3Com WX1200 Switch User Manual
Contents
1. BE GIN C TIBATC ERTIFICATE P3wI BADA2MOswCQYDVQQGEWJVUzELMAkGA1LUECBMCQOExGj AYBgNVBAMU EXR1LY2hwdWJzQHRycHouY2 9tMIG MAOGCSqGS Ib3DQEBAQAA4GNADCBi QKBgQC4 2L809tk G2As 840Y Lm8wmVY gt xP56M CUAm908C2f0YgOY40 eee F D CERTIFICATI a See Also crypto generate request on page 474 crypto generate self signed on page 476 crypto generate key 473 crypto generate key Generates an RSA public private encryption key pair that is required for a Certificate Signing Request CSR or a self signed certificate For SSH the command generates an SSH authentication key Syntax crypto generate key admin eap ssh web 512 1024 2048 admin Generates an administrative key pair for authenticating the WX switch to 3WXM or Web Manager eap Generates an EAP key pair for authenticating the WX switch to 802 1X supplicants clients a ssh Generates a key pair for authenticating the WX switch to Secure Shell SSH clients web Generates an administrative key pair for authenticating the WX switch to WebAAA clients 512 1024 2048 Length of the key pair in bits The minimum key size for SSH is 1024 Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage You can overwrite a key by generating another key of the sa2. E NP RAND RESOLV RIB ROAM ROGUE SM SNMPD SPAN STORE E TCPSSL TELNET TFTP TLS TUNNEL VLAN X509 XML MAP W EAP FP STAT SSHD SUP DNSD CONFIG BACKUP The following command displays logged messages for the AAA facility WX4400 display log buffer facility AAA AAA Jun 25 09 11 32 579848 ERROR AAA NOTIFY ERR AAA got SM special event 98 on locality 3950 which is gone 612 CHAPTER 23 SYSTEM LOG COMMANDS See Also Clear log on page 609 display log config on page 612 display log config Displays log configuration information Syntax display log config Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To display how logging is configured type the following command WX4400 display log config Logging console disabled Logging console severity DEBUG Logging sessions disabled Logging sessions severity INFO Logging buffer enabled Logging buffer severity DEBUG Logging trace enabled Logging trace severity DEBUG Logging buffer size 10485760 bytes Log marking disabled Log marking severity NOTICE Log marking interval 300 seconds Logging server 1031 1510 severity DEBUG Current session disabled Current session severity INFO See Also setlog on page 614 Clear log on page 609 display log trace 613 display log trace Displays system information
3. holddown Minimum number of seconds a radio must remain on its current channel setting before RF Auto Tuning is allowed to change the channel You can specify from 0 to 65535 seconds Defaults The default RF Auto Tuning channel holddown is 900 seconds Access Enabled History Introduced in MSS Version 3 0 set radio profile auto tune channel interval 351 Usage The channel holddown applies even if RF anomalies occur that normally cause an immediate channel change Examples The following command changes the channel holddown for radios in radio profile ro2 to 600 seconds WX4400 set radio profile rp2 auto tune channel holddown 600 success change accepted See Also set radio profile auto tune channel config on page 349 set radio profile auto tune channel interval on page 351 set radio profile auto tune channel interval Sets the interval at which RF Auto Tuning decides whether to change the channels on radios in a radio profile At the end of each interval MSS processes the results of the RF scans performed during the previous interval and changes radio channels if needed Syntax set radio profile name auto tune channel interval seconds name Radio profile name a seconds Number of seconds RF Auto Tuning waits before changing radio channels to adjust to RF changes if needed You can specify from O to 65535 seconds Defaults The default channel interval is 3600 seconds
4. Commands by Usage This chapter presents snoop commands alphabetically Use the following table to locate commands in this chapter based on their use Table 108 Remote Monitoring Snooping Commands By Usage Remote set snoop on page 599 monitoring snooping display snoop info on page 604 clear snoop on page 598 set snoop map on page 602 display snoop map on page 605 display snoop on page 604 clear snoop map on page 598 set snoop mode on page 603 display snoop stats on page 606 598 CHAPTER 22 SNOOP COMMANDS clear snoop Deletes a snoop filter Syntax clear snoop filter name a filter name Name of the snoop filter Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command deletes snoop filter snoop7 WX1200 clear snoop snoop1 See Also set snoop on page 599 display snoop info on page 604 clear snoop map Removes a snoop filter from a MAP radio Syntax clear snoop map filter name dap dap num radio 1 2 a filter name Name of the snoop filter dap dap num Number of a Distributed MAP to which to snoop filter is mapped radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command removes snoop filt
5. display config Displays the configuration running on the WX switch Syntax display config area area all a area area Configuration area You can specify one of the following aaa acls ap arp eapol display config 575 httpd ip a ip config a log mobility domain a ntp a portconfig a portgroup radio profile a rfdetect a service profile sm snmp snoop spantree a system a trace vlan a vilan fdb If you do not specify a configuration area nondefault information for all areas is displayed al1 Includes configuration items that are set to their default values Defaults None Access Enabled History Introduced in MSS Version 3 0 New options added for remote traffic monitoring snoop and rfdevice changed to rfdetect in MSS Version 4 0 Usage If you do not use one of the optional parameters configuration commands that set nondefault values are displayed for all configuration areas If you specify an area commands are displayed for that area only If you use the all option the display also includes commands for configuration items that are set to their default values 576 CHAPTER 20 FILE MANAGEMENT COMMANDS Examples The following command shows configuration information for VLANs WX4400 display config area vlan Configuration nvgen d at 2004 5 21 19 36 48 Image 3 0 0 Model WX4400 Last change occurred at 2004
6. internal uses the internal antenna instead set fap dap radio auto tune max power 335 a antennatype ANT 1360 OUT ANT5360 OUT ANT5060 ANT5120 OUT internal 802 11a external antenna models ANT1360 ouT 360 802 11b g antenna ANT5360 ouT 360 802 11a antenna ANT5060 ouT 60 802 11a antenna ANT5120 ouT 120 802 11a antenna internal uses the internal antenna instead Defaults All radios use the internal antenna by default if the MAP model has an internal antenna The MP 620 802 1 1b g radio uses model ANT 1360 OUT by default The MP 620 802 11a radio uses model ANT 5360 OUT by default The MP 262 802 11b g radio uses model ANT1060 by default Access Enabled History Introduced in MSS Version 3 0 Model numbers added for 802 11a external antennas and the default changed to internal except for the MP 262 in MSS Version 3 2 Model numbers added for MP 620 external antennas Examples The following command configures the 802 1 1b g radio on Distributed MAP 1 to use antenna model ANT1060 WX4400 set dap 1 radio 1 antennatype ANT1060 success change accepted See Also display ap dap config on page 290 set ap dap radio auto tune max power Sets the maximum power that RF Auto Tuning can set on a radio Syntax set ap port list dap dap num auto radio 1 2 auto tune max power power level ap port list List of ports connec
7. Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command changes the long retry threshold for radio profile rp7 to 8 WX4400 set radio profile rpl long retry 8 success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile short retry on page 369 360 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set radio profile max rx lifetime Changes the maximum receive threshold for the MAP radios in a radio profile The maximum receive threshold specifies the number of milliseconds that a frame received by a radio can remain in buffer memory Syntax set radio profile name max rx lifetime time name Radio profile name time Number of milliseconds You can enter a value from 500 0 5 second through 250 000 250 seconds Defaults The default maximum receive threshold for MAP radios is 2000 ms 2 seconds Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command changes the maximum receive threshold for radio profile ro1 to 4000 ms WX4400 set radio
8. Enabled History Introduced in MSS Version 3 0 Usage This command applies only to the default VLAN VLAN 1 To change the priority of a port in another VLAN use the set spantree portvlanpri command Examples The following command sets the priority of ports 3 and 4 to 48 WX1200 set spantree portpri 3 4 priority 48 success change accepted See Also a clear spantree portpri on page 395 Clear spantree portvlanpri on page 396 display spantree on page 398 set spantree portvianpri on page 418 set spantree portviancost 417 set spantree portvlancost Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a wireless LAN switch Syntax set spantree portvlancost port list cost cost all vlan vlan id port list List of ports MSS applies the cost change to all the specified ports cost cost Numeric value You can specify a value from 1 through 65 535 STP selects lower cost paths over higher cost paths a all Changes the cost on all VLANs vlan vlan id VLAN name or number MSS changes the cost on only the specified VLAN Defaults The default port cost depends on the port speed and link type See Table 68 on page 393 Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the cost on ports 3 and 4 to 20 in VLAN mauve WX1200 set spantree portvlancost 3 4 cost 20 vlan
9. The DHCP server is enabled by default on a new unconfigured WXR100 in order to provide an IP address to the host connected to the switch for access to the Web Quick Start On all switch models the DHCP server is enabled and cannot be disabled for directly connected MAPs The DHCP server is disabled by default for any other use Access Enabled History Introduced in MSS Version 4 0 Usage By default all addresses except the host address of the VLAN the network broadcast address and the subnet broadcast address are included in the range If you specify the range the start address must be lower than the stop address and all addresses must be in the same subnet The IP interface of the VLAN must be within the same subnet but is not required to be within the range set interface status 163 Examples The following command enables the DHCP server on VLAN red vlan to serve addresses from the 192 168 1 5 to 192 168 1 25 range WX1200 set interface red vlan ip dhcp server enable start 192 168 1 5 stop 192 168 1 25 success change accepted See Also display dhcp server on page 140 set interface status Administratively disables or reenables an IP interface Syntax set interface vlan id status up down a vlan id VLAN name or number a up Enables the interface a down Disables the interface Defaults IP interfaces are enabled by default Access Enabled History Introduced in
10. ciphers cipher tkip authentication 802 1X TKIP countermeasures time 60000ms vlan name orange session timeout 300 service type 2 Table 64 describes the fields in this display Table 64 Output for display service profile Field Description ssid name Service set identifier SSID managed by this service profile ssid type SSID type crypto Wireless traffic for the SSID is encrypted clear Wireless traffic for the SSID is unencrypted 322 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 64 Output for display service profile continued Field Description beacon Indicates whether the radio sends beacons to advertise the SSID m NO yes auth fallthru Secondary fallthru encryption type when a user tries to authenticate but the WX switch managing the radio does not have an authentication rule with a userglob that matches the username a last resort Automatically authenticates the user and allows access to the SSID requested by the user without requiring a username and password a none Denies authentication and prohibits the user from accessing the SSID a web auth Redirects the user to a web page for login to the SSID WEP Key 1 value State of static WEP key number 1 Radios can use this key to encrypt traffic with static Wired Equivalent Privacy WEP none T he key is not configured preset The key is configured Note The WEP pa
11. set rfdetect vendor list client ap mac addr client ap Specifies whether the entry is for an AP brand or a client brand a mac addr Organizationally Unique Identifier OUI to remove 562 CHAPTER 19 RF DETECTION COMMANDS Defaults The permitted vendor list is empty by default and all vendors are allowed However after you add an entry to the list MSS allows only the devices whose OUls are on the list Access Enabled History Introduced in MSS Version 4 0 Usage The permitted vendor list applies only to the WX switch on which the list is configured WX switches do not share permitted vendor lists If you add a device that MSS has classified as a rogue to the permitted vendor list but not to the ignore list MSS can still classify the device as a rogue Adding an entry to the permitted vendor list merely indicates that the device is from an allowed vendor However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list Examples The following command adds an entry for clients whose MAC addresses start with aa bb cc WX1200 set rfdetect vendor list client aa bb cc 00 00 00 success MAC aa bb cc 00 00 00 is now in client vendor list The trailing 00 00 00 value is required See Also Clear rfdetect vendor list on page 537 display rfdetect vendor list on page 551 20 FILE MANAGEMENT COMMANDS Use file management comman
12. set service profile auth psk on page 375 set service profile psk phrase on page 381 set service profile wpa ie on page 391 set service profile rsn ie Enables the Robust Security Network RSN Information Element IE The RSN IE advertises the RSN authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile Syntax set service profile name rsn ie enable disable name Service profile name enable Enables the RSN IE disable Disables the RSN IE Defaults The RSN IE is disabled by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command enables the RSN IE in service profile sorsn WX4400 set service profile sprsn rsn ie enable success change accepted See Also set service profile cipher ccmp on page 377 384 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set service profile shared key auth Enables shared key authentication in a service profile Use this command only if advised to do so by 3Com This command does not enable preshared key PSK authentication for Wi Fi Protected Access WPA To enable PSK encryption for WPA use the set service profile auth psk command Syntax set service profile name shared key auth enable disable name Service profile name enable Enables shared key authentication disable Disables shared key authentication Def
13. severity severity level Displays messages at a severity level greater than or equal to the level specified Specify one of the following emergency The WX switch is unusable alert Action must be taken immediately a critical You must resolve the critical conditions If the conditions are not resolved the WX can reboot or shut down error The WX is missing data or is unable to form a connection warning A possible problem exists notice Events that potentially can cause system problems have occurred These are logged for diagnostic purposes No action is required info Informational messages only No problem exists debug Output from debugging Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The debug level produces a lot of messages many of which can appear to be somewhat cryptic Debug messages are used primarily by 3Com for troubleshooting and are not intended for administrator use Examples Type the following command to see the facilities for which you can view event messages archived in the buffer WX4400 display log buffer facility lt facility name gt ASO BOOT IGMP IP SYS TAG 2 r C MISC NOS GR Select one of KERNEL AAA SYSLOGD ACL APM ARP iI CLUSTER COPP CRYPTO DOT1X NET ETHERNET GATEWAY HTTPD TBRIDG RAPDA WE BVIE
14. string Alphanumeric string up to 256 characters long with no blank spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 To view the system contact string type the display system command Examples The following command sets the system contact information to tamara example com WX1200 set system contact tamara example com success change accepted 56 CHAPTER 3 SYSTEM SERVICE COMMANDS See Also a Clear system on page 40 display system on page 43 set system location on page 59 set system name on page 60 set system Defines the country specific IEEE 802 11 regulations to enforce on the countrycode WX switch Syntax set system countrycode code a code Two letter code for the country of operation for the WX switch You can specify one of the codes listed in Table 8 Table 8 Country Codes Country Code Australia AU Austria AT Belgium BE Brazil BR Canada CA China CN Czech Republic CZ Denmark DK Finland FI France FR Germany DE Greece GR Hong Kong HK Hungary HU Iceland IS India IN Ireland IE Israel IL Italy IT Table 8 Country Codes continued Country Code Japan JP Liechtenstein LI Luxembourg LU Malaysia MY Mexico MX Netherlands NL New Zealand NZ Norway NO Poland PL Portugal PT Saudi Arabia SA Singapore SG Slovakia SK Slovenia SI South Africa ZA South Korea KR Spain ES Sweden SE Switzerland CH Taiwan TW Thailand
15. Access Enabled History Introduced in MSS Version 4 1 Examples The following command displays the default QoS settings WX1200 display gos default Ingress QoS Classification Map dscp to cos Ingress DSCP CoS Level 00 09 0 0 0 0 0 0 0 0 1 10 19 I 1 1 1 1 1 2 2 2 20 29 2 2 2 2 3 3 3 3 3 l 30 39 3 3 4 4 4 4 4 4 4 40 49 5 5 5 5 5 5 5 5 6 50 59 6 6 6 6 6 6 7 7 7 f 60 63 7 7 7 7 Egress QoS Marking Map cos to dscp CoS Level 0 1 2 3 4 5 6 7 Egress DSCP 0 8 16 24 32 40 48 56 Egress ToS byte 0x00 0x20 0x40 0x60 0x80 OxA0 0xCO0 OxE0O See Also display qos dscp table on page 124 124 CHAPTER 6 QUALITY OF SERVICE COMMANDS display qos Displays a table that maps Differentiated Services Code Point DSCP dscp table values to their equivalent combinations of IP precedence values and IP ToS values Syntax display qos dscp table Defaults None Access Enabled History Introduced in MSS Version 4 0 as the display security acl dscp command and renamed in MSS Version 4 1 Examples The following command displays the table WX1200 display qos dscp table DSCP TOS precedence tos dec hex dec hex 0 0x00 0 0x00 0 0 1 0x01 4 0x04 0 2 2 0x02 8 0x08 0 4 63 Ox3f 252 Oxfec 7 14 See Also display qos on page 123 Commands by Usage IP SERVICES COMMANDS Use IP services commands to configure and manage IP interfaces management services the Domain Name Serv
16. Common Name wxl example com Email Address Unstructured Name success self signed cert for admin generated 478 CHAPTER 15 CRYPTOGRAPHY COMMANDS See Also crypto certificate on page 471 crypto generate key on page 473 crypto otp Sets a one time password OTP for use with the crypto pkcs12 command Syntax crypto otp admin eap web one time password admin Creates a one time password for installing a PKCS 12 object file for an administrative certificate and key pair and optionally the certificate authority s own certificate to authenticate the WX switch to 3WXM or Web Manager eap Creates a one time password for installing a PKCS 12 object file for an EAP certificate and key pair and optionally the certificate authority s own certificate to authenticate the WX switch to 802 1X supplicants clients web Creates a one time password for installing a PKCS 12 object file for a WebAAA certificate and key pair and optionally the certificate authority s own certificate to authenticate the WX switch to WebAAA clients one time password Password of at least 1 alphanumeric character with no spaces for clients other than Microsoft Windows clients The password must be the same as the password protecting the PKCS 12 object file Note On an WX switch that handles communications to and from Microsoft Windows clients use a one time password of 31 characters or fewer The followi
17. Enabled 346 CHAPTER 11 MANAGED ACCESS POINT COMMANDS History Introduced in MSS 4 0 Usage This parameter applies to all Distributed MAPs managed by the switch If you change the setting to required the switch requires Distributed MAPs to have encryption keys The switch also requires their fingerprints to be verified in MSS When MAP security is required a MAP can establish a management session with the WX only if its fingerprint has been verified by you in MSS A change to MAP security support does not affect management sessions that are already established To apply the new setting to a MAP restart the MAP Examples The following command configures a WX to require Distributed MAPs to have encryption keys WxX4400 set dap security require See Also set dap fingerprint on page 331 set service profile cipher wep40 on page 380 on page 391 display ap dap status on page 304 set ap dap upgrade firmware Disables or reenables automatic upgrade of a MAP access point s boot firmware Syntax set ap port list dap dap num auto upgrade firmware enable disable ap port list List of ports connected to the MAP access point s on which to allow automatic firmware upgrades dap dap num Number of a Distributed MAP on which to allow automatic firmware upgrades dap auto Configures firmware upgrades for the MAP configuration profile See set dap auto on page 325
18. History Introduced in MSS Version 4 0 Usage To display the mappings for a specific MAP radio use the display snoop map command Examples The following command shows the MAP radio mappings for all snoop filters configured on a WX switch WX1200 display snoop Dap 3 Radio 2 snoopl snoop2 Dap 2 Radio 2 snoop2 See Also a Clear snoop map on page 598 set snoop map on page 602 display snoop map on page 605 display snoop info Shows the configured snoop filters Syntax display snoop filter name filter name Name of the snoop filter Defaults None Access Enabled History Introduced in MSS Version 4 0 display snoop map 605 Examples The following command shows the snoop filters configured in the examples above WX1200 display snoop info snoopl observer 10 10 30 2 snap length 100 all packets snoop2 observer 10 10 30 3 snap length 100 frame type eq data mac pair aa bb cc dd ee ff 11 22 33 44 55 66 See Also Clear snoop on page 598 set snoop on page 599 display snoop map Shows the MAP radios that are mapped to a specific snoop filter Syntax display snoop map filter name filter name Name of the snoop filter Defaults None Access Enabled History Introduced in MSS Version 4 0 Usage To display the mappings for all snoop filters use the display snoop command Examples The following command shows the mappi
19. If you do not use the force option the command first compares the running configuration to the configuration file If the running configuration and configuration file do not match MSS does not restart the WX switch but instead displays a message advising you to either save the configuration changes or use the force option Examples The following command restarts an WX switch that does not have any unsaved configuration changes WX4400 reset system This will reset th ntire system Are you sure y n y The following commands attempt to restart an WX switch with a running configuration that has unsaved changes and then force the switch to restart WX4400 reset system error Cannot reset due to unsaved configuration changes Use reset system force to override WX4400 reset system force date Snel rebooting See Also display boot on page 573 display version on page 576 save config on page 584 restore 583 restore Unzips a system archive created by the backup command and copies the files from the archive onto the switch Syntax restore system tftp ip addr filename all critical Defaults Critical Access Enabled History Introduced in MSS Version 3 2 Usage If a file in the archive has a counterpart on the switch the archive version of the file replaces the file on the switch The restore command does not delete files that do not have counterparts in the archive For
20. None Access Enabled History Introduced in MSS Version 3 0 Usage For simplicity this command displays a single entry for each 3Com radio even if the radio is supporting multiple BSSIDs However BSSIDs for third party 802 11 radios are listed separately even if a radio is supporting more than one BSSID Information is displayed for a radio if the radio sends beacon frames or responds to probe requests Even if a radio s SSIDs are unadvertised 3Com radios detect the empty beacon frames beacon frames without SSIDs sent by the radio and include the radio in the neighbor list 312 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command displays neighbor information for radio 1 on the directly connected MAP access point on port 2 WX1200 display auto tune neighbors ap 2 radio 1 Total number of entries for port 2 radio 1 5 Channel Neighbor BSS MAC RSSI 1 00 0b 85 06 e3 60 46 1 00 0b 0e 00 0a 80 78 1 00 0b 0e 00 d2 c0 74 1 00 0b 85 06 dd 00 50 L 00 0b 0e 00 05 c1 72 Table 59 describes the fields in this display Table 59 Output for display auto tune neighbors Field Description Channel Channel on which the BSSID is detected Neighbor BSS MAC BSSID detected by the radio RSSI Received signal strength indication RSSI in decibels referred to 1 milliwatt dBm A higher value indicates a stronger signal See Also display auto tune attributes on page 309
21. dap dap num Number of a Distributed MAP on which to set the transmit power radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models tx power power level Number of decibels in relation to 1 milliwatt dBm The valid values depend on the country of operation The maximum transmit power you can configure on any 3Com radio is the maximum allowed for the country in which you plan to operate the radio or one of the following values if that value is less than the country maximum on an 802 11a radio 11 dBm for channel numbers less than or equal to 64 or 10 dBm for channel numbers greater than 64 on an 802 11b g radio 16 dBm for all valid channel numbers for 802 11b or 14 dBm for all valid channel numbers for 802 11g Defaults The default transmit power on all MAP radio types is the highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Access Enabled History Introduced in MSS Version 3 0 Usage You also can configure a radio s channel on the same command line Use the channel option This command is not valid if dynamic power tuning RF Auto Tuning is enabled set dap security 345 Examples The following command configures the transmit power on the 802 11a radio on the MAP access point connected to port 5 WX1200 set ap 5 radio 1 tx power 10 success change accep
22. display accounting statistics on page 222 set authentication admin 229 set authentication admin Configures authentication and defines where it is performed for specified users with administrative access through Telnet or Web Manager Syntax set authentication admin user glob methodl method2 method3 method4 a user glob Single user or set of users with administrative access over the network through Telnet or Web Manager Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 methodl method2 method3 method4 At least one of up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database of usernames and user groups on the WX switch for authentication a server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods none For users with administrative access only MSS performs no authentication but prompts for a username and password and accepts any combination o
23. display vlan config on page 111 set security I2 restrict on page 114 118 CHAPTER 5 VLAN COMMANDS set vian tunnel affinity Changes a wireless LAN switch s preferability within a mobility domain for tunneling user traffic for a VLAN When a user roams to a WX switch that is not a member of the user s VLAN the WX can forward the user traffic by tunneling to another WX switch that is a member of the VLAN Syntax set vlan vlan id tunnel affinity num a vilan id VLAN name or number a num Preference of this switch for forwarding user traffic for the VLAN You can specify a value from 1 through 10 A higher number indicates a greater preference Defaults Each VLAN on a WX switch s network ports has an affinity value of 5 by default Access Enabled History Introduced in MSS Version 3 0 Usage Increasing a WX switch s affinity value increases the WX s preferability for forwarding user traffic for the VLAN If more than one WX switch has the highest affinity value MSS randomly selects one of the WX switches for the tunnel Examples The following command changes the VLAN affinity for VLAN beige to 10 WX4400 set vlan beige tunnel affinity 10 success change accepted See Also display roaming vlan on page 108 display vlan config on page 111 QUALITY OF SERVICE COMMANDS Use Quality of Service QoS commands to configure packet prioritization in MSS Packet prioritization ens
24. f boot0 boot1 filename c Nonvolatile storage area containing boot partition O primary a Nonvolatile storage area containing boot partition 1 secondary e Primary partition of the flash card in the flash card slot Secondary partition of the flash card in the flash card slot boot0 Boot partition 0 boot1 Boot partition 1 filename System image filename helo 631 Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage To display the image filenames use the dir command This command does not list the boot code versions To display the boot code versions use the version command Examples The following command displays the system image version installed in boot partition 1 boot gt ver bootl File bootl default version is 3 0 1 See Also dir on page 627 version on page 636 help Displays a list of all the boot prompt commands or detailed information for an individual command Syntax help command name command name Boot prompt command Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage If you specify a command name detailed information is displayed for that command If you do not specify a command name all the boot prompt commands are listed 632 CHAPTER 24 BOOT PROMPT COMMANDS Examples The following command displays detailed information
25. neq Applies the location policy rule to all users assigned VLAN names not matching vian glob For vian glob specify a VLAN name use the double asterisk wildcard character to specify all VLAN names or use the single asterisk wildcard character to specify a set of VLAN names up to or following the first delimiter character either an at sign or a period For details see VLAN Globs on page 28 user operator user glob Username and condition by which to determine if the location policy rule applies Replace operator with one of the following operands eq Applies the location policy rule to all usernames matching user glob neq Applies the location policy rule to all usernames not matching user g ob For user glob specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 before rule number Inserts the new location policy rule in front of another rule in the location policy Specify the number of the existing location policy rule To determine the number use the display location policy command 246 CHAPTER 8 AAA COMMANDS modify rule number Replaces the rule in the location policy with the new rule Specify the number of the
26. Access Enabled History Introduced in MSS 4 1 Examples To display Network Domain status type the following command The output of the command differs based on whether the WX switch is a member of a Network Domain or a Network Domain seed On a WX switch that is a Network Domain member the following output is displayed WX1200 display network domain Member Network Domain name California Member State Mode 10 8 107 1 UP SEED On a WX switch that is a Network Domain seed information is displayed about the Network Domains of which the WX switch is a member as well as Network Domain seeds with which the WX switch has a peer relationship For example WX1200 display network domain Network Domain name California Peer State 10 8 107 1 UP ember State Mode 106230 0 DOWN SEED ember Network Domain name ember State ode 10 8 107 1 UP MEMBER 10 45 00 DOWN SEED display network domain 279 Table 48 describes the fields in the display Table 48 Radio Specific Parameters Parameter Description Output if WX is the Network Domain Seed Network Domain name Name of the Network Domain for which the WX switch is a seed Peer IP addresses of the other seeds in the Network Domain State State of the connection between the WX switch and the peer Network Domain seeds UP DOWN Member IP addresses of the seed WX switch and members i
27. Access Enabled History Introduced in MSS Version 4 0 Examples The following command shows statistics for the MAP forwarding queues on a Distributed MAP WX4400 display dap qos stats 4 Cos Queue TX DAP 4 radio 1 1 2 Background 19 O73 BestEffort 437 4 95 Video 3034 6 7 Voice 3068 Cos Queue Tx DAP 4 radio 2 TF2 Background 11 O43 BestEffort 224 4 95 Video 3631 6 7 Voice 7892 display fap dap etherstats 301 Table 53 describes the fields in this display Table 53 Output for display ap dap qos stats Field Description CoS CoS value associated with the forwarding queues Queue Forwarding queue DAP Distributed MAP number or MAP port number Port radio Radio number TX Number of packets transmitted to the air from the queue display ap dap etherstats Displays Ethernet statistics for a MAP s Ethernet ports Syntax display ap dap etherstats port list dap num a port list List of WX switch ports directly connected to the MAPs for which to display counters dap num Number of a Distributed MAP for which to display counters Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays Ethernet statistics for the Ethernet ports on Distributed MAP 1 WX4400 display dap etherstats 1 DAP 1 ether 1 RxUnicast 75432 TxGoodFrames 55210
