • Page 672

    672 Glossary. 802.2: an IEEE LAN specification that defines the logical link control (LLC) sublayer, the upper portion of the data link layer. LLC encapsulation can be used by any lower-layer LAN technology. Compare 802.3; Ethernet II. 802.3: an IEEE LAN specification for a carrier sense multiple acce...

  • Page 673

    Glossary 673. 802.11g: a supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the physical layer (PHY) based on orthogonal frequency division multiplexing (OFDM), at a frequency of 2.4 GHz and data rates of up to 54 Mbps. 802.11i: a draft supplement to the I...

  • Page 674

    674 Glossary. Ad hoc network: one of two IEEE 802.11 network frameworks. In an ad hoc network, a set of wireless stations communicate directly with one another without using an access point (AP) or any connection to a wired network. With an ad hoc network, also known as a peer-to-peer network or inde...

  • Page 675

    Glossary 675. Authentication, authorization, and accounting: see AAA. Authentication mobility: the ability of a user (client) authenticated via Extensible Authentication Protocol (EAP) — plus an appropriate subprotocol and back-end authentication, authorization, and accounting (AAA) service — to roam ...

  • Page 676

    676 Glossary. BSSID: basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS). CA: see certificate authority (CA). CBC-MAC: see CCMP. CCI: co-channel interference. Obstruction that occurs when ...

  • Page 677

    Glossary 677. CHAP: Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user (client). CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator. For wireless connections, CH...

  • Page 678

    678 Glossary. Cryptography: the science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender’s end of a connection, and decrypting the encrypted text back into clear tex...

  • Page 679

    Glossary 679. DES: Data Encryption Standard. A federally approved symmetric encryption algorithm in use for many years and replaced by the Advanced Encryption Standard (AES). See also 3DES. DHCP: Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a ...

  • Page 680

    680 Glossary. Domain policy: a collection of configuration settings that you can define once in 3Com Wireless Switch Manager (3WXM) and apply to many wireless switches (WXs). Each Mobility Domain group in the network has a default domain policy that applies to every WX switch in the Mobility Domain. ...

  • Page 681

    Glossary 681. EAP: Extensible Authentication Protocol. A general point-to-point protocol that supports multiple authentication mechanisms. Defined in RFC 2284, EAP has been adopted by IEEE 802.1X in an encapsulated form for carrying authentication messages in a standard message exchange between a use...

  • Page 682

    682 Glossary. Enabled access: permission to use all Mobility System Software (MSS) command-line interface (CLI) commands required for configuration and troubleshooting. Enabled access requires a separate enable password. Compare restricted access. Encryption: any procedure used in cryptography to tran...

  • Page 683

    Glossary 683. FDB: see forwarding database (FDB). Federal Communications Commission: see FCC. FHSS: frequency-hopping spread-spectrum. One of two types of spread-spectrum radio technology used in wireless LAN (WLAN) transmissions. The FHSS technique modulates the data signal with a narrowband carrier s...

  • Page 684

    684 Glossary. GMK: group master key. A cryptographic key used to derive a group transient key (GTK) for the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). Greenfield network: an original deployment of a telecommunications network. GRE tunnel: a virtual link between two r...

  • Page 685

    Glossary 685. Hewlett-Packard OpenView: see HPOV. Homologation: the process of certifying a product or specification to verify that it meets regulatory standards. HPOV: Hewlett-Packard OpenView. The umbrella network management system (NMS) family of products from Hewlett-Packard. The 3Com Wireless Sw...

  • Page 686

    686 Glossary. IGMP snooping: a feature that prevents the flow of multicast stream packets within a virtual LAN (VLAN) and forwards the multicast traffic through a path to only the clients that want to receive it. A wireless switch (WX) uses IGMP snooping to monitor the Internet Group Management Proto...

  • Page 687

    Glossary 687. Internet Authentication Service: see IAS. Internet Group Management Protocol: see IGMP. Interswitch Link: see ISL. ISL: Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. W...

  • Page 688

    688 Glossary. Location policy: an ordered list of rules that overrides the virtual LAN (VLAN) assignment and security ACL filtering applied to users during normal authentication, authorization, and accounting (AAA) — or assigns a VLAN or security ACL to users without these assignments. Defining locat...

  • Page 689

    Glossary 689. Managed Access Point™ (MAP™): a small hardware unit that functions as a wireless access point (AP) in a 3Com Mobility System. Using one or more radio transmitters, a MAP transmits and receives information as radio frequency (RF) signals to and from a wireless user (client). The MAP tran...

  • Page 690

    690 Glossary. Message integrity code: see MIC. MIC: message integrity code. The IEEE term for a message authentication code (MAC). See MAC. Microsoft Challenge Handshake Authentication Protocol: see MS-CHAP-V2. Minimum data transmit rate: the lowest rate at which a managed access point (MAP) can transmi...

  • Page 691

    Glossary 691. MSDU: MAC service data unit. In IEEE 802.11 communications, the data payload encapsulated within a MAC protocol data unit (MPDU). MSS: see Mobility System Software™ (MSS™). MTU: maximum transmission unit. The size of the largest packet that can be transmitted over a particular medium. Pac...