28. Access Enabled History Introduced in MSS Version 4 1 Usage To clear MAC addresses from the list of addresses to which clients are allowed to send data use the clear security 12 restrict command instead Examples The following command clears Layer 2 forwarding restriction statistics for VLAN abc_air Wx4400 clear security 12 restrict counters vlan abc air success change accepted See Also Clear security 12 restrict on page 99 a set security I2 restrict on page 114 display security 12 restrict on page 109 clear vlan 101 clear vlan Removes physical or virtual ports from a VLAN or removes a VLAN entirely CAUTION When you remove a VLAN MSS completely removes the VLAN from the configuration and also removes all configuration information that uses the VLAN If you want to remove only a specific port from the VLAN make sure you specify the port number in the command Syntax clear vlan vlan id port port list tag tag value vlan id VLAN name or number port port list List of physical ports MSS removes the specified ports from the VLAN If you do not specify a list of ports MSS removes the VLAN entirely tag tag value Tag number that identifies a virtual port MSS removes only the specified virtual port from the specified physical ports Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage If you do not specify a port ist the
29. Enabled History Introduced in MSS Version 3 0 132 CHAPTER 7 IP SERVICES COMMANDS Examples The following command removes NTP server 192 168 40 240 from a WX switch configuration WX4400 clear ntp server 192 168 40 240 success change accepted See Also Clear ntp update interval on page 132 display ntp on page 149 set ntp on page 173 set ntp server on page 174 set ntp update interval on page 175 clear ntp update interval Resets the NTP update interval to the default value Syntax clear ntp update interval Defaults The default NTP update interval is 64 seconds Access Enabled History Introduced in MSS Version 3 0 Examples To reset the NTP interval to the default value type the following command WX4400 clear ntp update interval success change accepted See Also Clear ntp server on page 131 display ntp on page 149 set ntp on page 173 set ntp server on page 174 set ntp update interval on page 175 clear snmp community 133 clear snmp community Clears an SNMP community string Syntax clear snmp community name comm string comm string Name of the SNMP community you want to clear Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command clears community string setswitch2 WX1200 clear snmp community name setswitch2 success change accepted See Also set snmp
30. Name Ports magnolia AP 2 See Also Clear mobility profile on page 215 set mobility profile on page 255 set accounting admin console Sets up accounting services for specified wireless users with administrative access and defines the accounting records and where they are sent Syntax set accounting admin console user glob start stop stop only methodi method2 method3 method4 admin Users with administrative access to the WX switch through Telnet or Web Manager a console Users with administrative access to the WX switch through a console connection a user glob Single user or set of users with administrative access or network access Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 This option does not apply if mac is specified For mac specify a mac adar glob See MAC Address Globs on page 27 start stop Sends accounting records at the start and end of a network session a stop only Sends accounting records only at the end of a network session 226 CHAPTER 8 AAA COMMANDS methodl1 method2 method3 method4 At least one of up to four methods that MSS uses to process accounting records
31. Port Receiver IP Receiver MAC TTL 2 10 10 20 19 00 02 04 06 09 0d 112 3 10 10 30 31 00 02 04 06 01 0b 112 Port Receiver IP Receiver MAC TTL 1 10 10 40 41 00 02 06 08 02 0c 12 6 10 10 60 61 00 05 09 0c 0a 01 111 23152594299 6299 Table 78 describes the fields in this display Table 78 Output for display igmp receiver table Field Description VLAN VLAN that contains the multicast receiver ports Ports are listed separately for each VLAN Session IP address of the multicast group being received Port Physical port through which the WX can reach the receiver Receiver I P IP address of the receiver Receiver MAC MAC address of the receiver TTL Number of seconds before this entry ages out if the WX does not receive a group membership message from the receiver For static multicast receiver entries the TTL value is undef Static multicast receiver entries do not age out See Also set igmp receiver on page 441 display igmp statistics 431 display igmp Shows IGMP statistics statistics Syntax display igmp statistics vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays IGMP statistics for all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays IGMP statistics for VLAN orange WX1200 display igmp statistics vlan orange IGMP statistics for vlan orange IGMP message t
32. See set dap auto on page 325 radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models xradio profile name Radio profile name of up to 16 alphanumeric characters with no spaces mode enable Enables radios on the specified ports with the parameter settings in the specified radio profile mode disable Disables radios on the specified ports Defaults None Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage When you create a new profile the radio parameters in the profile are set to their factory default values To enable or disable all radios that use a specific radio profile use set radio profile Examples The following command enables radio 1 on ports 3 through 6 assigned to radio profile rp1 WX1200 set ap 3 6 radio 1 radio profile rpl mode enable success change accepted See Also Clear ap dap radio on page 286 display radio profile on page 317 344 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set ap dap radio mode on page 341 set radio profile mode on page 362 set ap dap radio tx power Sets a MAP radio s transmit power Syntax set ap port list dap dap num radio 1 2 tx power power level ap port list List of ports connected to the MAP access points on which to set the transmit power
33. When using RADIUS for authentication a MAC user s MAC address is also used as the default authorization password for that user and no global authorization password is set A last resort user s default authorization password is 3Com Access Enabled History Introduced in MSS Version 3 0 Usage For a given RADIUS server the first instance of this command must set both the server name and the IP address and can include any or all of the other optional parameters Subsequent instances of this command can be used to set optional parameters for a given RADIUS server To configure the server as a remote authenticator for the WX switch you must add it to a server group with the set server group command Do not use the same name for a RADIUS server and a RADIUS server group 496 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS Examples To set a RADIUS server named RS42 with IP address 198 162 1 1 to use the default accounting and authorization ports with a timeout interval of 30 seconds two transmit attempts 5 minutes of dead time and a key string of keys4u type the following command WX1200 set radius server RS42 address 198 162 1 1 timeout 30 retransmit 2 deadtime 5 key keys4U See Also display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication dot1x on page 233 set authentication last resort on page 236 set authentication mac on page 239
34. Wx4400 display spantree portvlancost 1 port 1 VLAN 1 have path cost 19 See Also Clear spantree portcost on page 394 Clear spantree portvlancost on page 395 display spantree on page 398 set spantree portcost on page 414 set spantree portviancost on page 417 display spantree statistics Displays STP statistics for one or more WX network ports Syntax display spantree statistics port list vlan vlan id port list List of ports If you do not specify any ports MSS displays STP statistics for all ports vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays STP statistics for all VLANs Defaults None Access All History Introduced in MSS Version 3 0 404 CHAPTER 12 STP COMMANDS Usage The command displays statistics separately for each port Examples The following command shows STP statistics for port 1 WX4400 display spantree statistics 1 BPDU related parameters Port 1 VLAN 1 spanning tree enabled for VLAN 1 port spanning tree enabled state Forwarding port_id 0x8015 port_number 0x5 path cost 0x4 message age port VLAN 0 20 designated root 00 0b 0e 00 04 30 designated cost 0x0 designated bridge 00 O0b 0e 00 04 30 designated port 38 top_change_ ack FALSE config pending FALSE port_inconsistency none Port based information statistics config BPDU s xmitted port VLAN QO 1 config B
35. a OK Fan is operating a Failed Fan is not operating MSS sends an alert to the system log every 5 minutes until this condition is corrected Fan 1 is located nearest the front of the chassis and fan 3 is located nearest the back Temperature Status of temperature sensors at three locations in the WX switch a ok Temperature is within the acceptable range of 0 C to 50 C 32 F to 122 F a Alarm Temperature is above or below the acceptable range MSS sends an alert to the system log every 5 minutes until this condition is corrected PSU Status Status of the lower and upper power supply units a missing Power supply is not installed or is inoperable a DC ok Power supply is producing DC power a DC output failure Power supply is not producing DC power MSS sends an alert to the system log every 5 minutes until this condition is corrected a AC ok Power supply is receiving AC power a AC not present Power supply is not receiving AC power 46 CHAPTER 3 SYSTEM SERVICE COMMANDS Table 7 display system output continued Field Description Memory Current size in megabytes of nonvolatile memory NVRAM and synchronous dynamic RAM SDRAM plus the percentage of total memory space in use in the following format NVRAM size SDRAM size percent of total Total Power Over Total power that the device is currently supplying to its Ethernet directly conne
36. clear mobility profile Removes a Mobility Profile entirely Syntax clear mobility profile name name Name of an existing Mobility Profile Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the Mobility Profile for user Nin WX1200 clear mobility profile Nin success change accepted See Also set mobility profile on page 255 set mobility profile mode on page 257 display mobility profile on page 224 clear user Removes a user profile from the local database on the WX switch for a user with a password To remove a user profile in RADIUS see the documentation for your RADIUS server Syntax clear user username username Username of a user with a password Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Deleting the user s profile from the database deletes the assignment of any attributes in the profile to the user 216 CHAPTER 8 AAA COMMANDS Examples The following command deletes the user profile for user Nin WX4400 clear user Nin success change accepted See Also display aaa on page 219 set user on page 258 clear user attr Removes an authorization attribute from the user profile in the local database on the WX switch for a user with a password To remove an authorization attribute from a RADIUS user profile see the documentation f
37. clear dot1x max req on page 501 Quiet Period and Timeouts set dot1x quiet period on page 513 clear dot1x quiet period on page 502 set dot1x timeout auth server on page 515 clear dot1x timeout auth server on page 504 set dot1x timeout supplicant on page 516 clear dot1x timeout supplicant on page 504 Settings Active Clients and display dot1x on page 505 Statistics clear dot1x bonded period Resets the Bonded Auth bonded authentication period to its default value The bonded period is the number of seconds MSS retains session information for an authenticated machine while waiting for an 802 1X client on the machine to start re authentication for the user When bonded authentication is enabled it applies only to an 802 1X user whose authentication rule on the WX switch contains the bonded option Syntax clear dotlx bonded period Defaults The default bonded authentication period is O seconds which disables the feature Access Enabled History Introduced in MSS Version 3 0 Examples To reset the Bonded period to its default type the following command WX4400 clear dotlx bonded period success change accepted clear dot1x max req 501 See Also display dot1x on page 505 set dot1x bonded period on page 509 clear dot1x max req Resets to the default setting the number of Extensible Authentication Protocol EAP requests that the WX switch retransmits to a
38. set accounting dotlx mac web last resort ssid ssid name wired user glob mac addr glob start stop stop only methodi method2 method3 method4 dot1x Users with network access through the WX switch who are authenticated by 802 1X mac Users with network access through the WX switch who are authenticated by MAC authentication web Users with network access through the WX switch who are authenticated by WebAAA ssid ssid name SSID name to which this accounting rule applies To apply the rule to all SSIDs type any wired Applies this accounting rule specifically to users who are authenticated on a wired authentication port user glob Single user or set of users with administrative access or network access Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 This option does not apply if mac or last resort is specified For mac specify a mac adadr glob See MAC Address Globs on page 27 mac addr glob A single user or set of users with access via a MAC address Specify a MAC address or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 This option a
39. set system ip address 59 set system ip address AN Sets the system IP address so that it can be used by various services in the WX switch CAUTION Any currently configured Mobility Domain operations cease if you change the IP address If you change the address you must reset the Mobility Domain Syntax set system ip address ip addr a ip addr IP address in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the IP address of the WX switch to 192 168 253 1 WX4400 set system ip address 192 168 253 1 success change accepted See Also Clear system on page 40 set interface on page 160 display system on page 43 set system location Stores location information for the WX switch Syntax set system location string string Alphanumeric string up to 256 characters long with no blank spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You cannot include spaces in the system location string 60 CHAPTER 3 SYSTEM SERVICE COMMANDS To view the system location string type the display system command Examples To store the location of the WX switch in the WX s configuration type the following command WX4400 set system location first floor bldg3 success change accepted See Also a Clear system on page 40 display system on page
40. 32 NONE no encryption 64 Static WEP In addition to these values you can specify a sum of them for a combination of allowed encryption types For example to specify WEP_104 and WEP_4O use 24 250 CHAPTER 8 AAA COMMANDS Table 44 Authentication Attributes for Local Users continued end date Date and time after which the user is no longer allowed to be on the network Date and time in the following format YY MM DD HH MM You can use end date alone or with start date You also can use start date end date or both in conjunction with time of day filter id Inbound or outbound ACL to apply to the user If configured in the WX switch s local database this attribute can be an access control list ACL to filter outbound or inbound traffic Use the following format filter id inboundacl in or filter id outboundacl out If you are configuring the attribute on a RADIUS server the value field of filter id can specify up to two ACLs Any of the following are valid filter id Profile acl1 filter id OutboundACL acl2 filter id Profile acl1 OutboundACL acl2 Each example goes on a single line on the server The format in which to specify the values depends on the RADIUS server Regardless of whether the attributes are defined locally or on a RADIUS server the ACLs must already be configured on the WX switch idle timeout This option is not implemented in th
41. History Introduced in MSS Version 4 1 Examples To display the CPU load recorded from the time the WX switch was booted as well as from the previous time the display load command was run type the following command WX4400 display load System Load overall 2 delta 5 The overall field shows the CPU load as a percentage from the time the WX switch was booted The delta field shows CPU load as a percentage from the last time the display load command was entered See Also display system on page 43 display system Shows system information Syntax display system Defaults None Access Enabled 44 CHAPTER 3 SYSTEM SERVICE COMMANDS Examples To show system information type the following command WX4400 display system Product Name System Name wx4400 WxX bldg3 System Countrycode US System Location first floor bldg3 System Contact tamara example com System IP 192 168 12 7 System idle timeout 3600 System MAC 00 0B 0E 00 04 30 Boot Time Uptime 2003 11 07 15 45 49 13 days 04 29 10 Fan status fanl OK fan2 OK fan3 OK Temperatur PSU Status Memory templ ok temp2 ok temp3 o k Lower Power Supply DC ok AC ok Upper Power Supply missing 97 04 744 03 13 Total Power Over Ethernet 29 000 Table 7 describes the fields of display system output Table 7 display system output Field Description
42. History Introduced in MSS Version 4 0 display rfdetect vendor list 551 Examples The following example shows the permitted SSID list on WX switch WX4400 display rfdetect ssid list Total number of entries 3 SSID mycorp corporate guest See Also clear rfdetect ssid list on page 536 set rfdetect ssid list on page 560 display rfdetect vendor list Displays the entries in the permitted vendor list Syntax display rfdetect vendor list Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following example shows the permitted vendor list on WX switch WX1200 display rfdetect vendor list Total number of entries 1 OUI Type aa bb cc 00 00 00 client 11 22 33 00 00 00 ap See Also Clear rfdetect vendor list on page 537 set rfdetect vendor list on page 561 552 CHAPTER 19 RF DETECTION COMMANDS display rfdetect Displays the BSSIDs discovered by a specific 3Com radio The data visible includes BSSIDs transmitted by other 3Com radios as well as by third party access points Syntax display rfdetect visible mac addr Syntax display rfdetect visible ap map num radio 1 2 Syntax display rfdetect visible dap dap num radio 1 2 mac addr Base MAC address of the 3Com radio To display the base MAC address of a 3Com radio use the display ap dap status command map num Port connected to the MAP access point for whi
43. IGMP SNOOPING COMMANDS Defaults By default no ports are static multicast receiver ports Access Enabled History Introduced in MSS Version 3 0 Usage You cannot add MAP access ports or wired authentication ports as static multicast ports However MSS can dynamically add these port types to the list of multicast ports based on multicast traffic Examples The following command adds port 7 as a static multicast receiver port WX1200 set igmp receiver port 7 enable success change accepted The following command removes port 7 from the list of static multicast receiver ports WX1200 set igmp receiver port 7 disable success change accepted See Also display igmp receiver table on page 429 set igmp rv Changes the robustness value for one VLAN or all VLANs on a WX Robustness adjusts the IGMP timers to the amount of traffic loss that occurs on the network Syntax set igmp rv num vlan vlan id a num Robustness value You can specify a value from 2 through 255 Set the robustness value higher to adjust for more traffic loss vlan vlan id VLAN name or number If you do not specify a VLAN MSS changes the robustness value for all VLANs Defaults The default robustness value for all VLANs is 2 Access Enabled History Introduced in MSS Version 3 0 setigmp rv 443 See Also setigmp oqi on page 437 setigmp qi on page 439 setigmp qri on page 440 444 CHAPTER 13
44. IGMP type Packets with Number of packets with an invalid length bad length Packets with Number of packets with an invalid IGMP checksum value bad IGMP checksum Packets Number of multicast packets dropped by the WX dropped See Also Clear igmp statistics on page 422 set igmp Disables or reenables IGMP snooping on one VLAN or all VLANs on a wireless LAN switch Syntax set igmp enable disable vlan vlan id enable Enables IGMP snooping disable Disables IGMP snooping vlan vlan id VLAN name or number If you do not specify a VLAN IGMP snooping is disabled or reenabled on all VLANs History Introduced in MSS Version 3 0 Examples The following command disables IGMP snooping on VLAN orange WX1200 set igmp disable vlan orange success change accepted See Also setigmp rv on page 442 434 CHAPTER 13 IGMP SNOOPING COMMANDS set igmp Imai Changes the IGMP last member query interval timer on one VLAN or all VLANs on a wireless LAN switch Syntax set igmp lmqi tenth seconds vlan vlan id lmqi tenth seconds Amount of time in tenths of a second that the WX waits for a response to a group specific query after receiving a leave message for that group before removing the receiver that sent the leave message from the list of receivers for the group If there are no more receivers for the group the WX switch also sends a leave message for the group to m
45. Index Counter ACL name aL 0 acl 2 0 acl_175 3 916 acl_153 See Also display security acl hits on page 451 display security acl info on page 452 468 CHAPTER 14 SECURITY ACL COMMANDS 15 CRYPTOGRAPHY COMMANDS Use cryptography commands to configure and manage certificates and public private key pairs for system authentication Depending on your network configuration you must create keys and certificates to authenticate the WX switch to IEEE 802 1X wireless clients for which the WX switch performs authentication and to 3Com wireless switch manager 3WXM and Web Manager Commands by Usage This chapter presents cryptography commands alphabetically Use Table 82 to locate commands in this chapter based on their use Table 82 Cryptography Commands by Usage Type Command Encryption Keys crypto generate key on page 473 display crypto key ssh on page 483 PKCS 7 Certificates crypto generate request on page 474 crypto ca certificate on page 470 display crypto ca certificate on page 481 crypto certificate on page 471 display crypto certificate on page 482 PKCS 12 Certificate crypto otp on page 478 crypto pkcs12 on page 479 Self Signed Certificate crypto generate self signed on page 476 470 CHAPTER 15 CRYPTOGRAPHY COMMANDS crypto ca certificate Installs a certificate authority s own PKCS 7 certificate into the WX certificate and key storage area Syntax crypto
46. all of its VLANs Syntax set spantree priority value all vlan vlan id priority value Priority value You can specify a value from O through 65 535 The bridge with the lowest priority value is elected to be the root bridge for the spanning tree a all Changes the bridge priority on all VLANs vlan vlan id VLAN name or number MSS changes the bridge priority on only the specified VLAN Defaults The default root bridge priority for the switch on all VLANs is 32 768 Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the bridge priority of VLAN pink to 69 WX4400 set spantree priority 69 vlan pink success change accepted See Also display spantree on page 398 set spantree uplinkfast Enables or disables STP uplink fast convergence on a wireless LAN switch This feature enables a WX switch with redundant links to the network backbone to immediately switch to the backup link to the root bridge if the primary link fails Syntax set spantree uplinkfast enable disable enable Enables uplink fast convergence disable Disables uplink fast convergence Defaults Disabled Access Enabled 420 CHAPTER 12 STP COMMANDS History Introduced in MSS Version 3 0 Usage The uplink fast convergence feature is applicable to bridges that are acting as access switches to the network core distribution layer but are no
47. auth key hex string Specifies the authentication type used to authenticate communications with the remote SNMP engine You can specify one of the following none No authentication is used md5 Message digest algorithm 5 is used sha Secure Hashing Algorithm SHA is used If the authentication type is md5 or sha you can specify a passphrase or a hexadecimal key a To specify a passphrase use the auth pass phrase string option The string can be from 8 to 32 alphanumeric characters long with no spaces a To specify a key use the auth key hex string option encrypt type none des 3des aes encrypt pass phrase string encrypt key hex string Specifies the encryption type used for SNMP traffic You can specify one of the following a none No encryption is used This is the default des Data Encryption Standard DES encryption is used 3des Triple DES encryption is used aes Advanced Encryption Standard AES encryption is used 190 CHAPTER 7 IP SERVICES COMMANDS If the encryption type is des 3des or aes you can specify a passphrase or a hexadecimal key a To specify a passphrase use the encrypt pass phrase string option The string can be from 8 to 32 alphanumeric characters long with no spaces a To specify a key use the encrypt key hex string option Defaults No SNMPv3 users are configured by default When you configure an SNMPv3 user the default access is read on
48. change Changing the default configuration is not recommended Are you sure that you want to proceed y n y BOOT TYPE c gt n DEVICE boot0 gt emacl FILENAME default gt bootfile HOST IP 0 0 0 0 gt 172 16 0 1 LOCAL IP 0 0 0 0 gt 172 16 0 21 GATEWAY IP 0 0 0 0 gt 172 16 0 20 IP MASK 0 0 0 0 gt 255 255 255 0 FLAGS 0x00000000 gt OPTIONS run nos boot 0 gt See Also boot on page 621 create on page 624 delete on page 625 dhcp on page 626 display on page 628 next on page 633 create Creates a new boot profile For information about boot profiles see display on page 628 Syntax create Defaults The new boot profile has the same settings as the currently active boot profile by default Access Boot prompt History Introduced in MSS Version 3 0 delete 625 Usage A WX switch can have up to four boot profiles The boot profiles are stored in slots numbered O through 3 When you create a new profile the system uses the next available slot for the profile If all four slots already contain profiles and you try to create a fifth profile the switch displays a message advising you to change one of the existing profiles instead To make a new boot profile the currently active boot profile use the next command To change boot parameter settings use the change command Examples The following command creates a new boot profil
49. dap num List of Distributed MAP connections through which any user assigned this profile is allowed access The same Distributed MAP can be used in multiple Mobility Profile port lists Defaults No default Mobility Profile exists on the WX switch If you do not assign Mobility Profile attributes all users have access through all ports unless denied access by other AAA servers or by access control lists ACLs Access Enabled History Introduced in MSS Version 3 0 Usage To assign a Mobility Profile to a user or group specify it as an authorization attribute in one of the following commands set user attr mobility profile name set usergroup attr mobility profile name set mac user attr mobility profile name set mac usergroup attr mobility profile name To enable the use of the Mobility Profile feature on the WX switch use the set mobility profile mode command CAUTION When the Mobility Profile feature is enabled a user is denied access if assigned a Mobility Profile attribute in the local WX switch database or RADIUS server when no Mobility Profile of that name exists on the WX switch To change the ports in a profile use set mobility profile again with the updated port list Examples The following commands create the Mobility Profile magnolia which restricts user access to port 2 enable the Mobility Profile feature on the WX switch and assign the magnolia Mobility Profile to user Jose WX1200 se
50. display radio profile on page 317 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune channel config on page 349 set radio profile auto tune channel holddown on page 350 set radio profile auto tune channel interval on page 351 set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 display dap connection 313 display dap connection Displays the system IP address of the WX switch that booted a Distributed MAP Syntax display dap connection dap num serial id serial ID dap num Number of a Distributed MAP for which to display information about its active connection serial id serial ID MAP access point serial ID Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The serial id parameter displays the active connection for the specified Distributed MAP even if that MAP is not configured on this WX switch If you instead use the command with the dap num parameter or without a parameter connection information is displayed only for Distributed MAPs that are configured on this WX switch This command provides information only if the Distributed MAP is configured on the switch where you use the command The switch does not need to be the one that booted the MAP but it m
51. eap md5 Extensible Authentication Protocol EAP with message digest algorithm 5 For wired authentication clients Uses challenge response to compare hashes Provides no encryption or integrity checking for the connection eap tls EAP with Transport Layer Security TLS Provides mutual authentication integrity protected negotiation and key exchange Requires X 509 public key certificates on both sides of the connection 234 CHAPTER 8 AAA COMMANDS Provides encryption and integrity checking for the connection Cannot be used with RADIUS server authentication requires user information to be in the switch s local database peap mschapv2 Protected EAP PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 MS CHAP V2 For wireless clients Uses TLS for encryption and data integrity checking and server side authentication Provides MS CHAP V2 mutual authentication Only the server side of the connection needs a certificate The wireless client authenticates using TLS to set up an encrypted session Then MS CHAP V2 performs mutual authentication using the specified AAA method pass through MSS sends all the EAP protocol processing to a RADIUS server i gt EAP MD5 does not work with Microsoft wired authentication clients method1 method2 method3 method4 At least one and up to four methods that MSS uses to handle authentication Specify one or more of the following methods in pr
52. into subdirectory corpa in a WX switch s nonvolatile storage WX4400 copy tftp 10 1 1 1 corpa login html corpa corpa login html success received 637 bytes in 0 253 seconds 2517 bytes sec See Also delete on page 569 dir on page 570 delete Deletes a file A gt CAUTION MSS does not prompt you to verify whether you want to delete a file When you press Enter after typing a delete command MSS immediately deletes the specified file MSS does not allow you to delete the currently running software image file or the running configuration Syntax delete url a url Filename Specify between 1 and 128 alphanumeric characters with no spaces If the file is in a subdirectory specify the subdirectory name followed by a forward slash in front of the filename For example subdir_a file_a Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You might want to copy the file to a TFTP server as a backup before deleting the file 570 CHAPTER 20 FILE MANAGEMENT COMMANDS Examples The following commands copy file testconfig to a TFTP server and delete the file from nonvolatile storage WX4400 copy testconfig tftp 10 1 1 1 testconfig success sent 365 bytes in 0 401 seconds 910 bytes sec WX4400 delete testconfig success file deleted The following commands delete file dang_doc from subdirectory dang Wx4400 delete dang dang_ doc success file deleted
53. local facility facility level enable disable buffer Sets log parameters for the log buffer in nonvolatile storage console Sets log parameters for console sessions current Sets log parameters for the current Telnet or console session These settings are not stored in nonvolatile memory server ip addr Sets log parameters for a syslog server Specify an address in dotted decimal notation sessions Sets the default log values for Telnet sessions You can set defaults for the following log parameters Severity setlog 615 a Logging state enabled or disabled To override the session defaults for an individual session type the set log command from within the session and use the current option trace Sets log parameters for trace files severity severity level Logs events at a severity level greater than or equal to the level specified Specify one of the following emergency The WX switch is unusable alert Action must be taken immediately a critical You must resolve the critical conditions If the conditions are not resolved the WX can reboot or shut down a error The WX is missing data or is unable to form a connection warning A possible problem exists notice Events that potentially can cause system problems have occurred These are logged for diagnostic purposes No action is required info Informational messages only No