  • Page 692

    692 Glossary. PEAP: Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP part 1 to authenticate the server o...

  • Page 693

    Glossary 693. The PKI uses the digital certificate to identify an individual or an organization. The private key is given only to the requesting party and is never shared, and the public key is made publicly available (as part of the digital certificate) in a directory that all parties can access. Y...

  • Page 694

    694 Glossary. Pre-master secret: a key generated during the handshake process in Transport Layer Security (TLS) protocol negotiations and used to derive a master secret. Preshared key: see PSK. PRF: pseudorandom function. A function that produces effectively unpredictable output. A PRF can use multiple...

  • Page 695

    Glossary 695. PTK: pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i. Public key: in cryptogra...

  • Page 696

    696 Glossary. RADIUS: Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterpris...

  • Page 697

    Glossary 697. Roaming: the ability of a wireless user (client) to maintain network access when moving between access points (APs). Robust security network: see RSN. Rogue access point: an access point (AP) that is not authorized to operate within a wireless network. Rogue access points subvert the secu...

  • Page 698

    698 Glossary. Seed: (1) an input to a pseudorandom number generator (PRNG) that is generally the combination of two or more inputs. (2) The wireless switch (WX) that distributes information to all the WX switches in a Mobility Domain™ group. SentrySweep™: a radio frequency (RF) detection sweep that r...

  • Page 699

    Glossary 699. SSL: Secure Sockets Layer protocol. A protocol developed by Netscape for managing the security of message transmission over the Internet. SSL has been succeeded by the Transport Layer Security (TLS) protocol, which is based on SSL. The sockets part of the term refers to the sockets method o...

  • Page 700

    700 Glossary. TLS: Transport Layer Security protocol. An authentication and encryption protocol that is the successor to the Secure Sockets Layer (SSL) protocol for private transmission over the Internet. Defined in RFC 2246, TLS provides mutual authentication with nonrepudiation, encryption, algorit...

  • Page 701

    Glossary 701. U-NII: Unlicensed National Information Infrastructure. Three unlicensed frequency bands of 100 MHz each in the 5 GHz band, designated by the U.S. Federal Communications Commission (FCC) to provide high-speed wireless networking. The three frequency bands — 5.15 GHz through 5.25 GHz (for...

  • Page 702

    702 Glossary. VLAN glob: a 3Com convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a WX switch to one or more users, based on a virtual LAN (VLAN) attribute. To specify all VLANs, use the double-asterisk (**) wildcard characters. To ma...

  • Page 703

    Glossary 703. WEP: Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.11 standard, that attempts to provide a wireless LAN (WLAN) with a minimal level of security and privacy comparable to a typical wired LAN. WEP encrypts data transmitted over the WLAN to protect the v...

  • Page 704

    704 Glossary. Wireless LAN: see WLAN. Wireless Switch™ (WX™): a switch in a 3Com Mobility System. A WX provides forwarding, queuing, tunneling, and some security services for the information it receives from its directly attached managed access points (MAPs). In addition, the WX coordinates, provides ...

  • Page 705

    Glossary 705. X.509: an International Telecommunication Union Telecommunication Standardization Sector (ITU-T) recommendation and the most widely used standard for defining digital certificates. XML: Extensible Markup Language. A simpler and easier-to-use subset of the Standard Generalized Markup Lan...

  • Page 706

    706 Glossary.

  • Page 707: Index

    Index. Numbers: 3Com Knowledgebase tool 667; 3Com Professional Services 668; 3Com resources, directory 669; 3Com technical support 645; 3WXM keys and certificates requirement 413; 802.11a 74, 224; 802.11b 74, 224; 802.11g 74, 224; 802.1Q tagging 90; 802.1X: authentication 449, authentication port control 532, au...

  • Page 708

    708 Index. sessions, clearing 557; sessions, displaying 557; Telnet client sessions, displaying and clearing 559; Telnet sessions, displaying and clearing 559; AeroScout RFID tag support 323; affinity 90: configuring 93, in roaming VLANs 160, number 160; aging timeout: ARP 131, FDB 99; alert logging level 624; a...

  • Page 709

    Index 709. Calling-Station-Id attribute 656; case in usernames and passwords 58; Catalyst switch, interoperating with load-sharing port groups 87; CCMP 284: enabling 291, 297; certificate authority: certificate source 415, enrolling with 424; certificate signing request (CSR) 420, 421: defined 417, generating...

  • Page 710

    710 Index. logging system messages to 627; no authentication 57; passwords 59; sessions, clearing 558; sessions, displaying 558; target 624; conventions: CLI 27, notice icons, about this guide 23, text, about this guide 24; CoS (class of service): default 382, filtering by, in security ACLs 380, priority assigne...

  • Page 711

    Index 711. enabled mode. See enabled access; encrypted SSID 207; encryption: effects of authentication methods on 448, assigning a type locally 496, assigning a type on a RADIUS server 497, clearing types from users 497, configuration scenarios 302, effects of authentication on 448, radios 281; encryption key...