54. mj D SE j D SE 21807 21825 00 0b 0e 00 04 30 00 0b 0e 02 76 f6 Table 71 describes the fields in this display 406 CHAPTER 12 STP COMMANDS Table 71 Output for display spantree statistics Field Description Port Port number VLAN VLAN ID Spanning Tree enabled for vlan State of the STP feature on the VLAN port spanning tree State of the STP feature on the port state STP state of the port Blocking The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic Disabled The port is not forwarding any traffic including STP control traffic The port might be administratively disabled or the link might be disconnected a Forwarding The port is forwarding Layer 2 traffic Learning The port is learning the locations of other WX switches in the spanning tree before changing state to forwarding a Listening The port is comparing its own STP information with information in STP control packets received by the port to compute the spanning tree and change state to blocking or forwarding port_id STP port ID port_number STP port number path cost Cost to use this port to reach the root bridge This is part of the total path cost designated cost message age Age of the protocol information for a port and the value of the maximum age parameter shown in parenthesis recorded by
55. name Radio profile name a seconds Number of seconds radios wait before lowering the power by 1 dBm You can specify from O to 65535 seconds Defaults The default power backoff interval is 10 seconds Access Enabled History Introduced in MSS Version 3 0 A radio can increase power again if required to preserve the minimum data rate for an associated client Examples The following command changes the power backoff interval for radios in radio profile ro2 to 15 seconds WX4400 set radio profile rp2 auto tune power backoff timer 15 success change accepted See Also set ap dap radio auto tune max power on page 335 set radio profile auto tune power config 353 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 set radio profile auto tune power config Enables or disables dynamic power tuning RF Auto Tuning for the MAP radios in a radio profile Syntax set radio profile name auto tune power config enable disable name Radio profile name enable Configures radios to dynamically set their power levels when the MAPs are started disable Configures radios to use their statically assigned power levels or the default power levels if unassigned when the radios are started Defaults Dynamic power assignment is disabled by default Acces
56. name Service profile name enable Enables 104 bit WEP encryption for WPA clients disable Disables 104 bit WEP encryption for WPA clients Defaults 104 bit WEP encryption is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage To use 104 bit WEP with WPA clients you must also enable the WPA IE When 104 bit WEP in WPA is enabled in the service profile radios managed by a radio profile that is mapped to the service profile can also support non WPA clients that use dynamic WEP To support WPA clients that use 40 bit dynamic WEP you must enable WEP with 40 bit keys Use the set service profile cipher wep40 command Microsoft Windows XP does not support WEP with WPA To configure a service profile to provide dynamic WEP for XP clients leave WPA disabled and use the set service profile wep commands To support non WPA clients that use static WEP you must configure static WEP keys Use the set service profile wep key index command Examples The following command configures service profile so2 to use 104 bit WEP encryption WX4400 set service profile sp2 cipher wep104 enable success change accepted 380 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also set service profile cipher ccmp on page 377 set service profile cipher tkip on page 378 set service profile cipher wep40 on page 380 set service profile wep key index on page 390 set service profile
57. notice Events that potentially can cause system problems have occurred These are logged for diagnostic purposes No action is required info Informational messages only No problem exists debug Output from debugging 614 CHAPTER 23 SYSTEM LOG COMMANDS Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to see the facilities for which you can view event messages archived in the buffer WX4400 display log trace facility lt facility name gt Select one of KERNEL AAA SYSLOGD ACL APM ARP ASO BOOT CLI CLUSTER COPP CRYPTO DOT1X ENCAP ETHERNET GATEWAY HTTPD IGMP IP MISC NOSE NP RAND RESOLV RIB ROAM ROGUE SM SNMPD SPAN STORE SYS TAGMGR TBRIDGE TCPSSL TELNET TFTP TLS TUNNEL VLAN X509 XML MAP RAPDA WEBVIEW EAP PORTCONFIG FP See Also Clear log on page 609 display log config on page 612 set log Enables or disables logging of WX and MAP events to the WX log buffer or other logging destination and sets the level of the events logged For logging to a syslog server only you can also set the facility logged Syntax set log buffer console current server ip addr sessions trace severity severity level enable disable Syntax set log server ip addr severity severity level
58. one hour Access Enabled History Introduced in MSS Version 3 0 Usage 3Com recommends that you use an interval of at least 300 seconds 5 minutes RF Auto Tuning can change a radio s channel before the channel interval expires in response to RF anomalies Even in this case channel changes cannot occur more frequently than the channel holddown interval If you set the interval to 0 RF Auto Tuning does not reevaluate the channel at regular intervals However RF Auto Tuning can still change the channel in response to RF anomalies 352 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command sets the channel interval for radios in radio profile ro2 to 2700 seconds 45 minutes WX4400 set radio profile rp2 auto tune channel interval 2700 success change accepted See Also set radio profile auto tune channel config on page 349 set radio profile auto tune channel holddown on page 350 set radio profile auto tune power backoff timer Sets the interval at which radios in a radio profile reduce power after temporarily increasing the power to maintain the minimum data rate for an associated client At the end of each power backoff interval radios that temporarily increased their power reduce it by 1 dBm The power backoff continues in 1 dBm increments after each interval until the power returns to expected setting Syntax set radio profile name auto tune power backoff timer seconds
59. or Distributed MAP and the direction of the packets to stop filtering This command deletes the ACL mapping but not the ACL Examples To clear the mapping of security ACL acljoe from port 4 for incoming packets type the following command WX4400 clear security acl map acljoe port 4 in clear mapping accepted commit security acl 449 To clear all physical ports virtual ports and VLANs on a WX switch of the ACLs mapped for incoming and outgoing traffic type the following command WX4400 clear security acl map all success change accepted See Also a Clear security acl on page 446 display security acl map on page 453 set security acl map on page 464 commit security acl Saves a security ACL or all security ACLs in the edit buffer to the running configuration and nonvolatile storage on the WX switch Or when used with the clear security acl command commit security acl deletes a security ACL or all security ACLs from the running configuration and nonvolatile storage Syntax commit security acl acl name all acl name Name of an existing security ACL to commit ACL names must start with a letter and are case insensitive all Commits all security ACLs in the edit buffer Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Use the commit security acl command to save security ACLs into or delete them from the permanent configuration Until you
60. vlan vlan id a port list List of ports Statistics counters are reset on the specified ports vlan vlan id VLAN name or number MSS resets statistics counters for only the specified VLAN Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears STP statistics counters for ports 1 3 and 5 through 8 for all VLANs WX1200 clear spantree statistics 1 3 5 8 success change accepted See Also display spantree statistics on page 403 398 CHAPTER 12 STP COMMANDS display spantree Displays STP configuration and port state information Syntax display spantree port list vlan vlan id active port list List of ports If you do not specify any ports MSS displays STP information for all ports vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays STP information for all VLANs a active Displays information for only the active forwarding ports Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays STP information for VLAN default WX1200 display spantree vlan default VLAN 1 Spanning tree mode Spanning tree type Spanning tree enabled Designated Root PVST IEEE 00 02 4a 70 49 7 Designated Root Priority 32768 Designated Root Path Cost 19 Designated Root Port 1 Root Max Age 20 sec Hello Time 2
61. 1 intfr 87 00 05 5d 7e 96 a7 D Link Unknown dap 1 1 149 Ponti LET 00 05 5d 7e 96 ce D Link Unknown dap 1 1 157 1 intfr 162 00 05 5d 84 dl c5 D Link Unknown dap 1 1 1 1 intfr 52 The following command displays more details about a specific client WX4400 display rfdetect clients mac 00 0c 41 63 fd 6d Client Mac Address 00 0c 41 63 fd 6d Vendor Linksys Port dap 1 Radio 1 Channel 11 RSSI 82 Rate 2 Last Seen secs ago 84 Bssid 00 0b 0e 01 02 00 Vendor 3Com Type intfr Dst ff ff ff ff ff ff Last Rogue Status Check secs ago 3 The first line lists information for the client The other lines list information about the most recent 802 11 packet detected from the client Table 95 and Table 96 describe the fields in these displays 540 CHAPTER 19 RF DETECTION COMMANDS Table 95 display rfdetect clients Output Field Description Client MAC MAC address of the client Client Vendor Company that manufactures or sells the client AP MAC MAC address of the radio with which the rogue client is associated AP Vendor Company that manufactures or sells the AP with which the rogue client is associated Port Radio Channel Port number radio number and channel number of the radio that detected the rogue For a Distributed MAP the connection number is labeled dap This stands for distributed ap NoL Number of listeners This is the number of MAP radios that detected the rogue cl
62. 207 Clear authentication mac on page 208 set authentication web on page 242 display aaa on page 219 clear location policy Removes a rule from the location policy on a WX switch Syntax clear location policy rule number a rule number Index number of a location policy rule to remove from the location policy Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To determine the index numbers of location policy rules use the display location policy command Removing all the ACEs from the location policy disables this function on the WX switch Examples The following command removes location policy rule 4 from an WX switch s location policy WX4400 clear location policy 4 success clause 4 is removed clear mac user 211 See Also display location policy on page 224 set location policy on page 244 clear mac user Removes a user profile from the local database on the WX switch for a user who is authenticated by a MAC address To remove a user profile in RADIUS see the documentation for your RADIUS server Syntax clear mac user mac addr mac addr MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Deleting a MAC user s profile from the database deletes the assignment of any attributes in the pr
63. 239 clear authentication proxy 209 clear authentication proxy Removes a proxy rule for third party AP users Syntax clear authentication proxy ssid ssid name user glob a ssid ssid name SSID name to which this authentication rule applies a user glob User glob associated with the rule you are removing Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command removes the proxy rule for SSID mycorp and userglob WX4400 clear authentication proxy ssid mycorp See Also set authentication proxy on page 241 display aaa on page 219 clear authentication web Removes a WebAAA rule Syntax clear authentication web ssid ssid name wired user glob a ssid ssid name SSID name to which this authentication rule applies a wired Clears a rule used for access over a WX switch s wired authentication port a user glob User glob associated with the rule you are removing Defaults None Access Enabled History Introduced in MSS 3 0 210 CHAPTER 8 AAA COMMANDS Examples The following command removes WebAAA for SSID research and userglob temp thiscorp com WX4400 clear authentication web ssid research temp thiscorp com See Also Clear authentication admin on page 204 Clear authentication console on page 205 Clear authentication dot1x on page 206 Clear authentication last resort on page
64. 255 enable hits Wx4400 rollback security acl acl_122 WX4400 display security acl info all editbuffer ACL edit buffer information for all See Also display security acl on page 450 set security acl In the edit buffer creates a security access control list ACL adds one access control entry ACE to a security ACL and or reorders ACEs in the ACL The ACEs in an ACL filter IP packets by source IP address a Layer 4 protocol or IP ICMP TCP or UDP packet information By source address Syntax set security acl ip acl name permit cos cos deny source ip addr mask before editbuffer index modify editbuffer index hits By Layer 4 protocol Syntax set security acl ip acl name permit cos cos deny protocol number source ip addr mask destination ip addr mask precedence precedence tos tos before editbuffer index modify editbuffer index hits By IP packets Syntax set security acl ip acl name permit cos cos deny ip source ip addr mask destination ip addr mask precedence precedence tos tos before editbuffer index modify editbuffer index hits 460 CHAPTER 14 SECURITY ACL COMMANDS gt By ICMP packets Syntax set security acl ip acl name permit cos cos deny icmp source ip addr mask destination ip addr mask type icmp type code icmp code precedence precedence tos tos before editbuffer index modify editbuffer index hits By TCP packets S
65. 2b 3c 4d 5e 6 port 1 vlan default success change accepted 114 CHAPTER 5 VLAN COMMANDS See Also Clear fdb on page 98 display fdb on page 102 set fdb agingtime Changes the aging timeout period for dynamic entries in the forwarding database Syntax set fdb agingtime vlan id age seconds vilan id VLAN name or number The timeout period change applies only to entries that match the specified VLAN age seconds Value for the timeout period in seconds You can specify a value from O through 1 000 000 If you change the timeout period to 0 aging is disabled Defaults The aging timeout period is 300 seconds 5 minutes Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the aging timeout period to 600 seconds for entries that match VLAN orange WX4400 set fdb agingtime orange age 600 success change accepted See Also display fdb agingtime on page 104 set security 2 restrict Restricts Layer 2 forwarding between clients in the same VLAN When you restrict Layer 2 forwarding in a VLAN MSS allows Layer 2 forwarding only between a client and a set of MAC addresses generally the VLAN s gateway routers Clients within the VLAN are not permitted to communicate among themselves directly To communicate with another client the client must use one of the specified gateway routers Syntax set security 12 restrict vlan vlan id mode enab
66. 33554432 s n 0333000288 hw_rev A3 Uptime 3 hours 44 minutes 28 seconds Radio 2 type 802 11lg state configure succeed Enabled 802 11b protect operational channel 1 operational power 15 base mac 00 0b 0e 00 d1 00 bssidl 00 0b 0e 00 d1 00 ssid public bssid2 00 0b 0e 00 d1 02 ssid employee net bssid3 00 0b 0e 00 d1 04 ssid mycorp tkip 306 CHAPTER 11 MANAGED ACCESS POINT COMMANDS The following command uses the terse option to display brief information for Distributed MAPs WX4400 display dap status terse Total number of entries 4 Operational 1 Image Downloading 0 Unknown 3 Other 0 Flags o operational b booting d image downloading c configuring f configuration failed a auto DAP i insecure Port Flg IP Address Model MAC Address Radiol Radio2 Uptime Se tala MP 372 D D Od Oh Om Os Dap 1 MP 372 D D Od Oh Om Os Dap 2 MP 372 D D Od Oh Om Os Dap100 oa 10 8 255 11 MP 122 00 0b 0e da da 82 E 1 17 E36 11 Od Oh Om17s Table 56 and Table 57 describe the fields in this display Table 56 Output for display ap status Field Description DAP Connection ID for the Distributed MAP Note This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP Port WX port number Note This field is applicable only if the MAP is directly connected to the WX switch and the WX switch s port is configured as a MAP access
67. 503 18 19 clear dot1x reauth period 503 clear dot1x timeout auth server 504 clear dot1x timeout supplicant 504 clear dot1x tx period 505 display dot1x 505 set dot1x authcontrol 508 set dot1x bonded period 509 set dot1x key tx 510 set dot1x max req 511 set dot1x port control 512 set dot1x quiet period 513 set dot1x reauth 513 set dot1x reauth max 514 set dot1x reauth period 515 set dot1x timeout auth server 515 set dot1x timeout supplicant 516 set dot1x tx period 516 set dot1x wep rekey 517 set dot1x wep rekey period 518 SESSION MANAGEMENT COMMANDS Commands by Usage 519 clear sessions 519 clear sessions network 521 display sessions 522 display sessions network 525 RF DETECTION COMMANDS Commands by Usage 533 clear rfdetect attack list 534 clear rfdetect black list 535 clear rfdetect ignore 535 clear rfdetect ssid list 536 clear rfdetect vendor list 537 display rfdetect attack list 537 display rfdetect black list 538 display rfdetect clients 539 20 display rfdetect countermeasures 541 display rfdetect counters 542 display rfdetect data 544 display rfdetect ignore 546 display rfdetect mobility domain 546 display rfdetect ssid list 550 display rfdetect vendor list 551 display rfdetect visible 552 set rfdetect active scan 554 set rfdetect attack list 554 set rfdetect black list 555 set rf detect countermeasures 556 set rfdetect countermeasures mac 557 set rfdetect ignore 558 set rf
68. 65535 seconds Defaults The default power tuning interval is 300 seconds Access Enabled History Introduced in MSS Version 3 0 Usage RF Auto Tuning also can temporarily increase a radio s power level to preserve the minimum data rate for an associated client In this case the radio reduces its power in 1 dBm increments until the power returns to the expected level Examples The following command sets the power interval for radios in radio profile rp2 to 240 seconds WX4400 set radio profile rp2 auto tune power interval 240 success change accepted See Also set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set radio profile beacon interval 355 set radio profile beacon interval Changes the rate at which each MAP radio in a radio profile advertises its service set identifier SSID Syntax set radio profile name beacon interval interval name Radio profile name interval Number of milliseconds ms between beacons You can specify from 25 ms to 8191 ms Defaults The beacon interval for MAP radios is 100 ms by default Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the pro
69. AAA method ACTIVE User s AAA attributes have been applied and the user is active on the network DEASSOCIATED One of the following Wireless client has sent the WX switch a disassociate message User associated with one of the current WX switch s MAP access points has appeared at another WX switch in the Mobility Domain ROAMING AWAY The WX switch has been sent a request to transfer the user who is roaming to another WX switch STATUS UPDATED WX switch is receiving a final update from an MAP access point about the user who has roamed away WEB_AUTHING User is being authenticated by WebAAA WIRED AUTH ING User is being authenticated by the 802 1X protocol on a wired authentication port KILLING User s session is being cleared because of 802 1X authentication failure entry of a clear command or some other event Port Radio Number of the port and radio through which the user is accessing this session MAC address MAC address of the session user User Name Name of the authenticated user of this session IP Address IP address of the session user Vlan Name Name of the VLAN associated with the session Tag System wide supported VLAN tag type display sessions network 531 Table 93 display sessions network session id Output continued Field Description Session Assigned session timeout in seconds Timeout Authentication Extensible
70. ACLs use source and destination IP addresses and wildcard masks to determine whether the wireless LAN switch filters or forwards IP packets Matching packets are either permitted or denied network access The ACL checks the bits in IP addresses that correspond to any Os zeros in the mask but does not check the bits that correspond to 7s ones in the mask You specify the wildcard mask in dotted decimal notation For example the address 10 0 0 0 and mask 0 255 255 255 match all IP addresses that begin with 10 in the first octet Name globbing is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern MSS accepts user globs MAC address globs and VLAN globs The order in which globs appear in the configuration is important because once a glob is matched processing stops on the list of globs User Globs A user glob is shorthand method for matching an authentication authorization and accounting AAA command to either a single user or a set of users A user glob can be up to 80 characters long and cannot contain spaces or tabs The double asterisk wildcard characters with no delimiter characters match all usernames The single asterisk wildcard character matches any number of characters up to but not including a delimiter character in the glob Valid user glob delimiter characters are the at sign and the period CLI Conventions 27 Table 3 gives exampl
71. Authentication Protocol EAP type used to authenticate Method the session user and the IP address of the authentication server Session Time the session statistics were last updated from the MAP access Statistics as updated from AP point in seconds since a fixed standard date and time Unicast packets in Total number of unicast packets received from the user by the WX 64 bit counter Unicast bytes in Total number of unicast bytes received from the user by the WX 64 bit counter Unicast packets out Total number of unicast packets sent by the WX to the user 64 bit counter Unicast bytes out Total number of unicast bytes sent by the WX to the user 64 bit counter Multicast packets in Total number of multicast packets received from the user by the WX 64 bit counter Multicast bytes in Total number of multicast bytes received from the user by the WX 64 bit counter Number of packets with encryption errors Total number of decryption failures Number of bytes with encryption errors Total number of bytes with decryption errors Last packet data rate Data transmit rate in megabits per second Mbps of the last packet received by the MAP access point Last packet signal strength Signal strength in decibels referred to 1 milliwatt dBm of the last packet received by the MAP access point Last packet data S N ratio See Also Signal
72. CHAPTER 11 MANAGED ACCESS POINT COMMANDS Access Enabled History Introduced in MSS Version 3 0 Usage This command affects authentication of WPA clients only To use PSK authentication you also must configure a passphrase or key In addition you must enable the WPA IE The WebAAA fallthru authentication type is not supported in conjunction with WPA encryption using preshared keys PSK for the same SSID These options are configurable together but are not compatible WebAAA traffic is not encrypted whereas the PSK four way handshake requires a client to already be authenticated and for encryption to be in place Examples The following command enables PSK authentication for service profile wpa_clients Wx4400 set service profile wpa_clients auth psk enable success change accepted See Also display service profile on page 321 set service profile auth dot1x on page 373 set service profile psk raw on page 382 set service profile wpa ie on page 391 set service profile beacon Disables or reenables beaconing of the SSID managed by the service profile A MAP radio responds to an 802 11 probe any request with only the beaconed SSID s For a nonbeaconed SSID radios respond only to directed 802 11 probe requests that match the nonbeaconed SSID s SSID string When you disable beaconing for an SSID the radio still sends beacon frames but the SSID name in the frames is blank Syntax set service
73. Distributed MAP DAP IP Address IP address assigned by DHCP to the Distributed MAP WX IP Address System IP address of the WX switch on which the MAP has an active connection This is the switch that the MAP used for booting and configuration and is using for data transfer See Also display ap dap config on page 290 display dap global on page 314 display dap unconfigured on page 316 display dap global Displays connection information for Distributed MAPs configured on a WX switch Syntax display dap global dap num serial id serial ID dap num Number of a Distributed MAP for which to display configuration settings a serial id serial ID MAP access point serial ID Defaults None Access Enabled History Introduced in MSS Version 3 0 display dap global 315 Usage Connections are shown only for the Distributed MAPs that are configured on the WX switch from which you enter the command and only for the Mobility Domain the switch is in To show information only for Distributed MAPs that have active connections use the display dap connection command Examples The following command displays configuration information for all the Distributed MAPs configured on a WX switch WX4400 display dap global Total number of entries 8 DAP Serial Id WX IP Address Bias 1 9DE48B012F00 10 3 8 1 HIGH 9DE48B012F00 10 4 3 2 LOW 9DE48B123400 10 3 8 1 LOW 9DE48B123400 10 4 3 2 HIGH
74. Enables the DHCP option on Same effect as ON oFF Disables the DHCP option off Same effect as OFF Defaults The DHCP option is disabled by default Access Boot prompt History Introduced in MSS Version 1 0 diag 627 Examples The following command displays the current setting of the DHCP option boot gt dhcp DHCP is currently enabled The following command disables the DHCP option boot gt dhcp DHCP is currently disabled See Also boot on page 621 diag Accesses the diagnostic mode Syntax diag Defaults The diagnostic mode is disabled by default Access Boot prompt History Introduced in MSS Version 3 0 Usage Access to the diagnostic mode requires a password which is not user configurable Use this mode only if advised to do so by 3Com dir Displays the boot code and system image files on a WX switch Syntax dir c d e f boot0 boot1 c Nonvolatile storage area containing boot partition O primary a d Nonvolatile storage area containing boot partition 1 secondary a e Primary partition of the flash card in the flash card slot a f Secondary partition of the flash card in the flash card slot boot0 Boot partition 0 boot1 Boot partition 1 628 CHAPTER 24 BOOT PROMPT COMMANDS Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage To display t
75. Examples The following command enables the HTTPS server on a WX switch WX1200 set ip https server enable success change accepted See Also Clear ip telnet on page 131 display ip https on page 145 display ip telnet on page 148 setip telnet on page 171 setip telnet server on page 172 set ip route Adds a static route to the IP route table Syntax set ip route default ip addr mask ip addr mask length gateway metric default Default route A WX switch uses the default route if an explicit route is not available for the destination Default is an alias for IP address 0 0 0 0 0 168 CHAPTER 7 IP SERVICES COMMANDS ip addr mask IP address and subnet mask for the route destination in dotted decimal notation for example 10 10 10 10 255 255 255 0 ip addr mask length IP address and subnet mask length in CIDR format for example 10 10 10 10 24 gateway IP address DNS hostname or alias of the next hop router a metric Cost for using the route You can specify a value from O through 2 147 483 647 Lower cost routes are preferred over higher cost routes Defaults The HTTPS server is enabled by default Access Enabled Usage MSS can use a static route only if a direct route in the route table resolves the static route MSS adds routes with next hop types Local and Direct when you add an IP interface to a VLAN if the VLAN is up If one of these add
76. Filter dot1x 5 0 sm 5 0 See Also Clear trace on page 590 set trace authentication on page 592 set trace authorization on page 593 set trace dot1x on page 594 set trace sm on page 595 592 CHAPTER 21 TRACE COMMANDS save trace Saves the accumulated trace data for enabled traces to a file in the WX switch s nonvolatile storage Syntax save trace filename filename Name for the trace file To save the file in a subdirectory specify the subdirectory name then a slash For example traces trace7 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To save trace data into the file trace7 in the subdirectory traces type the following command WX4400 save trace traces tracel set trace authentication Traces authentication information Syntax set trace authentication mac addr mac address port port num user username level level mac addr mac address Traces a MAC address Specify a MAC address using colons to separate the octets for example 00 11 22 aa bb cc port port num Traces on a WX port number user username Traces a user Specify a username of up to 32 alphanumeric characters with no spaces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most information Levels 1 through 5 provide user readabl
77. History Introduced in MSS Version 3 0 Examples The following command shows the current roaming VLANS WX4400 display roaming vlan VLAN WX Affinity vlan cs 192 168 14 2 5 vlan eng 192 168 14 4 5 vian fin 192 168 14 2 5 vlan it 192 168 14 4 5 vlan it 192 168 14 2 5 vlan pm 192 168 14 2 5 vlan sm 192 168 14 2 5 vlan tp 192 168 14 4 5 vlan tp 192 168 14 2 5 Table 23 describes the fields in the display Table 23 Output for display roaming vlan Field Description VLAN VLAN name WX System IP address of the wireless LAN switch on which the VLAN is configured Affinity Preference of this WX switch for forwarding user traffic for the VLAN A higher number indicates a greater preference See Also display roaming station on page 106 display vlan config on page 111 display security 12 restrict 109 display security 12 restrict Displays configuration information and statistics for Layer 2 forwarding restriction Syntax display security 12 restrict vlan vlan id all vlan id VLAN name or number all Displays information for all VLANs Defaults If you do not specify a VLAN name or all information is displayed for all VLANs Access Enabled History Introduced in MSS Version 4 1 Examples The following command shows Layer 2 forwarding restriction information for all VLANs VLAN Name En Drops Permit MAC Hits 1 default X 0 00 0b 0e 02 53 3e 5947 00
78. IP 192 168 1 1 0 0 0 0 destination IP any enable hits The following command displays the contents of ac _123 in the edit buffer including the committed ACE rules 1 and 2 and the uncommitted rule 3 WX4400 display security acl info acl_123 editbuffer ACL edit buffer information for acl 123 set security acl ip acl_123 ACEs 3 add 3 del 0 modified 0 1 permit IP source IP 192 168 1 11 0 0 0 255 destination IP any enable hits 2 deny IP source IP 192 168 2 11 0 0 0 0 destination IP any 3 deny SRC source IP 192 168 1 234 255 255 255 255 enable hits See Also a Clear security acl on page 446 commit security acl on page 449 set security acl on page 459 display security acl Displays the VLANs ports and virtual ports on the WX switch to which a map security ACL is assigned Syntax display security acl map acl name acl name Name of an existing security ACL for which to show static mapping ACL names must start with a letter and are case insensitive Defaults None 454 CHAPTER 14 SECURITY ACL COMMANDS Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays the port to which security ACL acl_111 is mapped WX4400 display security acl map acl_111 ACL acl_111 is mapped to Port 4 in See Also Clear security acl map on page 447 a display security acl map on page 453 set security acl map on page 464 display security acl resource usag
79. MAC addresses MSS no longer allows clients mac addr in the VLAN to send traffic to the MAC addresses at mac addr Layer 2 all Removes all MAC addresses from the list Defaults If you do not specify a list of MAC addresses or all all addresses are removed Access Enabled History Introduced in MSS Version 4 1 Usage If you clear all MAC addresses Layer 2 forwarding is no longer restricted in the VLAN Clients within the VLAN will be able to communicate directly To clear the statistics counters without removing any MAC addresses use the clear security I2 restrict counters command instead 100 CHAPTER 5 VLAN COMMANDS Examples The following command removes MAC address aa bb cc dd ee ff from the list of addresses to which clients in VLAN abc_air are allowed to send traffic at Layer 2 Wx4400 clear security 12 restrict vlan abc_air permit mac aa bb cc dd ee ff success change accepted See Also Clear security 12 restrict counters on page 100 Clear security 12 restrict on page 99 display security 12 restrict on page 109 clear security 12 restrict counters Clears statistics counters for Layer 2 forwarding restriction Syntax clear security 12 restrict counters vlan vian id all a vilan id VLAN name or number all Clears Layer 2 forwarding restriction counters for all VLANs Defaults If you do not specify a VLAN or all counters for all VLANs are cleared
80. MAC user is sooner than the start date configured for the MAC user group the user is in the MAC user s network access can begin as soon as the user start date The MAC user does not need to wait for the MAC user group s start date Examples The following command creates the MAC user group eastcoasters and assigns the group members to VLAN orange WX4400 set mac usergroup eastcoasters attr vlan name orange success change accepted See Also Clear mac usergroup attr on page 214 display aaa on page 219 set mobility profile Creates a Mobility Profile and specifies the MAP access point and or wired authentication ports on the WX switch through which any user assigned to the profile is allowed access Syntax set mobility profile name name port none all port list dap none all dap num name Name of the Mobility Profile Specify up to 32 alphanumeric characters with no spaces none Prevents any user to whom this profile is assigned from accessing any MAP access point or wired authentication port on the WX switch all Allows any user to whom this profile is assigned to access all MAP access ports and wired authentication port on the WX switch port list List of MAP access ports or wired authentication ports through which any user assigned this profile is allowed access The same port can be used in multiple Mobility Profile port lists 256 CHAPTER 8 AAA COMMANDS
81. MSS Version 3 0 Examples The following command disables the IP interface on VLAN mauve WX4400 set interface mauve status down success set interface mauve to down See Also Clear interface on page 127 display interface on page 142 set interface on page 160 164 CHAPTER 7 IP SERVICES COMMANDS set ip alias Configures an alias which maps a name to an IP address You can use aliases as shortcuts in CLI commands Syntax set ip alias name ip addr name String of up to 32 alphanumeric characters with no spaces ip addr IP address in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command configures the alias HR1 for IP address 192 168 1 2 WX4400 set ip alias HR1 192 168 1 2 success change accepted See Also Clear ip alias on page 128 display ip alias on page 143 set ip dns Enables or disables DNS on a wireless LAN switch Syntax set ip dns enable disable enable Enables DNS disable Disables DNS Defaults DNS is disabled by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command enables DNS on a WX switch WX1200 set ip dns enable Start DNS Client set ip dns domain 165 See Also Clear ip dns domain on page 129 Clear ip dns server on page 129 display ip dns on page 144 setip dns domain on page 165 set i
82. MSS changes the interval on only the specified VLAN Defaults The default hello timer interval is 2 seconds Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the hello interval for all VLANs to 4 seconds WxX4400 set spantree hello 4 all success change accepted See Also display spantree on page 398 set spantree maxage Changes the maximum age for an STP root bridge hello packet that is acceptable to a wireless LAN switch acting as a designated bridge on one or all of its VLANs After waiting this period of time for a new hello packet the WX switch determines that the root bridge is unavailable and issues a topology change message Syntax set spantree maxage aging time all vlan vlan id aging time Maximum age value You can specify from 6 through 40 seconds all Changes the maximum age on all VLANs vlan vlan id VLAN name or number MSS changes the maximum age on only the specified VLAN Defaults The default maximum age for root bridge hello packets is 20 seconds Access Enabled History Introduced in MSS Version 3 0 414 CHAPTER 12 STP COMMANDS Examples The following command changes the maximum acceptable age for root bridge hello packets on all VLANs to 15 seconds WX4400 set spantree maxage 15 all success change accepted See Also display spantree on page 398 set spantree portcost Chan
83. Network Domain seeds have the same database of VLAN information Syntax set network domain peer ip addr ip addr IP address of the Network Domain seed to specify as a peer in dotted decimal notation Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command must be entered on a WX switch configured as a Network Domain seed Examples The following command sets the WX switch with IP address 192 168 9 254 as a peer of this Network Domain seed WX1200 set network domain peer 192 168 9 254 success change accepted See Also Clear network domain on page 274 display network domain on page 278 282 CHAPTER 10 NETWORK DOMAIN COMMANDS set network domain mode seed domain name Creates a Network Domain by setting the current WX switch as a seed device and naming the Network Domain Syntax set network domain mode seed domain name net domain name net domain name Name of the Network Domain Specify between 1 and 16 characters with no spaces Defaults None Access Enabled History Introduced in MSS 4 1 Usage Before you use this command the current WX switch must have its IP address set with the set system ip address command After you enter this command Network Domain traffic is sent and received from the specified IP address You can configure multiple WX switches as Network Domain seeds If you do this you must identify them as peers
84. Product Name Switch model number System Name System name factory default or optionally configured with set system name oe System Countrycode Country specific 802 11 code required for MAP operation configured with set system countrycode System Location Record of the WX switch s physical location optionally configured with set system location System Contact Contact information about the system administrator or another person to contact about the system optionally configured with set system contact System IP Common interface source and default IP address for the device in dotted decimal notation configured with set system ip address display system 45 Table 7 display system output continued Field Description System idle timeout Number of seconds MSS allows a CLI management session console Telnet or SSH to remain idle before terminating the session The system idle timeout can be configured using the set system idle timeout command System MAC WX switch s media access control MAC machine address set at the factory in 6 byte hexadecimal format License License level installed on the WX switch if applicable Boot Time Date and time of the last system reboot Uptime Number of days hours minutes and seconds that the WX has been operating since its last restart Fan status Operating status of the WX switch s three cooling fans
85. RxMulticast 18789 TxSingleColl 32 RxBroadcast 8 TxLateColl 0 RxGoodFrames 94229 TxMaxColl 0 RxAlignErrs 0 TxMultiColl 47 RxShortFrames 0 TxUnderruns 0 RxCrcErrors 0 TxCarrierLoss 0 RxOverruns 0 TxDeferred 150 RxDiscards 0 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 54 describes the fields in this display Table 54 Output of display ap etherstats Field Description RxUnicast Number of unicast frames received RxMulticast Number of multicast frames received RxBroadcast Number of broadcast frames received RxGoodFrames Number of frames received properly from the link RxAlignErrs Number of received frames that were both misaligned and contained a CRC error RxShortFrames Number of received frames that were shorter than the minimum frame length RxCrcErrors Number of received frames that were discarded due to CRC errors RxOverruns Number of frames known to be lost due to a temporary lack of hardware resources RxDiscards Number of frames known to be lost due to a temporary lack of software resources TxGoodFrames Number of frames transmitted properly on the link TxSingleColl Number of transmitted frames that encountered a single collision TxLateColl Number of frames that were not transmitted because they encountered a collision outside the normal collision window TxMaxColl Number of frames that were not transmitted because they encountered the maximum allo
86. See Also copy on page 567 dir on page 570 dir Displays a list of the files in nonvolatile storage and temporary files Syntax dir subdirname file core boot0 boot1 subdirname Subdirectory name If you specify a subdirectory name the command lists the files in that subdirectory Otherwise the command lists the files in the root directory and also lists the subdirectories a file Limits dir output to the contents of the user files area core Limits dir output to the contents of the tmp core subdirectory boot0 Limits dir output to the contents of the bootd partition boot1 Limits dir output to the contents of the boot partition Defaults None Access Enabled History Introduced in MSS Version 3 0 Core file boot0 and boot1 options added to limit the output to the specified category in MSS Version 4 0 dir 571 Examples The following command displays the files in the root directory WX4400 dir file Filename Size Created file configuration 48 KB J l V2 20054 L5202332 file corp2 corp2cnfig 17 KB Mar 14 2005 22 20 04 corp_a 512 bytes May 21 2004 19 15 48 file dangcfg 14 KB Mar 14 2005 22 20 04 old 512 bytes May 16 2004 17 23 44 file pubsconfig april062005 40 KB May 09 2005 21 08 30 file sysa_bak 12 KB Mar 15 2005 19 18 44 file testback 28 KB Apr 19 2005 16 37 18 Total 159 Kbytes used 2076
87. Service Request If you have trouble registering your product please contact 3Com Global Services for assistance Purchase Value Added Services To enhance response times or extend warranty benefits contact 3Com or your authorized 3Com reseller Value added services like 3Com ExpresssM and Guardians can include 24x7 telephone Technical Support software upgrades onsite assistance or advance hardware replacement Experienced engineers are available to manage your installation with minimal disruption to your network Expert assessment and implementation services are offered to fill resource gaps and ensure the success of your networking projects More information on 3Com maintenance and Professional Services is available at http www 3com com Contact your authorized 3Com reseller or 3Com for a complete list of the value added services available in your area 638 APPENDIX A OBTAINING SUPPORT FOR YOUR PRODUCT Troubleshoot Online You will find support tools posted on the 3Com web site at http www 3com com 3Com Knowledgebase helps you troubleshoot 3Com products This query based interactive tool is located at http knowledgebase 3com com and contains thousands of technical solutions written by 3Com support engineers Access Software Downloads Software Updates are the bug fix maintenance releases for the version of software initially purchased with the product In order to access these Software Updates you
88. Specify an address in dotted decimal notation Defaults None 610 CHAPTER 23 SYSTEM LOG COMMANDS Access Enabled History Introduced in MSS Version 3 0 Examples To stop sending system logging messages to a server at 192 168 253 11 type the following command WX4400 clear log server 192 168 253 11 success change accepted Type the following command to clear all messages from the log buffer WX4400 clear log buffer success change accepted See Also Clear log trace on page 590 set log on page 614 display log buffer Displays system information stored in the nonvolatile log buffer or the trace buffer Syntax display log buffer number of messages facility facility name matching string severity severity level buffer Displays the log messages in nonvolatile storage number of messages Displays the number of messages specified as follows A positive number for example 100 displays that number of log entries starting from the oldest in the log A negative number for example 100 displays that number of log entries starting from newest in the log a facility facility name Area of MSS that is sending the log message Type a space and a question mark after display log buffer facility for a list of valid facilities matching string Displays messages that match a string for example a username or IP address display log buffer 611
89. Syntax display crypto key ssh Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To display SSH key information type the following command WX4400 display crypto key ssh ec 6f 56 7f d1 fd c0 28 93 ae a4 9 7c 5 13 04 See Also crypto generate key on page 473 484 CHAPTER 15 CRYPTOGRAPHY COMMANDS 16 RADIUS AND SERVER GROUP COMMANDS Use RADIUS commands to set up communication between a WX switch and groups of up to four RADIUS servers for remote authentication authorization and accounting AAA of administrators and network users Commands by Usage This chapter presents RADIUS commands alphabetically Use Table 85 to locate commands in this chapter based on their uses Table 85 RADIUS Commands by Usage Type Command RADIUS Client set radius client system ip on page 491 clear radius client system ip on page 487 RADIUS Servers set radius on page 490 set radius server on page 494 clear radius on page 486 clear radius server on page 489 Server Groups set server group on page 496 set server group load balance on page 497 clear server group on page 489 RADIUS Proxy set radius proxy client on page 492 set radius proxy port on page 493 clear radius proxy client on page 488 clear radius proxy port on page 488 For information about RADIUS attributes see the RADIUS appendix in the Wireless LAN Switch an
90. Temporary storage is reserved for use by MSS If you are copying a system image file into nonvolatile storage the filename must be preceded by the boot partition name which can be boot0 or boot1 Enter the filename as boot0 filename or boot1 filename You must specify the boot partition that was not used to load the currently running image The maximum supported file size for TFTP is 32 MB Examples The following command copies a file called floorwx from nonvolatile storage to a TFP server WX4400 copy floorwx tftp 10 1 1 1 floorwx success sent 365 bytes in 0 401 seconds 910 bytes sec The following command copies a file called closetwx from a TFP server to nonvolatile storage WX4400 copy tftp 10 1 1 1 closetwx closetwx success received 637 bytes in 0 253 seconds 2517 bytes sec The following command copies system image WXA03007 Rel from a TFTP server to boot partition 1 in nonvolatile storage WX4400 copy tftp 10 1 1 107 WxXA03001 Rel boot1 WXA03001 Rel BG 5 LW bas Sree Rea os ate es Sa Aa eRe Gan SE Baa ap Beet Dhaene success received 9163214 bytes in 105 939 seconds 86495 bytes sec delete 569 The following commands rename test config to new config by copying it from one name to the other in the same location then deleting test config WX4400 copy test config new config WX4400 delete test config success file deleted The following command copies file corpa login htm from a TFTP server
91. This command completely removes the running configuration and replaces it with the configuration contained in the file 3Com recommends that you save a copy of the current running configuration to a backup configuration file before loading a new configuration Syntax load config url a url Filename Specify between 1 and 128 alphanumeric characters with no spaces If the file is in a subdirectory specify the subdirectory name followed by a forward slash in front of the filename For example backup_configs config_c Defaults The default file location is nonvolatile storage The current version supports loading a configuration file only from the switch s nonvolatile storage You cannot load a configuration file directly from a TFTP server load config 579 If you do not specify a filename MSS uses the same configuration filename that was used for the previous configuration load For example if the WX switch used configuration for the most recent configuration load MSS uses configuration again unless you specify a different filename To display the filename of the configuration file MSS loaded during the last reboot use the display boot command Access Enabled History Introduced in MSS Version 3 0 Usage This command completely replaces the running configuration with the configuration in the file Examples The following command reloads the configuration from the most recently loaded
92. User Nin created set userattr 259 The following command assigns the password chey3nne to the admin user WX4400 set user admin password chey3nne success User admin created The following command changes Nin s password from goody to 29Jan04 WX4400 set user Nin password 29Jan04 See Also Clear user on page 215 display aaa on page 219 set user attr Configures an authorization attribute in the local database on the WX switch for a user with a password To assign authorization attributes in RADIUS see the documentation for your RADIUS server Syntax set user username attr attribute name value username Username of a user with a password attribute name valu Name and value of an attribute you are using to authorize the user for a particular service or session characteristic For a list of authorization attributes and values that you can assign to network users see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To change the value of an attribute enter set user attr with the new value To delete an attribute use clear user attr 260 CHAPTER 8 AAA COMMANDS You can assign attributes to individual users and to user groups If attributes are configured for a user and also for the group the user is in the attributes assigned to the individual user take precedence for that user For example if the start date attribute config
93. VLAN on which this WX switch received the MAP s Find WX message See Also display dap connection on page 313 display dap global on page 314 display radio profile Displays radio profile information Syntax display radio profile name name Displays information about the named radio profile a Displays a list of radio profiles Defaults None Access Enabled History Introduced in MSS Version 3 0 Name of the backoff timer field changed from Client Backoff Timer to Power Backoff Timer and new fields added in MSS Version 4 0 Countermeasures Active Scan a WMM enabled 318 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Usage MSS contains a default radio profile 3Com recommends that you do not change this profile but instead keep the profile for reference Examples The following command shows radio profile information for the default radio profile WX4400 display radio profile default Beacon Interval Fe RTS Short Retry Limit Long Preamble a ax Threshold Tune Channel x Lifetime Service profiles m une Channel Interval Channel Holddown Countmeasures WMM enabled 100 2000 2346 5 NO no 3600 300 none yes default dot1lx DTIM Interval 1 Max Rx Lifetime 2000 Frag Threshold 2346 Long Retry Limit 5 Allow 802 11lg clients only NO Tune Power no Tune Power Interval 600 Power Backoff Timer 10 Activ
94. WEP or use WEP 40 or WEP 104 encryption with WPA or RSN These clients can be affected by the 802 1X reauthentication parameter or the RADIUS Session Timeout parameter 3Com recommends that you try 60 seconds and change the period to a longer value only if clients are unable to authenticate within 60 seconds The bonded authentication period applies only to 802 1X authentication rules that contain the bonded option Examples To set the bonded authentication period to 60 seconds type the following command WX4400 set dotlx bonded period 60 success change accepted See Also display dot1x on page 505 Clear dot1x bonded period on page 500 set dot1x key tx Enables or disables the transmission of encryption key information to the supplicant client in EAP over LAN EAPoL key messages after authentication is successful Syntax set dotlx key tx enable disable enable Enables transmission of encryption key information to clients disable Disables transmission of encryption key information to clients Defaults Key transmission is enabled by default Access Enabled History Introduced in MSS Version 3 0 set dot1x max req 511 Examples Type the following command to enable key transmission WX4400 set dotlx key tx enable success dotlx key transmission enabled See Also display dot1x on page 505 set dot1x max req Sets the maximum number of times the WX retransmi
95. WEP to be rotated at an interval set by the set dot1x wep rekey period for each radio associated VLAN and encryption type The WX generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL key messages disable WEP broadcast and multicast keys are never rotated Defaults WEP key rotation is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage Reauthentication is not required for WEP key rotation to take place Broadcast and multicast keys are always rotated at the same time so all members of a given radio VLAN or encryption type receive the new keys at the same time Examples Type the following command to disable WEP key rotation WX4400 set dotlx wep rekey disable success wep rekeying disabled See Also display dot1x on page 505 set dot1x wep rekey period on page 518 518 CHAPTER 17 802 1X MANAGEMENT COMMANDS set dot1x wep rekey period Sets the interval for rotating the WEP broadcast and multicast keys Syntax set dotlx wep rekey period seconds seconds Specify a value between 30 and 1 641 600 19 days Defaults The default is 1800 seconds 30 minutes Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the WEP rekey period to 300 seconds WX4400 set dotlx wep rekey period 300 success dotlx wep rekey period set to 300 See Also display dot
96. WX switch are numbered 1 through 4 for the 3Com Wireless LAN Controller WX4400 and 1 through 8 for the 3Com Wireless Lan Switch WX1200 No port 0 exists on the WX switch You can include a single port or multiple ports in a command that includes port port list Use one of the following formats for port list A single port number For example WX1200 set port enable 6 A comma separated list of port numbers with no spaces For example WX1200 display port poe 1 2 4 Command Line Editing 29 Ahyphen separated range of port numbers with no spaces For example WX1200 reset port 1 3 Any combination of single numbers lists and ranges Hyphens take precedence over commas For example WX1200 display port status 1 3 6 Virtual LAN Identification The names of virtual LANs VLANs which are used in Mobility Domain communications are set by you and can be changed In contrast VLAN ID numbers which the wireless LAN uses locally are determined when the VLAN is first configured and cannot be changed Unless otherwise indicated you can refer to a VLAN by either its VLAN name or its VLAN number CLI set and display commands use a VLAN s name or number to uniquely identify the VLAN within the WX Command Line Editing MSS editing functions are similar to those of many other network operating systems Keyboard Shortcuts The following table lists the keyboard shortcuts for entering and editing CLI commands
97. When the feature is enabled the WX becomes the querier for a subnet so long as the WX does not receive a query message from a router with a lower IP address than the IP address of the WX in that subnet To enable the pseudo querier feature use set igmp querier Examples The following command changes the other querier present interval on VLAN orange to 200 seconds WX1200 set igmp oqi 200 vlan orange success change accepted 438 CHAPTER 13 IGMP SNOOPING COMMANDS See Also set igmp Imai on page 434 setigmp qi on page 439 setigmp qri on page 440 setigmp querier on page 441 set igmp mrouter on page 435 setigmp rv on page 442 set igmp proxy report Disables or reenables proxy reporting by a WX on one VLAN or all VLANs Syntax set igmp proxy report enable disable vlan vlan id VLAN name or number If you do not specify a VLAN proxy reporting is disabled or reenabled on all VLANs enable Enables proxy reporting disable Disables proxy reporting Defaults Proxy reporting is enabled on all VLANs by default Access Enabled History Introduced in MSS Version 3 0 Usage Proxy reporting reduces multicast overhead by sending only one membership report for a group to the multicast routers and discarding other membership reports for the same group If you disable proxy reporting the WX sends all membership reports to the routers including multiple reports for the s
98. Wireless device that is on the network but is not supposed to be on the network a intfr Wireless device that is not part of your network and is not a rogue but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Countermeasures MAC address of the 3Com radio sending countermeasures Radio MAC against the rogue WX IPaddr System IP address of the WX switch that is managing the MAP that is sending or will send countermeasures Port Radio Channel Port number radio number and channel number of the countermeasures radio For a Distributed MAP the connection number is labeled dap This stands for distributed ap See Also set radio profile countermeasures on page 355 display rfdetect counters Displays statistics for rogue and Intrusion Detection System IDS activity detected by the MAPs managed by a WX switch Syntax display rfdetect counters Defaults None Access Enabled History Introduced in MSS 4 0 display rfdetect counters 543 Examples The following command shows counters for rogue activity detected by a WX switch WX4400 display rfdetect counters Type Current Total Weak wep initialization vectors Spoofed access point mac address attacks Spoofed client mac address attacks bh ao E o E o E o E o E o DE e D i e a e a e D ee a ee D eo DE COCO ae DE e AE OO oO Ssid masquerade attacks Spoofed deauth
99. You can configure up to three NTP servers MSS queries all the servers and selects the best response based on the method described in RFC 1305 Network Time Protocol Version 3 Specification Implementation and Analysis To use NTP you also must enable the NTP client with the set ntp command Examples The following command configures a WX switch to use NTP server 192 168 1 5 WxX4400 set ntp server 192 168 1 5 See Also Clear ntp server on page 131 Clear ntp update interval on page 132 display ntp on page 149 set ntp on page 173 set ntp update interval on page 175 set ntp update interval 175 set ntp update interval Changes how often MSS sends queries to the NTP servers for updates Syntax set ntp update interval seconds seconds Number of seconds between queries You can specify from 16 through 1 024 seconds Defaults The default NTP update interval is 64 seconds Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the NTP update interval to 128 seconds WX4400 set ntp update interval 128 success change accepted See Also Clear ntp server on page 131 Clear ntp update interval on page 132 display ntp on page 149 set ntp on page 173 set ntp server on page 174 set snmp community gt Configures a community string for SNMPv1 or SNMPv2c For SNMPv3 use the set snmp usm command to configure an SNMPv3
100. all Sends or drops all notifications Defaults A default notification profile named default is already configured in MSS All notifications in the default profile are dropped by default Access Enabled History Introduced in MSS Version 4 0 Examples The following command changes the action in the default notification profile from drop to send for all notification types WX1200 set snmp notify profile default send all success change accepted The following commands create notification profile snmpprof_rfdetect and change the action to send for all RF detection notification types WX1200 set snmp notify profile snmpprof rfdetect send RFDetectAdhocUserTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectClientViaRogueWiredAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectDoSTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectAdhocUserTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectInterferingRogueAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectInterferingRogueDisappearTraps success change accepted WX1200 set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectRogueDi
101. an WX switch within the Mobility Domain to which this WX switch belongs network access mode only On some RADIUS servers you might need to use the standard RADIUS attribute Tunnel Pvt Group ID instead of VLAN Name Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To change the value of an attribute enter set mac user attr with the new value To delete an attribute use clear mac user attr You can assign attributes to individual MAC users and to MAC user groups If attributes are configured for a MAC user and also for the group the MAC user is in the attributes assigned to the individual MAC user take precedence for that user For example if the start date attribute configured for a MAC user is sooner than the start date configured for the MAC user group the user is in the MAC user s network access can begin as soon as the user start date The MAC user does not need to wait for the MAC user group s start date 254 CHAPTER 8 AAA COMMANDS Examples The following command assigns input access control list ACL ac 03 to filter the packets from a user at MAC address 01 02 03 04 05 06 WX4400 set mac user 01 02 03 04 05 06 attr filter id acl 03 in success change accepted The following command restricts a user at MAC address 06 05 04 03 02 01 to network access between 7 p m on Mondays and Wednesdays and 7 a m on Tuesdays and Thursdays WX4400 set mac user 06 05 04 03
102. are from 0 to 7 dscp to cos map Resets the mapping between the specified range of DSCP values and internal QoS value with which MSS classifies inbound packets Defaults None Access Enabled History Introduced in MSS Version 4 1 Usage To reset all mappings to their default values use the clear qos command without the optional parameters Examples The following command resets all QoS mappings WX1200 clear qos success change accepted The following command resets the mapping used to classify packets with DSCP value 44 WX1200 clear qos dscp to qos map 44 success change accepted set gos cos to dscp map 121 set qos cos to dscp map Changes the value to which MSS maps an internal QoS value when marking outbound packets Syntax set qos cos to dscp map level dscp dscp value level Internal CoS value You can specify a number from O0 to 7 dscp dscp value DSCP value You can specify the value as a decimal number Valid values are 0 to 63 Defaults The defaults are listed by the display qos command Access Enabled History Introduced in MSS Version 4 1 Examples The following command maps internal CoS value 5 to DSCP value 50 WX1200 set qos cos to dscp map 5 dscp 50 warning cos 5 is marked with dscp 50 which will be classified as cos 6 If the change results in a change to CoS MSS displays a warning message indicating the change In this example p
103. asterisk Table 40 describes the traceroute error messages Table 40 Error messages for traceroute Field Description IN No route to host The network is unreachable IH No route to host The host is unreachable IP Connection refused The protocol is unreachable traceroute 199 Table 40 Error messages for traceroute continued Field Description IF Fragmentation needed but Do Not Fragment DNF bit was set IS Source route failed IA Communication administratively prohibited Unknown error occurred See Also ping on page 156 200 CHAPTER 7 IP SERVICES COMMANDS AAA COMMANDS Use authentication authorization and accounting AAA commands to provide a secure network connection and a record of user activity Location policy commands override any virtual LAN VLAN or security ACL assignment by AAA or the local WX database to help you control access locally Security ACLs are packet filters For command descriptions see Chapter 14 Commands by Usage This chapter presents AAA commands alphabetically Use Table 41 to locate commands in this chapter based on their use Table 41 AAA Commands by Usage Type Command Authentication set authentication console on page 231 set authentication admin on page 229 set authentication dot1x on page 233 set authentication mac on page 239 set authentication last resort on page 236 set authentication proxy on pa
104. attributes 309 Table 57 Output for display ap status terse and display dap status terse Field Description Port WX port number connected to the MAP Fig Operational status flags for the MAP For flag definitions see the key in the command output IP Address IP address of the MAP The address is assigned to the MAP by a DHCP server This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP Model MAP model number MAC Address MAC address of the MAP Radiol State channel and power information for radio 1 The state can be D disabled or E enabled The channel and power settings are shown as channel power Radio2 State channel and power information for radio 2 Uptime Amount of time since the MAP booted using this link display auto tune attributes Displays the current values of the RF attributes RF Auto Tuning uses to decide whether to change channel or power settings Syntax display auto tune attributes ap map num radio 1 2 all Syntax display auto tune attributes dap dap num radio 1 2 all map num MAP port connected to the MAP access point for which to display RF attributes dap num Number of a Distributed MAP for which to display RF attributes radio 1 Shows RF attribute information for radio 1 radio 2 Shows RF attribute information for radio 2 This option does not apply to single radio