  • Page 712

    712 Index. other-querier-present interval, configuring 371; proxy reporting 370; pseudo-querier 370; querier, displaying 375; query interval 370; query interval, configuring 371; query response interval 370; query response interval, configuring 371; robustness value 371; robustness value, configuring 371; rou...

  • Page 713

    Index 713. defined 499; disabling 503; displaying rules in 502; order of rules in 502; location policy rules: clearing 503, configuring 501, defined 500, displaying 502, positioning 502, reassigning security ACLs 502; lock-out user, restore 70; log configuration 630; log message components 623; logging console 62...

  • Page 714

    714 Index. monitoring roaming users 162; names 154; roaming VLANs in 160; seed 153, 154; status 155; mobility points (MAPs): Wi-Fi Multimedia (WMM) 327; mobility profile 510, 511: authorization 510, defined 510; Mobility System Software CLI. See CLI (command-line interface); mobility-profile attribute, descrip...

  • Page 715

    Index 715. other-querier-present interval 370: configuring 371; OTP 423, 429; outbound authorization password 459; output filters, reassigning 502; override, local, scenario 64; P: packets: CoS handling 382, denying or permitting with security ACLs 377; pass-through authentication: configuration scenario 514, c...

  • Page 716

    716 Index. STP port cost, configuring 354; STP port cost, displaying 362; STP port priority 353; STP port priority, configuring 355, 356; Telnet 117; types. See port types; VLANs, configuration scenario 100; wired, authentication on 532; Power over Ethernet. See PoE (Power over Ethernet); preamble length 244...

  • Page 717

    Index 717. value characteristics 651; VLAN assignment 88; VSAs 659; RADIUS proxy 482; range operator in security ACLs 385; reauthentication: 802.1X client 536, interval 537, number of attempts 537; reauthorization attempts 537; receivers, multicast 376; recovering the system, lost password 622; redundancy MAP l...

  • Page 718

    718 Index. network domain 174; overriding VLAN assignment 516; PEAP-MS-CHAP-V2 configuration 514; PEAP-MS-CHAP-V2 offload authentication 515; PEAP-MS-CHAP-V2 with pass-through authentication 516; port and VLAN configuration 100; problems in configuration order 508; RADIUS and server group configuration 528...

  • Page 719

    Index 719. Simple Network Time Protocol. See NTP (Network Time Protocol); single asterisks (*): in MAC address globs 31, in network session information 560, in user globs 30, in VLAN globs 32, wildcard 34; SNMP: community strings 140, informs 144, notifications, rogue detection 584, trap receiver 148, traps 144...

  • Page 720

    720 Index. system logs: configuring 625, destinations 623, disabling output to the console 628, displaying the configuration of 630, managing 623, message components 623, severity levels 624; system recovery, lost password 622; system time, configuring 124; T: table of 3Com support contact numbers 668; tabs, fo...

  • Page 721

    Index 721. incomplete boot load 621; invalid certificate 620; missing configuration 621; MSS debugging via trace 631; MSS logging 623; no network access 621; system trace files for 599; VLAN authorization failure 621; WX switch 619; TTY sessions, current, logging system messages to 629; Tunnel-Private-Group-I...

  • Page 722

    722 Index. disconnected, troubleshooting 621; displaying 95; mapping security ACLs to 392; overriding assignment with the location policy 516; ports, configuration scenario 100; removing 93; roaming, displaying 160; tagging 90; user assignment 88; see also VLAN globs; VLAN ID or name; VLAN names; vlan-name a...

  • Page 723: Command

    Command Index. B: backup system 613, 616; C: clear ap 77, 227; clear ap radio 251; clear boot config 612; clear dot1x bonded-period 453; clear dot1x max-req 535; clear dot1x port-control 532; clear dot1x quiet-period 539; clear dot1x reauth-max 537; clear dot1x reauth-period 537; clear dot1x timeout auth-serve...

  • Page 724

    726 Command Index. clear snmp usm 141; clear snoop 641; clear snoop map 642; clear spantree portcost 354; clear spantree portpri 356; clear spantree portvlancost 354; clear spantree portvlanpri 356; clear spantree statistics 365; clear summertime 126; clear system idle-timeout 119; clear system ip-address 10...

  • Page 726

    728 Command Index. set boot configuration-file 611; set dot1x authcontrol 531; set dot1x bonded-period 453; set dot1x key-tx 533; set dot1x max-req 535; set dot1x port-control 532; set dot1x quiet-period 538; set dot1x reauth 536; set dot1x reauth-max 536; set dot1x reauth-period 537; set dot1x timeout auth-...

  • Page 727

    Command Index 729. set radio-profile service-profile 249, 295, 298; set radio-profile wmm-powersave 342; set radius 522; set radius proxy client 485; set radius proxy port 485; set radius server 523; set radius server address key 523; set radius server author-password 459; set rfdetect attack-list 578; set ...

  • Page 728

    730 Command Index. set usergroup attr filter-id 494; set vlan name 91; set vlan port 92; set vlan tunnel-affinity 93; set vlan-profile 253; T: telnet 132; traceroute 134; U: uninstall soda-agent 554.