105. because of 802 1X authentication failure entry of a clear command or some other event now on IP address and port and radio numbers of the session s current WX SW itch the MAC address of the MAP access point and the last update ime from SW IP address and port and radio numbers of the session s previous WX itch the MAC address of the MAP access point and the last update ime Up to six roaming events are tracked in this display Vlan Name Service Type End Date Start Date Au au thorization attributes for the user and how they were assigned The horization attributes can be assigned either by a RADIUS server or he local database indicated in the output by AAA or by SSID default settings in the service profile the user used to gain access to the network indicated in the output by service profile 530 CHAPTER 18 SESSION MANAGEMENT COMMANDS Table 93 display sessions network session id Output Field Description Global Id A unique session identifier within the Mobility Domain State Status of the session AUTH ASSOC REQ Client is being associated by the 802 1X protocol AUTH AND ASSOC Client is being associated by the 802 1X protocol and the user is being authenticated AUTHORIZING User has been authenticated for example by the 802 1X protocol and an AAA method and is entering AAA authorization AUTHORIZED User has been authorized by an
106. boot prompt boot gt reset WX Bootstrap 3 1 Release Testing Low Memory 1 Testing Low Memory 2 CISTPL VERS 1 4 1 lt SanDisk gt lt SDP gt lt 5 3 0 6 gt Reset Cause 0x0100 is WARM test 635 3Com WX 4400 Bootstrap Bootloader Version 3 0 2 Release Compiled on Wed Sep 22 09 18 47 PDT 2004 by Bootstrap 0 version 3 1 Active Bootloader 0 version 3 0 2 Active Bootstrap 1 version 3 1 Bootloader 1 version FOE WX 4400 Board Revision 2 WX 4400 Controller Revision Jz WXA30001 Rel 8863722 bytes BOOT Index 0 BOOT TYPE e DEVICE boot0 FILENAME default FLAGS 00000000 OPTIONS run nos root md0a See Also boot on page 621 test Displays or changes the state of the poweron test flag The poweron test flag controls whether a WX performs a set of self tests prior to the boot process Syntax test ON on OFF off on Enables the poweron test flag on Same effect as ON OFF Disables the poweron test flag off Same effect as OFF Defaults The poweron test flag is disabled by default Access Boot prompt History Introduced in MSS Version 3 0 636 CHAPTER 24 BOOT PROMPT COMMANDS Examples The following command displays the current setting of the poweron test flag boot gt test The diagnostic execution flag is not set See Also boot on page 621 version Displays version informati
107. by using the set network domain peer command Examples The following command creates a Network Domain named California with the current WX switch as a seed WX1200 set network domain mode seed domain name California success change accepted The seed switch in a Network Domain must also be configured as a member of the Network Domain with the specified seed IP address pointing to the seed itself set network domain mode member seed ip ip addr affinity num For example the following command sets the current WX switch as a member of a Network Domain where the WX switch with IP address 192 168 9 254 is a seed WX1200 set network domain mode member seed ip 192 168 9 254 success change accepted See Also Clear network domain on page 274 display network domain on page 278 11 AN MANAGED ACCESS POINT COMMANDS Use MAP access point commands to configure and manage MAP access points Be sure to do the following before using the commands a Define the country specific IEEE 802 11 regulations on the WX switch See set system countrycode on page 56 a Install the MAP access point and connect it to a port on the WX switch Configure a MAP access port for a directly connected MAP or a Distributed MAP See set port type ap on page 91 and set dap on page 81 CAUTION Changing the system country code after MAP configuration disables MAP access points and deletes their configuration If you change the countr
108. ca certificate admin eap web PEM formatted certificate admin Stores the certificate authority s certificate that signed the administrative certificate for the WX switch The administrative certificate authenticates the WX to 3Com wireless switch manager 3XWM or Web Manager eap Stores the certificate authority s certificate that signed the Extensible Authentication Protocol EAP certificate for the WX switch The EAP certificate authenticates the WX to 802 1X supplicants clients a web Stores the certificate authority s certificate that signed the WebAAA certificate for the WX switch The Web certificate authenticates the WX to clients who use WebAAA PEM formatted certificate ASCII text representation of the certificate authority PKCS 7 certificate consisting of up to 5120 characters that you have obtained from the certificate authority Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage The Privacy Enhanced Mail protocol PEM format is used for representing a PKCS 7 certificate in ASCII text PEM uses base64 encoding to convert the certificate to ASCII text then puts the encoded text between the following delimiters BEGIN CERTIFICATE END CERTIFICATE crypto certificate 471 To use this command you must already have obtained a copy of the cert
109. characters long with no spaces To modify the default notification profile specify default drop send Specifies the action that the SNMP engine takes with regard to the notifications you specify with notification type or all notification type Name of the notification type APBootTraps Generated when a MAP access point boots ApNonOperStatusTraps Generated to indicate a MAP radio is nonoperational ApOperRadioStatusTraps Generated when the status of a MAP radio changes APTimeoutTraps Generated when a MAP access point fails to respond to the WX switch AuthenTraps Generated when the WX switch s SNMP engine receives a bad community string AutoTuneRadioChannelChangeTraps Generated when the RF Auto Tuning feature changes the channel on a radio 178 CHAPTER 7 IP SERVICES COMMANDS AutoTuneRadioPowerChangeTraps Generated when the RF Auto Tuning feature changes the power setting on a radio ClientAssociationFailureTraps Generated when a client s attempt to associate with a radio fails ClientAuthorizationSuccessTraps Generated when a client is successfully authorized ClientAuthenticationFailureTraps Generated when authentication fails for a client ClientAuthorizationFailureTraps Generated when authorization fails for a client ClientClearedTraps Generated when a client s session is cleared ClientDeAssociationTraps Generated when a client is dissociated from a radi
110. clear radius client system ip 487 WX4400 clear radius timeout success change accepted See Also set radius on page 490 set radius server on page 494 display aaa on page 219 clear radius client system ip Removes the WX switch s system IP address from use as the permanent source address in RADIUS client requests from the switch to its RADIUS server s Syntax clear radius client system ip Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The clear radius client system ip command causes the WX switch to use the IP address of the interface through which it sends a RADIUS client request as the source IP address The WX switch selects a source interface address based on information in its routing table as the source address for RADIUS packets leaving the switch Examples To clear the system IP address as the permanent source address for RADIUS client requests type the following command WX4400 clear radius client system ip success change accepted See Also display aaa on page 219 set radius client system ip on page 491 488 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS clear radius proxy client Removes RADIUS proxy client entries for third party APs Syntax clear radius proxy client all Defaults None Access Enabled History Introduced in MSS 4 0 Examples The following command clears all RADIUS proxy client entries from the
111. community on page 175 display snmp community on page 151 clear snmp notify profile Clears an SNMP notification profile Syntax clear snmp notify profile profile name profile name Name of the notification profile you are clearing Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command clears notification profile snmpprof_rfdetect WX1200 clear snmp notify profile snmpprof_rfdetect success change accepted 134 CHAPTER 7 IP SERVICES COMMANDS See Also setsnmp notify profile on page 177 display snmp notify profile on page 152 clear snmp notify target Clears an SNMP notification target Syntax clear snmp notify target target num target num ID of the target Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command clears notification target 3 WX1200 clear snmp notify target 3 success change accepted See Also set snmp notify target on page 181 display snmp notify target on page 152 clear snmp usm Clears an SNMPv3 user Syntax clear snmp usm usm username usm username Name of the SNMPv3 user you want to clear Defaults None Access Enabled History Introduced in MSS Version 4 0 clear summertime 135 Examples The following command clears SNMPv3 user snmpmgr7 WX1200 clear snmp usm snmpmgrl success change acc
112. config Field Description VLAN VLAN number Name VLAN name Admin Status Administrative status of the VLAN a Down The VLAN is disabled Up The VLAN is enabled VLAN State Link status of the VLAN Down The VLAN is not connected a Up The VLAN is connected Tunl Affin Tunnel affinity value assigned to the VLAN Port Member port of the VLAN The port can be a physical port or a virtual port a Physical ports are 10 100 Ethernet or gigabit Ethernet ports on the WX switch and are listed by port number a Virtual ports are tunnels to other WX switches in a mobility domain and are listed as follows t jp addr where ip addr is the system IP address of the WX switch at the other end of the tunnel Note This field can include MAP access ports and wired authentication ports because MSS dynamically adds these ports to a VLAN when handling user traffic for the VLAN Tag Tag value assigned to the port Port State See Also Link state of the port a Down The port is not connected Up The port is connected Clear security 12 restrict on page 99 set security I2 restrict on page 114 set vian port on page 117 set vlan tunnel affinity on page 118 setfdb 113 set fdb Adds a permanent or static entry to the forwarding database Syntax set fdb perm static mac addr port port list vlan vlan id tag tag value perm Ad
113. display spantree portvlancost on page 403 set spantree portviancost on page 417 set spantree portfast Enables or disables STP port fast convergence on one or more ports on a wireless LAN switch Syntax set spantree portfast port port list enable disable port port list List of ports MSS enables the feature on the specified ports enable Enables port fast convergence disable Disables port fast convergence Defaults STP port fast convergence is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage Use port fast convergence on ports that are directly connected to servers hosts or other MAC stations 416 CHAPTER 12 STP COMMANDS Examples The following command enables port fast convergence on ports 2 5 and 7 WX1200 set spantree portfast port 2 4 7 enable success change accepted See Also display spantree portfast on page 402 set spantree portpri Changes the STP priority of a network port or ports for selection as part of the path to the STP root bridge in the default VLAN on a wireless LAN switch Syntax set spantree portpri port list priority value port list List of ports MSS changes the priority on the specified ports priority value Priority value You can specify a value from 0O highest priority through 255 lowest priority Defaults The default STP priority for all network ports is 128 Access
114. existing location policy rule To determine the number use the display location policy command a port port list List of physical port s by which to determine if the location policy rule applies Defaults By default users are permitted VLAN access and assigned security ACLs according to the VLAN Name and Filter Id attributes applied to the users during normal authentication and authorization Access Enabled History Introduced in MSS Version 3 0 SSID option added in MSS Version 3 2 Usage Only a single location policy is allowed per WX switch Once configured the location policy becomes effective immediately To disable location policy operation use the clear location policy command Conditions within a rule are ANDed All conditions in the rule must match for MSS to take the specified action If the location policy contains multiple rules MSS compares the user information to the rules one at a time in the order the rules appear in the switch s configuration file beginning with the rule at the top of the list MSS continues comparing until a user matches all conditions in a rule or until there are no more rules The order of rules in the location policy is important to ensure users are properly granted or denied access To position rules within the location policy use before ru e number and modify rule number in the set location policy command and the clear location policy ru e number command When a
115. fingerprint information in the command output is blank 332 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following example verifies the fingerprint for Distributed MAP 8 WxX4400 set dap 8 fingerprint b4 9 2a 52 37 58 4 d0 10 75 43 2 45 c9 52 c3 success change accepted See Also set dap security on page 345 set service profile cipher wep40 on page 380 on page 391 display ap dap status on page 304 set ap dap group Configures a named group of MAP access points MSS automatically load balances sessions among the access points in a group To balance the sessions MSS rejects an association request for an access point s radio if that radio has at least four more active sessions than the radio of the same type with the least number of active sessions within the group Syntax set ap port list dap dap num auto group name ap port list List of MAP access ports to add to the group dap dap num Number of a Distributed MAP to add to the group dap auto Configures a MAP group for the MAP configuration profile See set dap auto on page 325 a name MAP access point group name of up to 16 alphanumeric characters with no spaces Defaults MAP access points are not grouped by default Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage You can assign any subset or all o
116. for the fver command boot gt help fver fver Display the version of the specified device filename USAGE fver c file d file le file f file boot0 file bootl file boot2 file boot3 file Command to display the version of the compressed image fil associated with the given device filename See Also Ison page 632 Is Displays a list of the boot prompt commands Syntax 1s Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage To display help for an individual command type help followed by the command name for example help boot next 633 Examples To display a list of the commands available at the boot prompt type the following command boot gt 1s ls Display a list of all commands and descriptions help Display help information for each command autoboot Display the state of enable or disable the autoboot option boot Load and execute an image using the current boot configuration profile change Change the current boot configuration profile creat Create a new boot configuration profile delet Delete the current boot configuration profile next Select the next boot configuration profile display Display the current boot configuration profile dir Display the contents of the specified boot partition fver Display the version of the loadable image specified by device filenam version Display HW and Bootstrap Bootloader versi
117. identity OU 28 CHAPTER 1 USING THE COMMAND LINE INTERFACE Port Lists VLAN Globs A VLAN glob is a method for matching one of a set of local rules on an wireless LAN switch known as the location policy to one or more users MSS compares the VLAN glob which can optionally contain wildcard characters against the VLAN Name attribute returned by AAA to determine whether to apply the rule To match all VLANs use the double asterisk wildcard characters with no delimiters To match any number of characters up to but not including a delimiter character in the glob use the single asterisk wildcard Valid VLAN glob delimiter characters are the at sign and the period For example the VLAN glob bldg4 matches bldg4 security and bldg4 hr and all other VLAN names with bldg4 at the beginning Matching Order for Globs In general the order in which you enter AAA commands determines the order in which MSS matches the user MAC address or VLAN to a glob To verify the order view the output of the display aaa or display config command MSS checks globs that appear higher in the list before items lower in the list and uses the first successful match The physical Ethernet ports on a WX switch can be set for connection to MAP access points authenticated wired users or the network backbone You can include a single port or multiple ports in one MSS CLI command by using the appropriate list format The ports on a
118. in the profile Use the set radio profile mode command 348 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Even when association of 802 11b clients is disabled if an 802 11b g radio detects a beacon from an 802 11b network the radio enters protection mode to guard against interference The set radio profile 11g only command does not affect the radio support configured with the set port type ap command For example if you configure a radio to be 802 11b only when you set the port type the set radio profile 11g only enable command does not enable 802 11g support on the radio Examples The following command configures the 802 1 1b g radios in radio profile ro7 to allow associations from 802 11g clients only WX4400 set radio profile rpl 11lg only enable success change accepted See Also display ap dap config on page 290 display radio profile on page 317 set port type ap on page 91 set radio profile mode on page 362 set radio profile active scan Disables or reenables active RF detection scanning on the MAP radios managed by a radio profile When active scanning is enabled MAP radios look for rogue devices by sending probe any requests probe requests with a null SSID name to solicit probe responses from other access points Passive scanning is always enabled and cannot be disabled During passive scanning radios look for rogues by listening for beacons and probe responses Syntax set radio profile n
119. linkup and linkdown traps on ports 3 and 4 WX1200 set port trap 3 4 enable See Also set ip snmp server on page 169 set snmp community on page 175 setporttypeap 91 set port type ap Ty y r Configures an WX switch port for a MAP access point CAUTION When you set the port type for MAP use you must specify the PoE state enable or disable of the port Use the WX switch s PoE to power 3Com MAP access points only If you enable PoE on a port connected to another device physical damage to the device can result Before configuring a port as a MAP access point port you must use the set system countrycode command to set the IEEE 802 11 country specific regulations on the WX switch See set system countrycode on page 56 For a MAP that is indirectly connected to the WX switch through an intermediate Layer 2 or Layer 3 network use the set dap command to configure a Distributed MAP Before changing the port type from ap to wired auth or from wired auth to ap you must reset the port with the clear port type command Syntax set port type ap port list model ap2750 ap3750 ap7250 ap8250 ap8750 mp 52 mp 241 mp 252 mp 262 mp 341 mp 352 mp 372 mp 372 CN mp 37 JP mp 620 poe enable disable radiotype lla 11b 11g a port list List of physical ports model ap2750 ap3750 ap7250 ap8250 ap8750 mp 52 mp 241 mp 252 mp 262 mp 341 mp 352 mp 372 mp 372 C
120. load balance enable disable Enables or disables load balancing of authentication requests among the servers in the group Defaults Load balancing is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage You can optionally enable load balancing after assigning the server group members If you configure load balancing MSS sends each AAA request to a separate server starting with the first one on the list and skipping unresponsive servers If no server in the group responds MSS moves to the next method configured with set authentication and set accounting In contrast if load balancing is not configured MSS always begins with the first server in the list and sends unfulfilled requests to each subsequent server in the group before moving on to the next configured AAA method 498 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS Examples To enable load balancing between the members of server group shorebirds type the following command WX1200 set server group shorebirds load balance enable success change accepted To disable load balancing between shorebirds server group members type the following command WX1200 set server group shorebirds load balance disable success change accepted See Also Clear server group on page 489 Clear radius server on page 489 display aaa on page 219 set server group on page 496 17 A 802 1X MANAGEMENT COMMANDS Use 802 IE
121. must first register your product on the 3Com web site at http eSupport 3com com First time users will need to apply for a user name and password A link to software downloads can be found at http eSupport 3com com Or under the Product Support heading at http www 3com com Software Upgrades are the software releases that follow the software version included with your original product In order to access upgrades and related documentation you must first purchase a service contract from 3Com or your reseller Telephone Technical Support and Repair To enable telephone support and other service benefits you must first register your product at http eSupport 3com com Warranty and other service benefits start from the date of purchase so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you When you contact 3Com for assistance please have the following information ready a Product model name part number and serial number a Proof of purchase if you have not pre registered your product a A list of system hardware and software including revision level a Diagnostic error messages a Details about recent configuration changes if applicable Contact Us 639 To send a product directly to 3Com for repair you must first obtain a return authorization number RMA Products sent to 3Com without authorization numbers clearly marked on the
122. name Syntax clear ip dns domain Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the default DNS domain name from a WX switch WX1200 clear ip dns domain Default DNS domain name cleared See Also Clear ip dns server on page 129 display ip dns on page 144 setip dns on page 164 setip dns domain on page 165 set ip dns server on page 166 clear ip dns server Removes a DNS server from a WX switch configuration Syntax clear ip dns server ip addr ip addr IP address of a DNS server Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes DNS server 10 10 10 69 from a WX switch s configuration WxX4400 clear ip dns server 10 10 10 69 success change accepted 130 CHAPTER 7 IP SERVICES COMMANDS See Also Clear ip dns domain on page 129 display ip dns on page 144 setip dns on page 164 setip dns domain on page 165 set ip dns server on page 166 clear ip route Removes a route from the IP route table Syntax clear ip route default ip addr mask ip addr mask length gateway a default Default route default is an alias for IP address 0 0 0 0 0 ip addr mask IP address and subnet mask for the route destination in dotted decimal notation for example 10 10 10 10 255 255 255 0 ip addr mask length
123. nen nen WX1200 display dotlx config 802 1X user policy tate ting tica tica tica tica tica tica tica tica tica tica tica tica hentica tica tica ted ted ted ted ted ted ted ted ted ted ted ted ted ted ted host bob laptop mycorp com bob mycorp com Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv Vv unknown lan it lan eng lan eng lan eng lan eng lan pm lan eng lan eng lan eng lan eng lan pm lan pm lan cs lan wep lan eng on ssid mycorp doing PASSTHRU Identity EXAMPLE jose EXAMPLE singh bard xmple com EXAMPLE havel EXAMPLE nash xalik xmple com EXAMPLE mishan EXAMPLE ethan EXAMPLE fmarshall EXAMPLE bmccarthy neailey xmple com EXAMPLE tamara dmc xmple com AC authenticated EXAMPLE wong Type the following command to display the 802 1X configuration on ssid mycorp doing PASSTHRU bonded 802 1X parameter supplicant timeout auth server timeout quiet period transmit period reauthentication period maximum requests key transmission reauthentication authentication control WEP rekey period 2 3600 enabled enabled enabled 1800 WEP rekey Bonded period port 5 authcontrol port 6 authcontrol port 7 authcontrol port 8 authcontrol enabled 60 auto auto auto auto max sessions max ses
124. no spaces snmp engine id ip ip addr local hex hex string Specifies a unique identifier for the SNMP engine To send informs you must specify the engine ID of the inform receiver To send traps and to allow get and set operations and so on specify local as the engine ID hex hex string lID is a hexadecimal string ip ip addr lD is based on the IP address of the station running the management application Enter the IP address of the station MSS calculates the engine ID based on the address local Uses the value computed from the switch s system IP address setsnmp usm 189 access read only read notify notify only read write notify read write Specifies the access level of the user xread only An SNMP management application using the string can get read object values on the switch but cannot set write them xread notify An SNMP management application using the string can get object values on the switch but cannot set them The switch can use the string to send notifications notify only The switch can use the string to send notifications xread write An SNMP management application using the string can get and set object values on the switch notify read write An SNMP management application using the string can get and set object values on the switch The switch can use the string to send notifications auth type none md5 sha auth pass phrase string
125. of lines allowed by default for a terminal type Examples To set the number of lines displayed to 100 type the following command WX4400 set length 100 success screen length for this session set to 100 set license Installs an upgrade license for managing more MAPs Syntax set license license key activation key license key License key starting with WXL You can enter the key with or without the hyphens a activation key Activation key starting with WXA You can enter the key with or without the hyphens Defaults The WX4400 can boot and manage 24 MAPs by default Access Enabled History Introduced in MSS Version 3 0 54 CHAPTER 3 SYSTEM SERVICE COMMANDS Usage The license key is shipped with the switch To obtain the activation key access the 3Com web site Each license and activation key pair allows the switch to actively manage an additional 24 MAPs You can install up to three upgrade license and activation key pairs to actively manage up to 96 MAPs Examples To install an upgrade license and activation key type the following command WX4400 set license WXL 076E 93E9 62DA 54D8 WXA 3E04 4CC2 430D B508 Serial Number M8XE4IBB8DB10 License Number 1 245 License Key WXL 076E 93E9 62DA 54D8 Activation key WXA 3E04 4CC2 430D B508 Feature 24 additional ports Expires Never 48 ports are enabled success license was installed The additiona
126. of the Wireless LAN Switch and Controller Configuration Guide Examples The following command disables WMM in radio profile radprofsvp WX4400 set radio profile radprofsvp wmm disable success change accepted See Also set radio profile mode on page 362 display radio profile on page 317 set service profile attr Configures authorization attributes that are applied by default to users accessing the SSID managed by the service profile These SSID default attributes are applied in addition to any supplied by the RADIUS server or from the local database Syntax set service profile name attr attribute name value a name Service profile name a attribute name valu Name and value of an attribute you are using to authorize SSID users for a particular service or session characteristic For a list of authorization attributes and values that you can assign to network users see Table 44 on page 249 All of the attributes listed in Table 44 can be used with this command except ssid Defaults By default a service profile does not have any authorization attributes set Access Enabled History Introduced in MSS 4 1 Usage To change the value of a default attribute for a service profile use the set service profile attr command and specify a new value 372 CHAPTER 11 MANAGED ACCESS POINT COMMANDS The SSID default attributes are applied in addition to any attributes supplied for the user by t
127. of user and user group profiles stored in the local database on the WX switch set accounting admin console on page 225 set authentication admin on page 229 set authentication console on page 231 set authentication dot1x on page 233 222 CHAPTER 8 AAA COMMANDS set authentication last resort on page 236 set authentication mac on page 239 set authentication web on page 242 display accounting statistics Displays the AAA accounting records for wireless users The records are stored in the local database on the WX switch To display RADIUS accounting records see the documentation for your RADIUS server Syntax display accounting statistics Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To display the locally stored accounting records type the following command WX4400 display accounting statistics Sep 26 11 01 48 Acct Status Type START Acct Authentic 2 User Name geetha AAA TTY ATTR 2 Event Timestamp 1064599308 Sept 26 12 50 21 Acct Status Type STOP Acct Authentic 2 User Name geetha AAA TTY ATTR 2 Acct Session Time 6513 Event Timestamp 1064605821 Acct Output Octets 332 Acct Input Octets 61 Sep 26 12 50 33 Acct Status Type START Acct Authentic 2 User Name geetha AAA TTY ATTR 2 Event Timestamp 1064605833 Table 43 describes the fields that can appear in display accounting statistics output Table 43 display accou
128. of usernames and user groups on the WX switch for authentication a server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods For more information see Usage Defaults By default authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch Connection authorization and accounting are also disabled for these users When using RADIUS for authentication a last resort user s default authorization password is 3Com Access Enabled History Introduced in MSS Version 3 0 Usage You can configure different authentication methods for different groups of users by globbing For details see User Globs on page 26 You can configure a rule either for wireless access to an SSID or for wired access through a WX switch s wired authentication port If the rule is for wireless access to an SSID specify the SSID name or specify any to match on all SSID names If the rule is for wired access specify wired instead of an SSID name If you specify multiple authentication methods in the set authentication last resort command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final a f the first method does not respond MSS tries the second
129. offset You can use a standard name or any name you like a start Start of the time change period week Week of the month to start or end the time change Valid values are first second third fourth or last weekday Day of the week to start or end the time change Valid values are sun mon tue wed thu fri and sat month Month of the year to start or end the time change Valid values are jan feb mar apr may jun jul aug sep oct nov and dec a hour Hour to start or end the time change a value between 0 and 23 on the 24 hour clock a min Minute to start or end the time change a value between 0 and 59 end End of the time change period Defaults If you do not specify a start and end time the system implements the time change starting at 2 00 a m on the first Sunday in April and ending at 2 00 a m on the last Sunday in October according to the North American standard Access Enabled History Introduced in MSS Version 3 0 Usage You must first set the time zone with the set timezone command for the offset to work properly without the start and end values Configure summertime before you set the time and date Otherwise summertime s adjustment of the time will make the time incorrect if the date is within the summertime period 192 CHAPTER 7 IP SERVICES COMMANDS Examples To enable summertime and set the summertime time zone to PDT Pac
130. or disables the IGMP pseudo querier on a WX on one VLAN or all VLANs Syntax set igmp querier enable disable vlan vlan id enable Enables the pseudo querier disable Disables the pseudo querier vlan vlan id VLAN name or number If you do not specify a VLAN the pseudo querier is enabled or disabled on all VLANs Defaults The pseudo querier is disabled on all VLANs by default Access Enabled History Introduced in MSS Version 3 0 Usage 3Com recommends that you use the pseudo querier only when the VLAN contains local multicast traffic sources and no multicast router is servicing the subnet Examples The following example enables the pseudo querier on the orange VLAN WX1200 set igmp querier enable vlan orange success change accepted See Also display igmp querier on page 427 set igmp receiver Adds or removes a network port in the list of ports on which a WX forwards traffic to multicast receivers Static multicast receiver ports are immediately added to or removed from the list of receiver ports and do not age out Syntax set igmp receiver port port list enable disable a port port list Network port list MSS adds the specified ports to the list of static multicast receiver ports enable Adds the port to the list of static multicast receiver ports disable Removes the port from the list of static multicast receiver ports 442 CHAPTER 13
131. outside of the package will be returned to the sender unopened at the sender s expense If your product is registered and under warranty you can obtain an RMA number online at http eSupport 3com com First time users will need to apply for a user name and password Contact Us Country 3Com offers telephone e mail and internet access to Technical Support and repair services To access these services for your region use the appropriate telephone number URL or e mail address from the list below Telephone numbers are correct at the time of publication Find a current directory of contact information posted on the 3Com web site at http csoweb4 3com com contactus Telephone Number Country Telephone Number Asia Pacific Rim Telephone Technical Support and Repair Australia Hong Kong India Indonesia Japan Malaysia New Zealand Pakistan 1 800 678 515 Philippines 1235 61 266 2602 or 800 933 486 1800 1 888 9469 61 2 9424 5179 or P R of China 800 810 3033 000800 650 1111 Singapore 800 6161 463 001 803 61009 S Korea 080 333 3308 00531 616 439 or Taiwan 00801 611 261 03 3507 5984 Thailand 001 800 611 2000 1800 801 777 0800 446 398 61 2 9937 5083 You can also obtain support in this region using the following e mail apr_technical_support 3com com Or request a repair authorization number RMA by fax using this number 65 543 6348 Europe Middle East and Africa Telephone Technical Support and Rep
132. page wep key index No keys Uses dynamic WEP rather than static WEP defined If you configure a WEP key for static WEP MSS continues to also support dynamic WEP wep active 1 Uses WEP key 1 for static WEP encryption multicast index of multicast traffic if WEP encryption is enabled and keys are defined wep active unicast 1 Uses WEP key 1 for static WEP encryption index of unicast traffic if WEP encryption is enabled and keys are defined Wpa ie disable Does not use the WPA IE in transmitted frames Access Enabled History Introduced in MSS Version 3 0 Usage You must configure the service profile before you can map it to a radio profile You can map the same service profile to more than one radio profile You must disable all radios that use a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command maps service profile wpa_clients to radio profile rp2 Wx4400 set radio profile rp2 service profile wpa_clients success change accepted See Also a display service profile on page 321 set service profile auth dot1x on page 373 set service profile auth fallthru on page 374 set service profile auth psk on page 375 set service profile beacon on page 376 set radio profile short retry 369 set service profile cipher ccmp on page 377 set service profile cipher tkip on page 378 set service profile ci
133. page 290 330 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set ap dap blink Enables or disables LED blink mode on a MAP access point to make it easy to identify When blink mode is enabled on an AP2750 the 11a LED blinks on and off When blink mode is enabled on an AP7250 the Radio LED flashes red and the Power LED flashes green orange The Ethernet LED does not change When blink mode is enabled on an AP8250 the Radio LED flashes red and the Power LED flashes green orange The Ethernet LED does not change When blink mode is enabled on an AP8750 both Radio LEDs flash red and the Power LED flashes green orange The Ethernet LED does not change When blink mode is enabled on other models MP xxx the health and radio LEDs alternately blink green and amber By default blink mode is disabled Syntax set ap port list dap dap num auto blink enable disable ap port list List of ports connected to the MAP access points on which to turn blink mode on or off dap dap num Number of a Distributed MAP on which to turn blink mode on or off dap auto Configures blink mode for the MAP configuration profile See set dap auto on page 325 enable Enables blink mode disable Disables blink mode Defaults LED blink mode is disabled by default Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile
134. page 442 440 CHAPTER 13 IGMP SNOOPING COMMANDS set igmp qri Changes the IGMP query response interval timer on one VLAN or all VLANs on a WX Syntax set igmp qri tenth seconds vlan vlan id qri tenth seconds Amount of time in tenths of a second that the WX waits for a receiver to respond to a group specific query message before removing the receiver from the receiver list for the group You can specify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN the timer change applies to all VLANs Defaults The default query response interval is 100 tenths of a second 10 seconds Access Enabled History Introduced in MSS Version 3 0 Usage The query response interval is applicable only when the WX is querier for the subnet For the WX to become the querier the pseudo querier feature must be enabled on the WX and the WX must have the lowest IP address among all the WX switches eligible to become a querier To enable the pseudo querier feature use set igmp querier Examples The following command changes the query response interval on VLAN orange to 50 tenths of a second 5 seconds WX1200 set igmp qri 50 vlan orange success change accepted See Also set igmp Imai on page 434 set igmp oqi on page 437 setigmp qi on page 439 setigmp querier on page 441 setigmp rv on page 442 set igmp querier 441 set igmp querier Enables
135. page 56 Configures a WX switch port for a wired authentication user Before changing the port type from ap to wired auth or from wired auth to ap you must reset the port with the clear port type command Syntax set port type wired auth port list tag tag list max sessions num auth fall thru last resort none web portal a port list List of physical ports tag list One or more numbers between 1 and 4094 that subdivide a wired authentication port into virtual ports a num Maximum number of simultaneous user sessions supported last resort Automatically authenticates the user without requiring a username and password none Denies authentication and prohibits the user from accessing the network over this port web portal Serves the user a web page from the MX switch s nonvolatile storage for secure login to the network set port type wired auth 95 Defaults The default tag list is null no tag values The default number of sessions is 1 The default fallthru authentication type is none Access Enabled History Introduced in MSS Version 3 0 Option for WebAAA fallthru authentication type changed from web auth to web portal in MSS Version 4 0 Usage You cannot set a port s type if the port is a member of a port VLAN To remove a port from a VLAN use the clear vlan command To reset a port as a network port use the clear port type command When you change port
136. port IP addr IP address of the MAP The address is assigned to the MAP by a DHCP server Note This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP AP model MAP access point model number manufacturer Company that made the MAP access point fingerprint Hexadecimal fingerprint of the MAP s public encryption key This field is displayed only for Distributed MAPs name MAP access point name Link Status of this link with the MAP access point and the MAP port at the other end of the link The status can be up or down display ap dap status 307 Table 56 Output for display ap status continued Field Description MAP port MAP port number connected to this WX port State State of the MAP a init The MAP has been recognized by the WX but has not yet begun booting booting The MAP has asked the WX for a boot image a image downloading The MAP is receiving a boot image from the WX a image downloaded The MAP has received a boot image from the WX and is booting configuring The MAP has booted and is ready to receive or is already receiving configuration parameters from the WX Operational The MAP has received configuration parameters for one or more radios and is ready to accept client connections configure failure One or more of the radio parameters received from the WX is invalid For Dist
137. problem exists debug Output from debugging local facility facility level For messages sent to a syslog server maps all messages of the severity you specify to one of the standard local log facilities defined in RFC 3164 You can specify one of the following values 0 maps all messages to oca 0 1 maps all messages to oca 7 2 maps all messages to oca 2 3 maps all messages to oca 3 4 maps all messages to oca 4 5 maps all messages to oca 5 6 maps all messages to oca 6 7 maps all messages to ocal7 If you do not specify a local facility MSS sends the messages with their default MSS facilities For example AAA messages are sent with facility 4 and boot messages are sent with facility 20 by default enable Enables messages to the specified target disable Disables messages to the specified target 616 CHAPTER 23 SYSTEM LOG COMMANDS Defaults The following are defaults for the set log commands Events at the error level and higher are logged to the WX console a Events at the error level and higher are logged to the WX system buffer a Trace logging is enabled and debug level output is stored in the WX trace buffer Access Enabled History Introduced in MSS Version 3 0 Usage Using the command with only enable or disable turns logging on or off for the target at all levels For example entering set log buffer enable with no other keyw
138. profile cipher tkip 378 set service profile cipher wep104 379 set service profile cipher wep40 380 set service profile psk phrase 381 set service profile psk raw 382 set service profile rsn ie 383 set service profile shared key auth 384 set service profile ssid name 384 set service profile ssid type 385 set service profile tkip mc time 386 set service profile web auth url 387 set service profile wep active multicast index 388 INDEX 645 set service profile wep active unicast index 389 set service profile wep key index 390 set service profile wpa ie 391 set snmp community 175 set snmp notify profile 177 set snmp notify target 181 set snmp protocol 186 set snmp security 187 set snmp usm 188 set snoop 599 set snoop map 602 set snoop mode 603 set spantree 410 set spantree backbonefast 411 set spantree fwddelay 412 set spantree hello 412 set spantree maxage 413 set spantree portcost 414 set spantree portfast 415 set spantree portpri 416 set spantree portvlancost 417 set spantree portvlanpri 418 set spantree priority 419 set spantree uplinkfast 419 set summertime 191 set system contact 55 set system countrycode 56 set system idle timeout 58 set system ip address 59 192 set system location 59 set system name 60 set timedate 193 set timezone 194 set trace authentication 592 set trace authentication mac addr 592 set trace authentication port 592 set trace authentication
139. profile rpl max rx lifetime 4000 success change accepted See Also set radio profile mode on page 362 set radio profile max tx lifetime on page 361 display radio profile on page 317 set radio profile max tx lifetine 361 set radio profile max tx lifetime Changes the maximum transmit threshold for the MAP radios in a radio profile The maximum transmit threshold specifies the number of milliseconds that a frame scheduled to be transmitted by a radio can remain in buffer memory Syntax set radio profile name max tx lifetime time name Radio profile name time Number of milliseconds You can enter a value from 500 0 5 second through 250 000 250 seconds Defaults The default maximum transmit threshold for MAP radios is 2000 ms 2 seconds Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command changes the maximum transmit threshold for radio profile ro7 to 4000 ms WX4400 set radio profile rpl max tx lifetime 4000 success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile max rx lifetime on page 360 362 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set radio profile mode Creates a new radio profile or disables o
140. radio antennatype command Access Enabled History Introduced in MSS Version 3 0 New values for model option added in Version 4 1 a AP3750 a AP2750 Usage You cannot set a port s type if the port is a member of a port VLAN To remove a port from a VLAN use the clear vlan command To reset a port as a network port use the clear port type command When you change port type MSS applies default settings appropriate for the port type Table 18 lists the default settings that MSS applies when you set a port s type to ap set port typeap 93 Table 18 MAP Access Port Defaults Port Parameter Setting VLAN membership Removed from all VLANs You cannot assign a MAP access port to a VLAN MSS automatically assigns MAP access ports to VLANs based on user traffic Spanning Tree Protocol Not applicable STP 802 1X Uses authentication parameters configured for users Port groups Not applicable IGMP snooping Enabled as users are authenticated and join VLANs Maximum user Not applicable sessions This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch To manage a MAP access point on a switch model that does not have 10 100 Ethernet ports use the set dap command to configure a Distributed MAP connection on the switch Examples The following command sets ports 1 through 3 and port 5 for MAP access point model AP2750 and enables PoE on the ports WX1200
141. required and a time range in hhmm hhmm 4 digit 24 hour format optional mo Monday tu Tuesday we Wednesday th Thursday fr friday sa Saturday su Sunday wk Any day between Monday and Friday Separate values or a series of ranges except time ranges with commas or a vertical bar Do not use spaces The maximum number of characters is 253 For example to allow access only on Tuesdays and Thursdays between 10 a m and 4 p m specify the following time of day tu1000 1600 th1000 1600 To allow access only on weekdays between 9 a m and 5 p m and on Saturdays from 10 p m until 2 a m specify the following time of day wk0900 1700 sa2200 0200 Also see the examples for set user attr on page 259 You can use time of day in conjunction with start date end date or both set mac user attr 253 Table 44 Authentication Attributes for Local Users continued url URL to which the user is Web URL in standard format For fetnork cces redirected after example successful WebAAA mode only http Awww example com You must include the http portion You can dynamically include any of the variables in the URL string u Username v VLAN s SSID p Service profile name To use the literal character or use the following q vlan name Virtual LAN VLAN Name of a VLAN that you want the assignment user to use The VLAN must be configured on
142. rogues by other means Changes the number of times after every beacon that each MAP radio in a radio profile sends a delivery traffic indication map DTIM A MAP access point sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID Syntax set radio profile name dtim interval interval name Radio profile name a interval Number of times the DTIM is transmitted after every beacon You can enter a value from 1 through 31 Defaults By default MAP access points send the DTIM once after each beacon Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command The DTIM interval does not apply to unicast frames Examples The following command changes the DTIM interval for radio profile rp7 to 2 WX4400 set radio profile rpl dtim interval 2 success change accepted 358 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile frag threshold Changes the fragmentation threshold for the MAP radios in a radio profile The fragmentation threshold specifies the maximum length a frame is allowed to be without being broken into mul
143. running trace commands and ends trace processes Syntax clear trace trace area all a trace area Ends a particular trace process Specify one of the following keywords to end the traces documented in this chapter authorization Ends an authorization trace dot1x Ends an 802 1X trace authentication Ends an authentication trace sm Ends a session manager trace all Ends all trace processes Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To clear all trace processes type the following command WX4400 clear trace all success clear trace all display trace 591 To clear the session manager trace type the following command WX4400 clear trace sm success clear trace sm See Also display trace on page 591 set trace authentication on page 592 set trace authorization on page 593 set trace dot1x on page 594 set trace sm on page 595 display trace Displays information about traces that are currently configured on the WX switch or all possible trace options Syntax display trace all all Displays all possible trace options and their configuration Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To view the traces currently running type the following command WX4400 display trace milliseconds spent printing traces 1885 614 Trace Area Level Mac User Port
144. sec Forward Delay 15 sec Bridge ID MAC ADDR 00 Ob O0e 02 76 7 Bridge ID Priority 32768 Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec Port Vlan Port State Cost Prio Portfast 1 Forwarding 9 128 Disabled 2 Disabled 9 128 Disabled 3 Disabled 9 128 Disabled 4 Disabled 9 128 Disabled 5 Disabled 9 128 Disabled 6 Forwarding 9 128 Disabled 7 Disabled 9 128 Disabled 8 Disabled 9 128 Disabled display spantree 399 Table 69 describes the fields in this display Table 69 Output for display spantree Field Description VLAN VLAN number Spanning tree mode In the current software version the mode is always PVST which means Per VLAN Spanning Tree Spanning tree type In the current software version the type is always EEE which means MSS STP is 802 1D compatible Spanning tree enabled State of STP on the VLAN Designated Root MAC address of the spanning tree s root bridge Designated Root Priority Bridge priority of the root bridge Designated Root Path Cost Cumulative cost from this bridge to the root bridge If this WX switch is the root bridge then the root cost is 0 Designated Root Port Port through which this WX switch reaches the root bridge If this WX switch is the root bridge this field says We are the root Root Max Age Maximum acceptable age for hello packets on the root bridge Root Hello Time Hello inter
145. server enable success change accepted See Also Clear ip telnet on page 131 setntp 173 display ip https on page 145 display ip telnet on page 148 setip https server on page 167 setip telnet on page 171 set ntp Enables or disables the NTP client on a wireless LAN switch Syntax set ntp enable disable a enable Enables the NTP client disable Disables the NTP client Defaults The NTP client is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage If NTP is configured on a system whose current time differs from the NTP server time by more than 10 minutes convergence of the WX time can take many NTP update intervals 3Com recommends that you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in convergence Examples The following command enables the NTP client WxX4400 set ntp enable success NTP Client enabled See Also Clear ntp server on page 131 Clear ntp update interval on page 132 display ntp on page 149 set ntp server on page 174 set ntp update interval on page 175 174 CHAPTER 7 IP SERVICES COMMANDS set ntp server Configures a wireless LAN switch to use an NTP server Syntax set ntp server ip addr ip addr IP address of the NTP server in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage
146. set authentication web on page 242 set radius on page 490 set server group on page 496 set server group Configures a group of one to four RADIUS servers Syntax set server group group name members server namel server name2 server name3 server name4 group name Server group name of up to 32 characters with no spaces or tabs members server namel server name2 server name3 server name4 The names of one or more configured RADIUS servers You can enter up to four server names Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You must assign all group members simultaneously as shown in the example To enable load balancing use set server group load balance enable set server group load balance 497 Do not use the same name for a RADIUS server and a RADIUS server group Examples To set server group shorebirds with members heron egret and sandpiper type the following command WX1200 set server group shorebirds members heron egret sandpiper success change accepted See Also Clear server group on page 489 display aaa on page 219 set server group load balance on page 497 set server group load balance Enables or disables load balancing among the RADIUS servers in a server group Syntax set server group group name load balance enable disable group name Server group name of up to 32 characters
147. set service profile beacon on page 376 Radio Properties set radio profile 11g only on page 347 set radio profile beacon interval on page 355 set radio profile rts threshold on page 365 set radio profile frag threshold on page 358 set radio profile short retry on page 369 set radio profile long retry on page 359 set radio profile max rx lifetime on page 360 set radio profile max tx lifetime on page 361 set radio profile preamble length on page 364 set radio profile countermeasures on page 355 set radio profile active scan on page 348 set radio profile wmm on page 370 Authentication and Encryption set service profile attr on page 371 set service profile auth dot1x on page 373 set service profile auth fallthru on page 374 set service profile web portal form on page 387 set service profile auth psk on page 375 MAP Access Point Commands by Usage 285 Table 49 Map Access Point Commands by Usage continued Type Command set service profile wpa ie on page 391 set service profile rsn ie on page 383 set service profile cipher ccmp on page 377 set service profile cipher tkip on page 378 set service profile cipher wep104 on page 379 set service profile cipher wep40 on page 380 set service profile psk phrase on page 381 set service profile psk raw on page 382 set service profile tkip mc time on page 386 se
148. shows the keywords but not the variables For example the following command name appears at the top of a command description and in the index set ap dap name The set ap dap name command has the following complete syntax set ap port list dap dap num name name A brief description of the command s functions The full command syntax Any command defaults The command access which is either enabled or all All indicates that anyone can access this command Enabled indicates that you must enter the enable password before entering the command The command history which identifies the MSS version in which the command was introduced and the version numbers of any subsequent updates Special tips for command usage These are omitted if the command requires no special usage One or more examples of the command in context with the appropriate system prompt and response One or more related commands ACCESS COMMANDS This chapter describes access commands used to control access to the Mobility Software System MSS command line interface CLI Commands by Usage This chapter presents access services commands alphabetically Use Table 5 to located commands in this chapter based on their use Table 5 Access Commands by Usage Type Command Access Privileges enable on page 34 set enablepass on page 35 disable on page 33 quit on page 34 disable Changes the CLI sessio
149. so on However if local appears first followed by a RADIUS server group MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group If a AAA rule specifies local as a secondary AAA method to be used if the RADIUS servers are unavailable and MSS authenticates a client with the local method MSS starts again at the beginning of the method list when attempting to authorize the client This can cause unexpected delays during client processing and can cause the client to time out before completing logon Examples The following command configures administrator Jose who connects via Telnet for authentication on RADIUS server group sg3 WX4400 set authentication admin Jose sg3 success change accepted See Also Clear authentication admin on page 204 display aaa on page 219 set authentication console on page 231 set authentication dot1x on page 233 set authentication last resort on page 236 set authentication console 231 set authentication mac on page 239 set authentication web on page 242 set authentication console Configures authentication and defines where it is performed for specified users with administrative access through a console connection Syntax set authentication console user glob methodl1 method2 method3 method4 a user glob Single user or set of users with administrative access through the switch s console
150. success change accepted The following command assigns users accessing the SSID managed by service profile sp2 to the Mobility Profile tulip WX4400 set service prof sp2 attr mobility profile tulip success change accepted The following command limits the days and times when users accessing the SSID managed by service profile sp2 can access the network to 5 p m to 2 a m every weekday and all day Saturday and Sunday WX1200 set service prof sp2 attr time of day Wk1700 0200 Sa Su success change accepted set service profile auth dot1x 373 See Also a display service profile on page 321 display sessions network on page 525 set service profile auth dot1x Disables or reenables 802 1X authentication of Wi Fi Protected Access WPA clients by MAP radios when the WPA information element IE is enabled in the service profile that is mapped to the radio profile that the radios are using Syntax set service profile name auth dot1lx enable disable name Service profile name enable Enables 802 1X authentication of WPA clients disable Disables 802 1X authentication of WPA clients Defaults When the WPA IE is enabled 802 1X authentication of WPA clients is enabled by default If the WPA IE is disabled the auth dot1x setting has no effect Access Enabled History Introduced in MSS Version 3 0 Usage This command does not disable dynamic WEP for non WPA clients To disabl
151. the documentation for your RADIUS server 448 CHAPTER 14 SECURITY ACL COMMANDS Syntax clear security acl map acl name all vlan vlan id port port list tag tag value dap dap num in out acl name Name of an existing security ACL to clear ACL names start with a letter and are case insensitive all Removes security ACL mapping from all physical ports virtual ports and VLANs on a WX switch vlan vlan id VLAN name or number MSS removes the security ACL from the specified VLAN port port list Port list MSS removes the security ACL from the specified WX physical port or ports tag tag value Tag value that identifies a virtual port in a VLAN Specify a value from 1 through 4095 MSS removes the security ACL from the specified virtual port dap dap num One or more Distributed MAPs based on their connection IDs Specify a single connection ID or specify a comma separated list of connection IDs a hyphen separated range or any combination with no spaces MSS removes the security ACL from the specified Distributed MAPs in Removes the security ACL from traffic coming into the WX switch out Removes the security ACL from traffic going out of the WX switch Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To clear a security ACL map type the name of the ACL with the VLAN physical port or ports virtual port tag
152. the devices in the ignore list Syntax display rfdetect ignore Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following example displays the list of ignored devices WX4400 display rfdetect ignore Total number of entries 2 Ignore MAC aa bb cc 11 22 33 aa bb cc 44 55 66 See Also Clear rfdetect ignore on page 535 set rfdetect ignore on page 558 display rfdetect mobility domain Displays the rogues detected by all WX switches in the Mobility Domain during RF detection scans Syntax display rfdetect mobility domain ssid ssid name bssid mac addr a ssid ssid name Displays rogues that are using the specified SSID bssid mac addr Displays rogues that are using the specified BSSID Defaults None Access Enabled History Introduced in MSS Version 3 0 Bssid and ssid options added Vendor Type and Flag fields added in MSS Version 4 0 display rfdetect mobility domain 547 Usage This command is valid only on the seed switch of the Mobility Domain To display rogue information for an individual switch use the display rfdetect data command on that switch Only rogues are listed To display all devices detected including 3Com radios use the display rfdetect data command Examples The following example displays information about the BSSIDs detected in the Mobility Domain managed by the seed switch WX1200 display rfde
153. to be on the network The device has an entry in a WX switch s FDB and is therefore on the network a intfr Wireless device that is not part of your network but is not a rogue The device does not have an entry in a WX switch s FDB and is not actually on the network but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Port Radio Channel Port number radio number and channel number of the radio that detected the rogue For a Distributed MAP the connection number is labeled dap This stands for distributed ap Flags Classification and encryption information for the rogue a Thei a or u flag indicates the classification The other flags indicate the encryption used by the rogue For flag definitions see the key in the command output RSSI Received signal strength indication RSSI the strength of the RF signal detected by the MAP radio in decibels referred to 1 milliwatt dBm Age Age of the rogue listing in seconds Rogues age out of the rogue list after one minute SSID See Also Service set identifier SSID associated with the BSSID display rfdetect mobility domain on page 546 display rfdetect visible on page 552 546 CHAPTER 19 RF DETECTION COMMANDS display rfdetect ignore Displays the BSSIDs of third party devices that MSS ignores during RF scans MSS does not generate log messages or traps for
154. traffic CAUTION f you change the Telnet port number from a Telnet session MSS immediately ends the session To open a new management session you must Telnet to the WX switch with the new Telnet port number Syntax set ip telnet port num a port num TCP port number Defaults The default Telnet port number is 23 Access Enabled 172 CHAPTER 7 IP SERVICES COMMANDS History Introduced in MSS Version 3 0 Examples The following command changes the Telnet port number on a WX switch to 5000 WX4400 set ip telnet 5000 success change accepted See Also Clear ip telnet on page 131 display ip https on page 145 display ip telnet on page 148 setip https server on page 167 setip telnet server on page 172 set ip telnet server AN Enables the Telnet server on a wireless LAN switch CAUTION If you disable the Telnet server Telnet access to the WX switch is also disabled Syntax set ip telnet server enable disable enable Enables the Telnet server disable Disables the Telnet server Defaults The Telnet server is disabled by default Access Enabled Usage The maximum number of Telnet sessions supported on a WX switch is eight If SSH is also enabled the WX switch can have up to eight Telnet or SSH sessions in any combination and one console session Examples The following command enables the Telnet server on a WX switch WX4400 set ip telnet
155. type the following command WX1200 set mobility profile mode enable success change accepted 258 CHAPTER 8 AAA COMMANDS See Also Clear mobility profile on page 215 display mobility profile on page 224 set mobility profile on page 255 set user Configures a user profile in the local database on the WX switch for a user with a password To configure a user profile in RADIUS see the documentation for your RADIUS server Syntax set user username password encrypted string username Username of a user with a password encrypted Indicates that the password string you entered is already in its encrypted form If you use this option MSS does not encrypt the displayed form of the password string and instead displays the string exactly as you entered it If you omit this option MSS does encrypt the displayed form of the string password string Password of up to 32 alphanumeric characters with no spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Although MSS allows you to configure a user password for the special last resort guest user the password has no effect Last resort users can never access a WX in administrative mode and never require a password Examples The following command creates a user profile for user Nin in the local database and assigns the password goody WX4400 set user Nin password goody success
156. user SNMPv3 does not use community strings Syntax set snmp community comm string access read only read notify notify only read write notify read write comm string Name of the SNMP community Specify between 1 and 32 alphanumeric characters with no spaces read only Allows an SNMP management application using the string to get read object values on the switch but not to set write them 176 CHAPTER 7 IP SERVICES COMMANDS xread notify Allows an SNMP management application using the string to get object values on the switch but not to set them The switch can use the string to send notifications notify only Allows the switch to use the string to send notifications xread write Allows an SNMP management application using the string to get and set object values on the switch notify read write Allows an SNMP management application using the string to get and set object values on the switch The switch also can use the string to send notifications Defaults None Access Enabled History Introduced in MSS Version 3 0 Default community strings changed from public for read only and private for read write to blank in MSS Version 3 1 Default strings removed and new access types added for SNMPv3 read notify notify only notify read write in MSS Version 4 0 Usage SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c 3Com recommends that
157. vian num name name a vlan num VLAN number You can specify a number from 2 through 4093 name String up to 16 alphabetic characters long Defaults VLAN 1 is named default by default No other VLANs have default names Access Enabled History Introduced in MSS Version 3 0 Usage You must assign a name to a VLAN other than the default VLAN before you can add ports to the VLAN 3Com recommends that you do not use the name default This name is already used for VLAN 1 3Com also recommends that you do not rename the default VLAN You cannot use a number as the first character ina VLAN name 3Com recommends that you do not use the same name with different capitalizations for VLANs For example do not configure two separate VLANs with the names red and RED VLAN names are case sensitive for RADIUS authorization when a client roams to a wireless LAN switch If the WX switch is not configured with the VLAN the client is on but is configured with a VLAN that has the same spelling but different capitalization authorization for the client fails For example if the client is on VLAN red but the WX switch to which the client roams has VLAN RED instead RADIUS authorization fails Examples The following command assigns the name marigold to VLAN 3 WX4400 set vlan 3 name marigold success change accepted See Also set vian port on page 117 set vlan port 117 set vlan port Assigns one or more n
158. wpa ie on page 391 set service profile Enables dynamic Wired Equivalent Privacy WEP with 40 bit keys in a cipher wep40 service profile Syntax set service profile name cipher wep40 enable disable name Service profile name enable Enables 40 bit WEP encryption for WPA clients disable Disables 40 bit WEP encryption for WPA clients Defaults 40 bit WEP encryption is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage To use 40 bit WEP with WPA clients you must also enable the WPA IE When 40 bit WEP in WPA is enabled in the service profile radios managed by a radio profile that is mapped to the service profile can also support non WPA clients that use dynamic WEP To support WPA clients that use 104 bit dynamic WEP you must enable WEP with 104 bit keys in the service profile Use the set service profile cipher wep104 command Microsoft Windows XP does not support WEP with WPA To configure a service profile to provide dynamic WEP for XP clients leave WPA disabled and use the set service profile wep commands To support non WPA clients that use static WEP you must configure static WEP keys Use the set service profile wep key index command set service profile psk phrase 381 Examples The following command configures service profile so2 to use 40 bit WEP encryption WxX4400 set service profile sp2 cipher wep40 enable success change accepte
159. 0 Vendor Type and Flag fields added in MSS Version 4 0 Usage You can enter this command on any WX switch in the Mobility Domain The output applies only to the switch on which you enter the command To display all devices that a specific 3Com radio has detected even if the radio is managed by another WX switch use the display rfdetect visible command To display rogue information for the entire Mobility Domain use the display rfdetect mobility domain command on the seed switch Only one MAC address is listed for each 3Com radio even if the radio is beaconing multiple SSIDs Examples The following command shows the devices detected by this WX switch during the most recent RF detection scan WX1200 display rfdetect data Total number of entries 7 BSSID Port Rad Chan RSSI Age SSID 00 06 25 09 39 4a 5 1 3720 15 rack29 hostap 00 06 25 51 e9 ff 4 1 10 85 15 Arrow OO 062525168954 541 10 84 15 Arrow 00 0b 0e 00 00 00 4 1 1 78 15 gary eng 00 0b 0e 00 02 00 4 1 Tas 76 15 public 00 0b 0e 00 02 00 ay pik 11 74 15 public 00 0b 0e 00 02 01 4 1 56 68 15 public Table 98 describes the fields in this display display rfdetect data 545 Table 98 display rfdetect data Output Field Description BSSID BSSID detected by a MAP radio on this WX switch Vendor Company that manufactures or sells the rogue device Type Classification of the rogue device a rogue Wireless device that is not supposed
160. 00 set dap 1 serial id M9DE48B012F00 model ap2750 success change accepted The following command removes Distributed MAP 1 WX4400 clear dap 1 This will clear specified DAP devices Would you like to continue y n nly See Also Clear dap on page 64 setport 83 Clear port type on page 68 set port type ap on page 91 set radio profile 11g only on page 347 set system countrycode on page 56 set port Administratively disables or reenables a port Syntax set port enable disable port list enable Enables the specified ports disable Disables the specified ports port list List of physical ports MSS disables or reenables all the specified ports Defaults All ports are enabled Access Enabled History Introduced in MSS Version 3 0 Usage A port that is administratively disabled cannot send or receive packets This command does not affect the link state of the port Examples The following command disables port 6 WX1200 set port disable 6 success set disable on port 6 The following command reenables the port WX1200 set port enable 6 success set enable on port 6 See Also reset port on page 81 84 CHAPTER 4 PORT COMMANDS set port group Configures a load sharing port group All ports in the group function as a single logical link Syntax set port group name group name port list mode on off name group name Alp
161. 02 01 attr time of day mo1900 1159 tu0000 0700 we1900 1159 th0000 0700 success change accepted See Also Clear mac user attr on page 212 display aaa on page 219 set mac usergroup attr Creates a user group in the local database on the WX switch for users who are authenticated by a MAC address and assigns authorization attributes for the group To configure a user group and assign authorization attributes through RADIUS see the documentation for your RADIUS server Syntax set mac usergroup group name attr attribute name value group name Name of a MAC user group Specify a name of up to 32 alphanumeric characters with no spaces attribute name valu Name and value of an attribute you are using to authorize all MAC users in the group for a particular service or session characteristic For a list of authorization attributes see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 set mobility profile 255 Usage To change the value of an attribute enter set mac usergroup attr with the new value To delete an attribute use clear mac usergroup attr You can assign attributes to individual MAC users and to MAC user groups If attributes are configured for a MAC user and also for the group the MAC user is in the attributes assigned to the individual MAC user take precedence for that user For example if the start date attribute configured for a
162. 09 Defaults By default authentication control for individual wired authentication is enabled Access Enabled History Introduced in MSS Version 3 0 Usage This command applies only to wired authentication ports Examples To enable per port 802 1X authentication on wired authentication ports type the following command WX4400 set dotlx authcontrol enable success dotlx authcontrol enabled See Also display dot1x on page 505 set dot1x port control on page 512 set dot1x bonded period Changes the Bonded Auth bonded authentication period which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802 1X client on the machine to start re authentication for the user You must set the bonded period to longer than 0 seconds to enable bonded authentication Syntax set dotlx bonded period seconds a seconds Number of seconds MSS retains session information for an authenticated machine while waiting for a client to re authenticate on the same machine You can change the bonded authentication period to a value from 1 to 300 seconds Defaults The default bonded period is O seconds which disables the feature Access Enabled History Introduced in MSS Version 3 0 510 CHAPTER 17 802 1X MANAGEMENT COMMANDS Usage Normally the Bonded Auth period needs to be set only if the network has Bonded Auth clients that use dynamic
163. 1 24 IP 0 Direct vlan 2 ip 10 0 2 1 32 IP 0 Direct vlan 2 ip 10 0 1 1 24 10 0 2 255 32 IP 0 Direct vlan 2 ip 10 0 1 1 24 224 0 0 0 4 IP 0 Local MULTICAST Table 37 describes the fields in this display Table 37 Output of display ip route Field Description Destination Mask IP address and subnet mask of the route destination The 244 0 0 0 route is automatically added by MSS and supports the IGMP snooping feature Proto Protocol that added the route to the IP route table The protocol can be one of the following a IP MSSS added the route Static An administrator added the route Metric Cost for using the route 148 CHAPTER 7 IP SERVICES COMMANDS Table 37 Output of display ip route continued Field Description NH Type Next hop type a Local Route is for a local interface MSS adds the route when you configure an IP address on the WX switch a Direct Route is for a locally attached subnet MSS adds the route when you add an interface in the same subnet to the WX switch a Router Route is for a remote destination A WX switch forwards traffic for the destination to the gateway router Gateway Next hop router for reaching the route destination This field applies only to static routes VLAN Interface See Also Destination VLAN protocol type and IP address of the route Because direct routes are for local interfaces a destination IP address is not listed
164. 10 14 00 02 04 06 08 0e 258 237 2092999290 5 10 10 10 12 00 02 04 06 08 0c 258 5 10 10 10 10 00 02 04 06 08 0a 258 Querier information Querier for vlan orange Port Querier IP Querier MAC TTL 1 193 122 135 178 00 0b cc d2 e9 b4 23 IGMP vlan member ports 1 2 3 IGMP static ports none IGMP statistics for vlan orange General Queries 0 0 0 GS Queries 0 0 0 Report V1 0 0 0 Report V2 5 T 4 Leave 0 0 0 router Adv 0 0 0 router Term 0 0 0 router Sol 50 101 0 DVMRP 4 4 0 PIM V1 0 0 0 PIM V2 0 0 0 Topology notifications 0 Packets with unknown IGMP type 0 Packets with bad length 0 Packets with bad checksum 0 Packets dropped 4 Table 75 describes the fields in this display 424 CHAPTER 13 IGMP SNOOPING COMM ANDS Table 75 Output for display igmp Field Description VLAN VLAN name MSS displays information separately for each VLAN IGMP is enabled disabled Proxy reporting IGMP state Proxy reporting state Mrouter solicitation Multicast router solicitation state Querier functionality Pseudo querier state Configuration values Query interval qi Configuration values Other querier present interval oqi Configuration values Query response interval ari Configuration values Last member query interval Imqi Configuration values Robustness value rvalue Multicast router List of multicast routers and active m
165. 17 9DE48B123600 10 3 8 1 HIGH 9DE48B123600 10 4 3 2 LOW 18 9DE48B123700 10 3 8 1 LOW 9DE48B123700 10 4 3 2 HIGH Table 61 describes the fields in this display Table 61 Output for display dap global Field Description DAP Connection ID you assigned to the Distributed MAP Note DAP numbers are listed only for Distributed MAPs configured on this WX switch If the field contains a hyphen the Distributed MAP configuration displayed in the row of output is on another WX switch Serial Id Serial ID of the Distributed MAP WX IP Address System IP address of the WX switch on which the Distributed MAP is configured A separate row of output is displayed for each WX switch on which the Distributed MAP is configured Bias Bias of the WX switch for the Distributed MAP a Low 316 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also display ap dap config on page 290 display dap connection on page 313 display dap unconfigured on page 316 set dap on page 81 set ap dap bias on page 328 display dap unconfigured Displays Distributed MAPs that are physically connected to the network but that are not configured on any WX switches Syntax display dap unconfigured Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command also displays a MAP that is directly connected to a WX switch if the WX port to
166. 1x on page 505 set dot1x wep rekey on page 517 18 SESSION MANAGEMENT COMMANDS Use session management commands to display and clear administrative and network user sessions Commands by Usage This chapter presents session management commands alphabetically Use Table 88 to locate commands in this chapter based on their use Table 88 Session Management Commands by Usage Type Command Administrative Sessions display sessions on page 522 clear sessions on page 519 Network Sessions display sessions network on page 525 clear sessions network on page 521 clear sessions Clears all administrative sessions or clears administrative console or Telnet sessions Syntax clear sessions admin console telnet client session id admin Clears sessions for all users with administrative access to the WX switch through a Telnet or SSH connection or a console plugged into the switch console Clears sessions for all users with administrative access to the WX switch through a console plugged into the switch telnet Clears sessions for all users with administrative access to the WX switch through a Telnet connection a telnet client session id Clears all Telnet client sessions from the CLI to remote devices or clears an individual session identified by session ID 520 CHAPTER 18 SESSION MANAGEMENT COMMANDS Defaults None Access Enabled History Introduced i
167. 23 lt gt amp The quick brown fox jumps over the lazy sl success change accepted See Also set mac user attr on page 249 set service profile auth psk on page 375 set service profile psk raw on page 382 set service profile wpa ie on page 391 set service profile psk raw Configures a raw hexadecimal preshared key PSK to use for authenticating WPA clients in a service profile Radios use the PSK as a pairwise master key PMK to derive unique pairwise session keys for individual WPA clients Syntax set service profile name psk raw hex a name Service profile name hex A 64 bit ASCII string representing a 32 digit hexadecimal number Enter the two character ASCII form of each hexadecimal number Defaults None Examples Enabled History Introduced in MSS Version 3 0 Usage MSS converts the hexadecimal number into a 256 bit binary number for system use MSS also stores the hexadecimal key in the WX switch s configuration The binary number is never displayed in the configuration To use PSK authentication you must enable it and you also must enable the WPA IE set service profile rsn ie 383 Examples The following command configures service profile so3 to use a raw PSK with PSK clients WX4400 set service profile sp3 psk raw c25d3fe4483e867 d1ldf96eaacd 8b02451 a0836162e758100f5 6b87965e59d success change accepted See Also set mac user attr on page 249
168. 28 Time and Date set timedate on page 193 set timezone on page 194 set summertime on page 191 display timedate on page 155 display timezone on page 155 display summertime on page 154 clear timezone on page 136 clear summertime on page 135 NTP set ntp on page 173 set ntp server on page 174 set ntp update interval on page 175 display ntp on page 149 clear ntp server on page 131 clear ntp update interval on page 132 ARP set arp on page 158 set arp agingtime on page 159 display dhcp client on page 138 SNMP set snmp protocol on page 186 set snmp security on page 187 set snmp community on page 175 set snmp usm on page 188 clear interface 127 Table 28 IP Services Commands by Usage continued Type Command set snmp notify profile on page 177 set snmp notify target on page 181 set ip snmp server on page 169 display snmp status on page 153 display snmp community on page 151 display snmp usm on page 154 display snmp notify profile on page 152 display snmp notify target on page 152 display snmp counters on page 152 clear snmp community on page 133 clear snmp usm on page 134 clear snmp notify profile on page 133 clear snmp notify target on page 134 Ping ping on page 156 Telnet Client telnet on page 195 Traceroute traceroute on page 197 DHCP ser
169. 30 b6 3e 5c a8 9 2 vlan 2 Y O 04 04 04 04 04 04 0 Table 24 describes the fields in the display Table 24 Output for display security 12 restrict Field Description VLAN VLAN number Name VLAN name En Enabled state of the feature for the VLAN a Y Enabled Forwarding of Layer 2 traffic from clients is restricted to the MAC address es listed under Permit MAC a N Disabled Layer 2 forwarding is not restricted Drops Number of packets dropped because the destination MAC address was not one of the addresses listed under Permit MAC Permit MAC MAC addresses to which clients in the VLAN are allowed to send traffic at Layer 2 110 CHAPTER 5 VLAN COMMANDS Table 24 Output for display security 12 restrict Field Description Hits Number of packets whose source MAC address was a client in this VLAN and whose destination MAC address was one of those listed under Permit MAC See Also Clear security 12 restrict on page 99 Clear security 12 restrict counters on page 100 a set security I2 restrict on page 114 display tunnel Shows the tunnels from the wireless LAN switch where you type the command Syntax display tunnel Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To display all tunnels from a WX switch to other WX switches in the Mobility Domain type the following command WX4400 display tunnel VLAN Local Address Remote Address
170. 4 2005 3Com Corporation All rights build 67 TOP 2005 07 21 04 41 00 4 1 0 67 072105 Mx20 d Ol WX FPGA version 24 version 24 revision 3 750 Revision 3 1 version 1 FPGA version 6 0321300013 4 1 0 14 md0a 3 0 0 20 Fri May 20 17 43 51 PDT 2005 4 10 4 1 0 Serial Versions 0424902948 H W A F W1 5 6 F W2 5 6 S W 4 1 0 67 072105 0432 AP BOOT S W 4 0 3 15 062705 0107 AP Table 106 describes the fields in the display version output Table 106 Output for display version Field Description Build Information Factory timestamp of the image file Label Software version and build date Build Suffix Build suffix Model Build model 578 CHAPTER 20 FILE MANAGEMENT COMMANDS Table 106 Output for display version continued Field Description Hardware Version information for the WX switch s motherboard and Power over Ethernet PoE board Serial number Serial number of the WX switch Flash Flash memory version Kernel Kernel version BootLoader Boot code version Port DAP Port number connected to a MAP access point AP Model MAP model number Serial MAP serial number Versions MAP hardware firmware and software versions See Also display boot on page 573 load config AN Loads configuration commands from a file and replaces the WX switch s running configuration with the commands in the loaded file CAUTION
171. 4 1 Usage You must have generated a self signed certificate or obtained a certificate from a certificate authority before displaying information about the certificate Examples To display information about a cryptographic certificate type the following command WX4400 display crypto certificate eap Table 84 describes the fields of the display display crypto key ssh 483 Table 84 crypto certificate Output Fields Description Version Version of the X 509 certificate Serial Number A unique identifier for the certificate or signature Subject Name of the certificate owner Signature Algorithm Algorithm that created the signature such as RSA MD5 or RSA SHA Issuer Certificate authority that issued the certificate or signature Validity Time period for which the certificate is valid See Also crypto generate self signed on page 476 display crypto ca certificate on page 481 display crypto key ssh Displays SSH authentication key information This command displays the checksum also called a fingerprint of the public SSH authentication key When you connect to the WX switch with an SSH client you can compare the SSH key checksum displayed by the WX switch with the one displayed by the client to verify that you really are connected to the WX switch and not another device Generally SSH clients remember the encryption key after the first connection so you need to check the key only once
172. 43 set system contact on page 55 set system name on page 60 set system name Changes the name of the WX switch from the default system name and also provides content for the CLI prompt if you do not specify a prompt Syntax set system name string string Alphanumeric string up to 256 characters long with no blank spaces Use a unique name for each WX switch Defaults By default the system name and command prompt have the same value The factory default for both is the model number WX7200 for the 3Com Wireless LAN Switch WX1200 WxX4400 for the 3Com Wireless LAN Controller WX4400 Access Enabled History Introduced in MSS Version 3 0 Usage Entering set system name with no string resets the system name to the factory default To view the system name string type the display system command Examples The following example sets the system name to a name that identifies the WX switch WX4400 set system name WxX bldg3 success change accepted WX bldg3 set system name 61 See Also clear system on page 40 display system on page 43 set prompt on page 54 set system contact on page 55 set system location on page 59 62 CHAPTER 3 SYSTEM SERVICE COMMANDS PORT COMMANDS Use port commands to configure and manage individual ports and load sharing port groups Commands by Usage This chapter presents port commands alphabetically Use Table 9 to locate commands in this cha
173. 5 Clear dot1x reauth max on page 503 set dot1x reauth period 515 set dot1x reauth period Sets the number of seconds that must elapse before the WX switch attempts reauthentication Syntax set dotlx reauth period seconds seconds Specify a value between 60 1 minute and 1 641 600 19 days Defaults The default is 3600 seconds 1 hour Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the number of seconds to 100 before reauthentication is attempted WX4400 set dotlx reauth period 100 success dotlx auth server timeout set to 100 See Also display dot1x on page 505 Clear dot1x reauth period on page 503 set dot1x timeout auth server Sets the number of seconds that must elapse before the WX switch times out a request to a RADIUS authentication server Syntax set dotlx timeout auth server seconds seconds Specify a value between 1 and 65 535 Defaults The default is 30 seconds Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the authentication server timeout to 60 seconds WX4400 set dotlx timeout auth server 60 success dotlx auth server timeout set to 60 516 CHAPTER 17 802 1X MANAGEMENT COMMANDS See Also display dot1x on page 505 Clear dot1x timeout auth server on page 504 set dot1x timeout supplicant Sets the number of sec
174. 5 21 18 20 50 set vlan 1 port 1 See Also load config on page 578 save config on page 584 display version Displays software and hardware version information for an WX switch and optionally for any attached MAP access points Syntax display version details details Includes additional software build information and information about the MAP access points configured on the WX switch Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays version information for a WX switch WX1200 display version Mobility System Software Version 4 1 0 QA 67 Copyright c 2002 2003 2004 2005 3Com Corporation All rights reserved Build Information build 67 TOP 2005 07 21 04 41 00 Model WX Hardware Mainboard version 24 revision 3 FPGA version 24 PoE board version 1 FPGA version 6 Serial number 0321300013 Flash Kernel BootLoader display version 577 4 1 0 14 md0a 3 0 0 20 Fri May 20 17 43 51 PDT 2005 4 10 4 1 0 The following command displays additional software build information and MAP access point information WX1200 display version details Mobility System Software c 2002 Copyright reserved Build Information Label Build Suffix Model Hardware Mainboard CPU Model PoE board Serial number Flash Kernel BootLoader Port DAP AP Model MP 352 Version 4 1 0 QA 67 2003 200
175. 54 The MSS CLI uses standard syntax notation a Bold monospace font identifies the command and keywords you must type For example set enablepass a Italics indicate a placeholder for a value For example you replace vian id in the following command with a virtual LAN VLAN ID clear interface vlan id ip a Curly brackets indicate a mandatory parameter and square brackets indicate an optional parameter For example you must enter dynamic or port and a port list in the following command but a VLAN ID is optional clear fdb dynamic port port list vlan vlan id Text Entry Conventions and Allowed Characters MAC Address Notation CLI Conventions 25 A vertical bar separates mutually exclusive options within a list of possibilities For example you enter either enable or disable not both in the following command set port enable disable port list Unless otherwise indicated the MSS CLI accepts standard ASCII alphanumeric characters except for tabs and spaces and is case insensitive The CLI has specific notation requirements for MAC addresses IP addresses and masks and allows you to group usernames MAC addresses virtual LAN VLAN names and ports in a single command 3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists ACLs For example do not configure two separate VLANs with the names red and RED The CLI does n
176. 5z2kfjBbV FObOMyC5S7K htsw7T4SwmCij55qfUHxsRelggYcw6vJtr57jI7wF SMd8C50NcbJLF1InYC9OKkB hW 5gDPAOZdOnnr591XKz3Z2zyvyrktv00rcld8Fo2RtTQ3AOTICUZQGIVelO85GXIT o END CERTIFICATE REQUEST See Also crypto certificate on page 471 crypto generate key on page 473 crypto generate self signed Generates a self signed certificate for either an administrative certificate for use with 3WXM or an EAP certificate for use with 802 1X wireless users Syntax crypto generate self signed admin eap web admin Generates an administrative certificate to authenticate the WX switch to 3WXM or Web Manager eap Generates an EAP certificate to authenticate the WX switch to 802 1X supplicants clients web Generates a WebAAA certificate to authenticate the WX switch to WebAAA clients After you type the command you are prompted for the following variables Country Name string Optional Specify the abbreviation for the country in which the WX switch is operating in 2 alohanumeric characters with no spaces State Name string Optional Specify the abbreviation for the name of the state in 2 alphanumeric characters with no spaces Locality Name string Optional Specify the name of the locality in up to 80 alphanumeric characters with no spaces Organizational Name string Optional Specify the name of the organization in up to 80 a
177. 63 Kbytes free Boot Filename Size Created boot0 mx040100 020 9780 KB Aug 23 2005 15 54 08 boot1l mx040100 020 9796 KB Aug 28 2005 21 09 56 Boot0O Total 9780 Kbytes used 2460 Kbytes free Bootl Total 9796 Kbytes used 2464 Kbytes free temporary files Filename Size Created core command audit cur 37 bytes Aug 28 2005 21 11 41 Total 37 bytes used 91707 Kbytes free The following command displays the files in the old subdirectory WX4400 dir old file Filename Size Created file configuration txt 3541 bytes Sep 22 2003 22 55 44 file configuration xml 24 KB Sep 22 2003 22 55 44 Total 27 Kbytes used 207824 Kbytes free 572 CHAPTER 20 FILE MANAGEMENT COMMANDS The following command limits the output to the contents of the user files area WX4400 dir file file Filename Size Created file configuration 48 KB Jal r2 2005 154023 32 file corp2 corp2cnfig 17 KB ar 14 2005 22 20 04 corp_a 512 bytes ay 21 2004 19 15 48 file dangcfg 14 KB ar 14 2005 22 20 04 dangdir 512 bytes ay 16 2004 17 23 44 file pubsconfig april062005 40 KB ay 09 2005 21 08 30 file sysa_bak 12 KB ae 15 2005 9 18 44 file testback 28 KB Apr 19 2005 6 37 18 Total 159 Kbytes used 207663 Kbytes free The following command limits the output to the contents of the tmp core subdirectory WX4400 dir core file Filename Size Created core command_ audit cur 37 bytes Aug 28 2005 21 11 41 Total 37 bytes used 91707 Kbytes fre
178. 7 ssid ssid name Displays all network sessions for an SSID vlan vlan glob Displays all network sessions on a single VLAN or a set of VLANs Specify a VLAN name use the double asterisk wildcard character to specify all VLAN names or use the single asterisk wildcard character to specify a set of VLAN names up to or following the first delimiter character either an at sign or a period For details see VLAN Globs on page 28 session id local session id Displays the specified network session To find local session IDs use the display sessions command The verbose option is not available with this form of the display sessions network command wired Displays all network sessions on wired authentication ports verbose Provides detailed output for all network sessions or ones displayed by username MAC address or VLAN name Defaults None Access All 526 CHAPTER 18 SESSION MANAGEMENT COMMANDS History Introduced in MSS Version 3 0 Output added to the display network sessions verbose command to indicate the user s authorization attributes and whether they were supplied through AAA or through configured SSID defaults in a service profile in MSS Version 4 1 Usage MSS displays information about network sessions in three types of displays See the following tables for field descriptions Summary display See Table 91 on page 528 Verbose display See Table 92 o
179. 7 clear port type 68 display port counters 69 display port group 70 display port poe 71 display port preference 72 display port status 73 display port media type 75 monitor port counters 76 reset port 81 setdap 81 set port 83 set port group 84 set port media type 85 set portname 86 set port negotiation 86 set port poe 87 set port preference 88 set port speed 89 set port trap 90 set port typeap 91 set port type wired auth 94 VLAN COMMANDS Commands by usage 97 clear fdo 98 clear security 12 restrict 99 clear security 12 restrict counters 100 clear vlan 101 display fdo 102 display fdb agingtime 104 display fdb count 105 display roaming station 106 display roaming vlan 108 display security 12 restrict 109 display tunnel 110 display vlan config 111 setfdb 113 set fdb agingtime 114 set security I2 restrict 114 set vlan name 116 set vlan port 117 set vlan tunnel affinity 118 QUALITY OF SERVICE COMMANDS Commands by Usage 119 clear qos 120 set gos cos to dscp map 121 set gos dscp to cos map 122 display qos 123 display qos dscp table 124 IP SERVICES COMMANDS Commands by Usage 125 clear interface 127 clear ip alias 128 clear ip dns domain 129 clear ip dns server 129 clear ip route 130 clear ip telnet 131 clear ntp server 131 clear ntp update interval 132 clear snmp community 133 clear snmp notify profile 133 clear snmp notify target 134 clear snmp usm 134 clear summe
180. 9 Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage High bias is preferred over low bias Bias applies only to WX switches that are indirectly attached to the MAP through an intermediate Layer 2 or Layer 3 network A MAP always attempts to boot on MAP port 1 first and if an WX switch is directly attached on MAP port 1 the MAP always boots from it If MAP port 1 is indirectly connected to WX switches through the network the MAP boots from the switch with the high bias for the MAP If the bias for all connections is the same the MAP selects the switch that has the greatest capacity to add more active MAPs For example if a MAP is dual homed to two WX4400 wireless LAN switches and one of the switches has 50 active MAPs while the other switch has 60 active MAPs the new MAP selects the switch that has only 50 active MAPs If the boot request on MAP port 1 fails the MAP attempts to boot over its port 2 using the same process described above MAP selection of a WX switch is sticky After a MAP selects a WX switch to boot from the MAP continues to use that switch for its active data link even if another switch configured with high bias for the MAP becomes available Examples The following command changes the bias for a Distributed MAP to low WxX4400 set dap 1 bias low success change accepted See Also display ap dap config on
181. 9 display rfdetect mobility domain Output Field Description BSSID MAC address of the SSID used by the detected device Vendor Company that manufactures or sells the rogue device Type Classification of the rogue device rogue Wireless device that is not supposed to be on the network The device has an entry in a WX switch s FDB and is therefore on the network a intfr Wireless device that is not part of your network but is not a rogue The device does not have an entry in a WX switch s FDB and is not actually on the network but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Flags Classification and encryption information for the rogue Thei a or u flag indicates the classification The other flags indicate the encryption used by the rogue For flag definitions see the key in the command output SSID SSID used by the detected device Table 100 display rfdetect mobility domain ssid or bssid Output Field Description BSSID MAC address of the SSID used by the detected device Vendor Company that manufactures or sells the rogue device SSID SSID used by the detected device Type Classification of the rogue device rogue Wireless device that is on the network but is not supposed to be on the network a intfr Wireless device that is not part of your network and is not a rogue but might be caus
182. A clients cipher tkip enable When the WPA IE is enabled uses Temporal Key Integrity Protocol TKIP to encrypt traffic sent to WPA clients cipher wep 104 disable Does not use Wired Equivalent Privacy WEP with 104 bit keys to encrypt traffic sent to WPA clients cipher wep40 disable Does not use WEP with 40 bit keys to encrypt traffic sent to WPA clients psk phrase No passphrase Uses dynamically generated keys rather defined han statically configured keys to authenticate WPA clients psk raw No preshared Uses dynamically generated keys rather key defined han statically configured keys to authenticate WPA clients rsn ie disable Does not use the RSN IE in transmitted rames shared key auth disable Does not use shared key authentication This parameter does not enable PSK authentication for WPA To enable PSK encryption for WPA use the set radio profile auth psk command ssid name private Uses the SSID name private ssid type crypto Encrypts wireless traffic for the SSID tkip mc time 60000 Uses Michael countermeasures for 60 000 ms 60 seconds following detection of a second MIC failure within 60 seconds 368 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 67 Defaults for Service Profile Parameters continued Radio Behavior When Parameter Set Parameter Default Value to Default Value web aaa form Not configured For WebAAA users serves the default login web page or if configured the SSID specific login web
183. AAA for third party AP users has additional configuration requirements See the Configuring AAA for Users of Third Party APs section in the Configuring AAA for Network Users chapter of the Wireless LAN Switch and Controller Configuration Guide Enter a separate command for each SSID and its tag value you want the WX to support 494 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS Examples The following command maps SSID mycorp to packets received on port 3 or 4 using 802 1Q tag value 104 WX4400 set radius proxy port 3 4 tag 104 ssid mycorp success change accepted See Also Clear radius proxy port on page 488 set authentication proxy on page 241 set radius proxy client on page 492 set radius server Configures RADIUS servers and their parameters By default the WX switch automatically sets all these values except the password key Syntax set radius server server name address ip address auth port port number acct port port number timeout seconds retransmit number deadtime minutes key string author password password a server name Unique name for this RADIUS server Enter an alphanumeric string of up to 32 characters with no blanks address ip address P address of the RADIUS server Enter the address in dotted decimal notation a auth port port number UDP port that the WX switch uses for authentication and authorization acct port port number UDP port tha
184. AC Port Radio Chan RSSI SSID 11 22 33 44 55 66 dap 2 1 11 53 rogue ssid See Also Clear rfdetect attack list on page 534 set rfdetect attack list on page 554 display rfdetect black list Displays information abut the clients in the client black list Syntax display rfdetect black list Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following example shows the client black list on WX switch WX1200 display rfdetect black list Total number of entries 1 Blacklist MAC Type Port TTL 11 22 33 44 55 66 configured 11 23 34 45 56 67 assoc req flood 3 25 See Also Clear rfdetect black list on page 535 set rfdetect black list on page 555 display rfdetect clients 539 display rfdetect Displays the wireless clients detected by a WX switch clients Syntax display rfdetect clients mac mac addr mac mac addr Displays detailed information for a specific client Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command shows information about all wireless clients detected by a WX switch s MAPs WX4400 display rfdetect clients Total number of entries 30 Client MAC Client AP MAC AP Port Radio NoL Type Last Vendor Vendor Channel seen 00 03 7f bf 16 70 Unknown Unknown dap 1 1 6 1 intfr 207 00 04 23 77 e6 e5 Intel Unknown dap 1 1 2 1 intfr 155 00 05 5d 79 ce 0f D Link Unknown dap 1 1 149
185. ACL to the specified virtual port or ports dap dap num One or more Distributed MAPs based on their connection IDs Specify a single connection ID or specify a comma separated list of connection IDs a hyphen separated range or any combination with no spaces MSS assigns the security ACL to the specified Distributed MAPs in Assigns the security ACL to traffic coming into the WX switch out Assigns the security ACL to traffic coming from the WX switch Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Before you can map a security ACL you must use the commit security acl command to save the ACL in the running configuration and nonvolatile storage For best results map only one input security ACL and one output security ACL to each VLAN physical port virtual port or Distributed MAP to filter a flow of packets If more than one security ACL filters the same traffic MSS applies only the first ACL match and ignores any other matches Examples The following command maps security ACL acl_133 to port 4 for incoming packets WxX4400 set security acl map acl_133 port 4 in success change accepted 466 CHAPTER 14 SECURITY ACL COMMANDS See Also a Clear security acl map on page 447 commit security acl on page 449 set mac user attr on page 249 set mac usergroup attr on page 254 set security acl on page 459 set user attr on page 259 set usergrou
186. Clears IGMP statistics counters on one VLAN or all VLANs on a wireless LAN switch and resets them to 0 Syntax clear igmp statistics vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN IGMP statistics are cleared for all VLANs Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears IGMP statistics for all VLANs WX1200 clear igmp statistics IGMP statistics cleared for all vlans See Also display igmp statistics on page 431 display igmp Displays IGMP configuration information and statistics Syntax display igmp vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays IGMP information for all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays IGMP information for VLAN orange WX1200 display igmp vlan orange VLAN orange IGMP is enabled Proxy reporting is on Mrouter solicitation is on Querier functionality is off Configuration values qi 125 oqi 300 qri 100 Ilmqi 10 rvalue 2 Multicast display igmp 423 router information Port Mrouter IPaddr Mrouter MAC Type TTL 1 192 28 7 5 00 01 02 03 04 05 dvmrp 17 Group Port Receiver IP Receiver MAC TTL 224 0 0 2 none none none undef 2372 e250 42 994295 5 10 10 10 11 00 02 04 06 08 0b 258 5 10 10 10 13 00 02 04 06 08 0d 258 5 10 10
187. Drop 0 LastPktRxSigStrength 54 MultiBytDrop 0 LastPktSigNoiseRatio 40 User Sessions 5 TKIP Pkt Transfer Ct 0 MIC Error Ct 0 TKIP Pkt Replays 0 TKIP Decrypt Err 0 CCMP Pkt Decrypt Err 0 CCMP Pkt Replays 0 CCMP Pkt Transfer Ct 0 RadioResets 0 Radio Recv Phy Err Ct 0 Transmit Retries 60501 Radio Adjusted Tx Pwr 15 Noise Floor 93 802 3 Packet Tx Ct 0 802 3 Packet Rx Ct 0 No Receive Descriptor 0 TxUniPkt TxUniByte RxPkt RxByte UndcrptPkt TxMultiPkt TxMultiByte UndcrptByte PhyError 1 0 164492 O0 9631741 0 405041 8913512 0 0 13963 2 00 603 0 248716 0 191103 4608065 0 0 30547 5 5 370594 52742 27616521 4445625 2427 133217 0 0 723 6 0 0 0 0 0 0 0 0 0 5I 9 0 0 0 0 0 1 172 0 0 53 11 0 8016 0 2590353 0 85479 3897587 0 0r 1195 12 508 0 0 0 0 0 0 0 0 26 18 0 0 0 0 0 0 0 0 0 38 24 0 0 0 0 0 0 0 0 0 47 36 0 0 0 0 0 0 0 0 0 1 48 0 0 0 0 0 1 68 0 0 29 54 0 0 0 0 0 0 0 0 0 5 TOTL 543705 52742 40087331 4445625 684050 17552381 0 0 46441 295 296 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 52 describes the fields in this display Table 52 Output for display ap counters Field Description DAP Distributed MAP number Port WX port number if the MAP is directly connected to the WX and the WX port is configured as a MAP access point radio Radio number LastPktXferRate NumCntInPwrSave Data transmit rate in Mbps of the last packet received by the MAP access point Number of clients cu
188. EE X management commands to modify the default settings for IEEE 802 1X sessions on an WX switch For best results change the settings only if you are aware of a problem with the WX switch s 802 1X performance CAUTION 802 1X parameter settings are global for all SSIDs configured on the switch Commands by Usage This chapter presents 802 1X commands alphabetically Use Table 86 to locate commands in this chapter based on their use For information about configuring 802 1X commands for user authentication see AAA Commands on page 201 Table 86 802 1X Commands by Usage Type Command Wired Authentication Port set dot1x port control on page 512 Control clear dot1x port control on page 501 set dot1x authcontrol on page 508 Keys set dot1x key tx on page 510 set dot1x tx period on page 516 clear dot1x tx period on page 505 set dot1x wep rekey on page 517 set dot1x wep rekey period on page 518 Bonded Authentication clear dot1x bonded period on page 500 set dot1x bonded period on page 509 Reauthentication set dot1x reauth on page 513 set dot1x reauth max on page 514 500 CHAPTER 17 802 1X MANAGEMENT COMMANDS Table 86 802 1X Commands by Usage continued Type Command Reauthentication cont clear dot1x reauth max on page 503 set dot1x reauth period on page 515 clear dot1x reauth period on page 503 Retransmission set dot1x max req on page 511
189. HCP server WX1200 display dhcp server VLAN Name Address MAC Lease Remaining sec 1 default 10 10 20 2 00 01 02 03 04 05 12345 1 default 10 10 20 3 00 01 03 04 06 07 2103 2 red vlan 192 168 1 5 00 01 03 04 06 08 102 2 red vlan 192 168 1 7 00 01 03 04 06 09 16789 The following command displays configuration and status information for each VLAN on which the DHCP server is configured WX1200 display dhcp server verbose Interface 0O Direct AP Status UP Address Range 10 0 0 1 104 0 0 253 Interface default 1 Status UP Address Range 10 10 20 2 10 10 20 254 DHCP Clients Hardware Address 00 01 02 03 04 05 State BOUND Lease Allocation 43200 seconds Lease Remaining 12345 seconds IP Address 10 10 20 2 Subnet Mask 2959523925970 display dhcp server 141 Default Gateway 10 10 20 1 DNS Servers 10 10 20 4 10 10 20 5 DNS Domain Name mycorp com Table 31 and Table 32 describe the fields in these displays Table 31 Output for display dhcp server Field Description VLAN VLAN number Name VLAN name Address IP address leased by the server MAC Address MAC address of the device that holds the least for the address Lease Remaining Number of seconds remaining before the address lease expires Table 32 Output for display dhcp server verbose Field Description Interface VLAN name and number Status Status of the interface UP a DOWN Address Range Hardware Address R
190. History Introduced in MSS Version 3 0 Usage After typing the set enablepass command press Enter If you are entering the first enable password on this WX switch press Enter at the Enter old password prompt Otherwise type the old password Then type a password of up to 32 alphanumeric characters with no spaces and reenter it at the Retype new password prompt CAUTION Be sure to use a password that you will remember If you lose the enable password the only way to restore it causes the system to return to its default settings and wipes out the configuration Examples The following example illustrates the prompts that the system displays when the enable password is changed The passwords you enter are not displayed WX1200 set enablepass Enter old password old password Enter new password new password Retype new password new password Password changed See Also disable on page 33 enable on page 34 36 CHAPTER 2 ACCESS COMMANDS SYSTEM SERVICE COMMANDS Use system services commands to configure and monitor system information for a WX switch Commands by Usage This chapter presents system service commands alphabetically Use Table 6 to locate commands in this chapter based on their use Table 6 System Services Commands by Usage Type Command Configuration quickstart on page 48 Auto Config set auto config on page 48 Display clear banner motd on page 38 quickstart on page 48 d
191. However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list After you add a device that has been classified as a rogue to the ignore list the device remains classified as a rogue for at least 10 minutes After 10 minutes MSS reclassifies the device as an interfering device set rfdetect log 559 Examples The following command configures MSS to ignore BSSID aa bb cc 17 22 33 during RF scans WX1200 set rfdetect ignore aa bb cc 11 22 33 success MAC aa bb cc 11 22 33 is now ignored See Also Clear rfdetect ignore on page 535 display rfdetect ignore on page 546 set rfdetect log Disables or reenables generation of log messages when rogues are detected or when they disappear Syntax set rfdetect log enable disable enable Enables logging of rogues disable Disables logging of rogues Defaults RF detection logging is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage This command is valid only on the seed switch of the Mobility Domain The log messages for rogues are generated only on the seed and appear only in the seed s log message buffer Use the display log buffer command to display the messages in the seed switch s log message buffer Examples The following command enables RF detection logging for the Mobility Domain managed by this seed switch WX1200 set rfdetect log en
192. IGMP SNOOPING COMMANDS 14 SECURITY ACL COMMANDS Use security ACL commands to configure and monitor security access control lists ACLs Security ACLs filter packets to restrict or permit network usage by certain users or traffic types and can assign to packets a class of service CoS to define the priority of treatment for packet filtering Security ACLs are different from the location policy on a WX switch which helps you locally control user access For location policy commands see AAA Commands on page 201 Security ACL Commands by Usage This chapter presents security ACL commands alphabetically Use Table 80 to locate commands in this chapter based on their use Table 80 Security ACL Commands by Usage Type Command Create Security ACLs set security acl on page 459 display security acl on page 450 display security acl info on page 452 clear security acl on page 446 Commit Security ACLs commit security acl on page 449 rollback security acl on page 458 Map Security ACLs set security acl map on page 464 display security acl map on page 453 clear security acl map on page 447 Monitor Security ACLs display security acl hits on page 451 set security acl hit sample rate on page 466 display security acl resource usage on page 454 446 CHAPTER 14 SECURITY ACL COMMANDS clear security acl Clears a specified security ACL an access control entry ACE or
193. IP address and subnet mask length in CIDR format for example 10 10 10 10 24 gateway IP address DNS hostname or alias of the next hop router Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the route to destination 10 10 10 68 24 through gateway router 10 10 10 1 WX1200 clear ip route 10 10 10 68 24 10 10 10 1 success change accepted See Also a display ip route on page 146 set ip route on page 167 clear ip telnet 131 clear ip telnet Resets the Telnet server s TCP port number to its default value A WX switch listens for Telnet management traffic on the Telnet server port Syntax clear ip telnet Defaults The default Telnet port number is 23 Access Enabled History Introduced in MSS Version 3 0 Examples The following command resets the TCP port number for Telnet management traffic to its default WX4400 clear ip telnet success change accepted See Also display ip https on page 145 display ip telnet on page 148 setip https server on page 167 setip telnet on page 171 setip telnet server on page 172 clear ntp server Removes an NTP server from a WX switch configuration Syntax clear ntp server ip addr all ip addr IP address of the server to remove in dotted decimal notation all Removes all NTP servers from the configuration Defaults None Access
194. Introduced in MSS Version 3 0 Usage To simplify configuration and avoid confusion between a port s number and its name 3Com recommends that you do not use numbers as port names Examples The following command sets the name of port 7 to adminpool WX1200 set port 7 name adminpool success change accepted See Also Clear port name on page 66 display port status on page 73 set port negotiation Disables or reenables autonegotiation on gigabit Ethernet or 10 100 Ethernet ports Syntax set port negotiation port list enable disable a port list List of physical ports MSS disables or reenables autonegotiation on all the specified ports enable Enables autonegotiation on the specified ports disable Disables autonegotiation on the specified ports Defaults Autonegotiation is enabled on all Ethernet ports by default setport poe 87 Access Enabled History Introduced in MSS Version 3 0 Usage WX1200 10 100 Ethernet ports support half duplex and full duplex operation Examples The following command disables autonegotiation on ports 3 and 5 WX1200 set port negotiation 3 5 disable The following command enables autonegotiation on port 2 WX1200 set port negotiation 2 enable set port poe AN Enables or disables Power over Ethernet PoE on ports connected to MAP access points CAUTION When you set the port type for MAP use you can enable PoE on the p
195. Introduced in MSS Version 3 0 display aaa 219 Examples The following command removes the members of the user group cardiology from a network access time restriction by deleting the Time Of Day attribute from the group WX4400 clear usergroup cardiology attr time of day success change accepted See Also Clear usergroup on page 217 display aaa on page 219 set usergroup on page 261 display aaa Displays all current AAA settings Syntax display aaa Defaults None Access Enabled History Introduced in MSS Version 3 0 Web Portal section added to indicate the state of the WebAAA feature in MSS Version 4 0 Examples To display all current AAA settings type the following command WX4400 display aaa Default Values authport 1812 acctport 1813 timeout 5 acct timeout 5 retrans 3 deadtime 0 key null author pass null Radius Servers Server Addr Ports T o Tries Dead State rs 3 198 162 1 1 1821 1813 5 3 0 UP rs 4 198 168 1 2 1821 1813 77 LI 2 UP rs 5 198 162 1323 1821 1813 42 23 0 UP Server groups sgl rs 3 sg2 rs 4 sg3it rs 5 Web Portal enabled 220 set aut set aut set aut set aut set aut set aut set set set aut hentication hentication hentication hentication hentication hentication CHAPTER 8 AAA COMMANDS admin Jose sg3 console none mac ssid mycorp local dotlx ssid mycorp Geetha eap tls dotlx ssid mycorp peap mschapv2 sgl sg2 sg3 dotlx
196. LAN Port Number of the physical port through which the WX can reach the router Mrouter IPaddr IP address of the multicast router Mrouter MAC MAC address of the multicast router Type How the WX learned that the port is a multicast router port conf Static multicast port configured by an administrator a madv Multicast advertisement a quer IGMP query a dvmrp Distance Vector Multicast Routing Protocol DVMRP a pimv1 Protocol Independent Multicast PIM version 1 a pimv2 PIM version 2 TIL Number of seconds before this entry ages out if unused For static multicast router entries the TTL value is undef Static multicast router entries do not age out See Also display igmp mrouter on page 426 set igmp mrouter on page 435 display igmp querier Shows information about the active multicast querier on one VLAN or all VLANs Queriers are listed separately for each VLAN Each VLAN can have only one querier Syntax display igmp querier vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays querier information for all VLANs Defaults None Access Enabled 428 CHAPTER 13 IGMP SNOOPING COMMANDS History Introduced in MSS Version 3 0 Examples The following command displays querier information for VLAN orange WX1200 display igmp querier vlan orange Querier for vlan orange Port Querier IP Querier
197. MAC TTL 1 193 122 135 178 00 0b cc d2 e9 b4 23 The following command shows the information MSS displays when the querier is the WX itself WX1200 display igmp querier vlan default Querier for vlan default I am the querier for vlan default time to next query is 20 The output indicates how many seconds remain before the pseudo querier on the WX switch broadcasts the next general query report to IP address 224 0 0 1 the multicast all systems group If IGMP snooping does not detect a querier the output indicates this finding as shown in the following example WX1200 display igmp querier vlan red Querier for vlan red There is no querier present on vlan red This condition does not necessarily indicate a problem For example election of the querier might be in progress Table 77 describes the fields in this display Table 76 on page 427 describes the fields in the display when a querier other than the WX is present Table 77 Output for display igmp mrouter Field Description Querier for vlan VLAN containing the querier Information is listed separately for each VLAN Querier IP IP address of the querier interface Querier MAC MAC address of the querier interface TTL Number of seconds before this entry ages out if the WX does not receive a query message from the querier display igmp receiver table 429 See Also set igmp querier on page 441 display igmp receiver table Displays the receivers t
198. MAC address is also used as the BSSID of the first SSID configured on the radio New option added terse new option added for display dap status all new field added fingerprint MAP WX security status added to State field in MSS Version 4 0 External antenna information added after the radio state information to indicate when an antenna has been detected and to indicate the configured antenna model number auto flag added to indicate operational channel or power settings that are configured by RF Auto Tuning in MSS Version 4 1 display ap dap status 305 Examples The following command displays the status of a Distributed MAP WX4400 display dap status 1 Dap 1 IP addr 10 2 34 56 vlan vlan corp MAP model AP2750 manufacturer 3Com name DAPO1 fingerprint b4 9 2a 52 37 58 4 d0 10 75 43 2f 45 09 52 c3 State operational CPU info IBM PPC speed 266666664 Hz version 405GPr id 0x28f10158a47f0408 ram 33554432 s n 0332600444 hw_rev A3 Uptime 21 hours 27 minutes 51 seconds Radio 1 type 802 1llg state configure succeed Enabled operational channel 64 operational power 14 base mac 00 0b 0e 00 d2 cl bssidl 00 0b 0e 00 d2 94 ssid private The following command displays the status of a directly connected MAP WX1200 display ap status 1 Port 1 AP model AP2750 manufacturer 3Com name MAPO1 State operational CPU info IBM PPC speed 266666664 Hz version 405GPr id 0x28b08ale047f1d0f ram
199. MANDS Examples The following command shows octet statistics for port 3 WX1200 gt display port counters octets port 3 Pert Status Rx Octets Tx Octets 3 Up 27965420 34886544 This command s output has the same fields as the monitor port counters command For descriptions of the fields see Table 17 on page 78 See Also Clear port counters on page 65 a monitor port counters on page 76 display port group Shows port group information Syntax display port group all name group name all Shows information for all port groups name group name Shows information for the specified port group Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays the configuration of port group server2 WX1200 display port group name server2 Port group server2 is up Ports Syo Table 11 describes the fields in the display port group output Table 11 Output for display port group Field Description Port group Name and state enabled or disabled of the port group Ports Ports contained in the port group display port poe 71 See Also Clear port group on page 65 set port group on page 84 display port poe Displays status information for ports on which Power over Ethernet PoE is enabled Syntax display port poe port list a port list List of physical ports If you do not specify a port list
200. MSS Version 3 0 Usage This command has no effect if the WX switch is not configured as part of a Mobility Domain Examples To clear a Mobility Domain from a WX switch within the domain type the following command WX1200 clear mobility domain success change accepted See Also Clear mobility domain member on page 266 set mobility domain member on page 269 set mobility domain mode member seed ip on page 270 set mobility domain mode seed domain name on page 271 clear mobility domain member On the seed WX switch removes the identified member from the Mobility Domain Syntax clear mobility domain member ip addr ip addr IP address of the Mobility Domain member in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 display mobility domain config 267 Usage This command has no effect if the WX switch member is not configured as part of a Mobility Domain or the current WX switch is not the seed Examples The following command clears a Mobility Domain member with the IP address 192 168 0 1 WX1200 clear mobility domain member 192 168 0 1 See Also set mobility domain member on page 269 display mobility domain config Displays the configuration of the Mobility Domain Syntax display mobility domain config Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The foll
201. Mobility Domain for roaming and for accessing a sample network plan in 3WXM for advanced configuration and management Documentation Comments 21 Wireless LAN Switch Manager Reference Manual This manual shows you how to plan configure deploy and manage a Mobility System wireless LAN WLAN using the 3Com Wireless LAN Switch Manager 3WXM Wireless LAN Switch Manager User s Guide This manual shows you how to plan configure deploy and manage the entire WLAN with the 3WXM tool suite Read this guide to learn how to plan wireless services how to configure and deploy 3Com equipment to provide those services and how to optimize and manage your WLAN a Wireless LAN Switch and Controller Hardware Installation Guide This guide provides instructions and specifications for installing a WX wireless switch in a Mobility System WLAN a Wireless LAN Switch and Controller Configuration Guide This guide provides instructions for configuring and managing the system through the Mobility System Software MSS CLI a Wireless LAN Switch and Controller Command Reference This reference provides syntax information for all MSS commands supported on WX switches Documentation Comments Your suggestions are very important to us They will help make our documentation more useful to you Please e mail comments about this document to 3Com at pddtechpubs_comments 3com com Please include the following information when contacting us a Do
202. N mp 37 JP mp 620 MAP access point model poe enable disable Power over Ethernet PoE state xadiotype 11a 11b 11g Radio type 11a 802 11a 11b 802 11b 11g 802 11g This option does not apply to single radio models Defaults All WX ports are network ports by default 92 CHAPTER 4 PORT COMMANDS MAP access point models AP2750 MP 241 and MP 341 have a single radio that can be configured for 802 11a or 802 11b g Other MAP models have two radios On two radio models one radio is always 802 11a The other radio is 802 11b g but can be configured for 802 11b or 802 1 1g exclusively If the country of operation specified by the set system countrycode command does not allow 802 119 the default is 802 11b MAP radios configured for 802 11g also allow associations from 802 1 1b clients by default To disable support for 802 11b associations use the set radio profile 11g only command on the radio profile that contains the radio The radios in models MP 620 require external antennas and model MP 262 requires an external antenna for the 802 11b g radio The following models have internal antennas but also have connectors for optional use of external antennas instead AP2750 AP3750 AP7250 AP8250 AP8750 MP 372 MP 372 CN and MP 372 JP Antenna support on a specific model is limited to the antennas certified for use with that model To specify the antenna model use the set ap dap
203. Network Domain seed configuration from the WX switch member Clears the Network Domain member configuration from the WX switch Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as part of a Network Domain Examples The following command clears the Network Domain member configuration from the WX switch WX1200 clear network domain mode member success change accepted The following command clears the Network Domain seed configuration from the WX switch WX1200 clear network domain mode seed success change accepted See Also set network domain mode member seed ip on page 280 set network domain mode seed domain name on page 282 276 CHAPTER 10 NETWORK DOMAIN COMMANDS clear network domain peer Removes the configuration of a Network Domain peer from a WX switch configured as a Network Domain seed Syntax clear network domain peer ip addr all ip addr IP address of the Network Domain peer in dotted decimal notation all Clears the Network Domain peer configuration for all peers from the WX switch Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as a Network Domain seed Examples The following command clears the Network Domain peer configuration for peer 192 168 9 254 from the W
204. OMMANDS Network Domain Commands by Usage 273 clear network domain 274 clear network domain mode 275 clear network domain peer 276 11 clear network domain seed ip 277 display network domain 278 set network domain mode member seed ip 280 set network domain peer 281 set network domain mode seed domain name 282 MANAGED ACCESS POINT COMMANDS MAP Access Point Commands by Usage 283 clear ap dap radio 286 clear radio profile 288 clear service profile 289 display ap dap config 290 display ap dap counters 294 display ap dap gos stats 300 display ap dap etherstats 301 display ap dap group 303 display ap dap status 304 display auto tune attributes 309 display auto tune neighbors 311 display dap connection 313 display dap global 314 display dap unconfigured 316 display radio profile 317 display service profile 321 reset ap dap 324 set dap auto 325 set dap auto radiotype 326 set dap auto mode 327 set ap dap bias 328 set ap dap blink 330 set dap fingerprint 331 set ap dap group 332 set ap dap name 333 set ap dap radio antennatype 334 set ap dap radio auto tune max power 335 set ap dap radio auto tune max retransmissions 337 set ap dap radio channel 339 ee a set ap dap set ap dap set ap dap set ap dap set dap securi set ap dap set radio prof set radio prof set radio pro set radio pro set radio pro set radi
205. Oper Config Actual Type Media 1 1 up up auto 100 full network 10 100BaseT 24 2 up up auto 100 full ap 10 100BaseTx 3 3 up up auto 100 full network 10 100BaseTx 4 4 up down auto network 10 100BaseT SEES up down auto network 10 100BaseT 6 6 up down auto network 10 100BaseT oh up down auto network 10 100BaseT 8 8 up down auto network 10 100BaseT Table 14 describes the fields in this display Table 14 Output for display port status Field Description Port Port number Name Port name If the port does not have a name the port number is listed Admin Administrative status of the port up The port is enabled a down The port is disabled Oper Operational status of the port up The port is operational down The port is not operational Config Port speed configured on the port 10 10 Mbps 100 100 Mbps 1000 1000 Mbps auto The port sets its own speed Actual Speed and operating mode in effect on the port Type Port type ap MAP access point port a network Network port wa Wired authentication port display port media type 75 Table 14 Output for display port status continued Field Description Media Link type 10 100BaseTX 10 100BASE T GBIC 1000BASE SX or 1000BASE LX GBIC 1000BaseT 1000BASE T No connector GBIC slot is empty See Also Clear port type on page 68 set port on pag
206. P 1 WX4400 clear dap 1 This will clear specified DAP devices Would you like to continue y n nly See Also set dap on page 81 set port type ap on page 91 clear port counters 65 clear port counters Clears port statistics counters and resets them to 0 Syntax clear port counters Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears all port statistics counters and resets them to 0 WX4400 clear port counters success cleared port counters See Also display port counters on page 69 monitor port counters on page 76 clear port group Removes a port group Syntax clear port group name name name name Name of the port group Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears port group server1 WX4400 clear port group name serverl success change accepted See Also set port group on page 84 display port group on page 70 66 CHAPTER 4 PORT COMMANDS clear port media type Disables the copper interface and reenables the fiber interface on an WX4400 gigabit Ethernet port Syntax clear port media type port list a port list List of physical ports MSS disables the copper interface and reenables the fiber interface on all the specified ports Defaults The GBIC fiber interface is enabled and the copper interf
207. PDU s received port VLAN 21825 43649 tcn BPDU s xmitted port VLAN o 0 tcn BPDU s received port VLAN 2 2 forward transition count port VLAN 1 1 scp failure count 0 root inc trans count port VLAN 1 1 inhibit loopguard FALSE loop inc trans count o 0 Status of Port Timers forward delay timer INACTIVE forward delay timer value 15 message age timer ACTIVE message age timer valu 0 topology change timer INACTIVE topology change timer value hold timer hold timer value delay root port timer delay root port timer value delay root port timer restarted is display spantree statistics 405 INACTIVE INACTIVE FALSI m VLAN based information amp statistics spanning tree type spanning tree multicast address bridge priority bridge MAC address bridge hello time bridge forward delay topology change initiator last topology change occured topology change topology change time topology change detected topology change count topology change last recvd from Other port specific info dynamic max age transition port BPDU ok count msg age expiry count link loading BPDU in processing num of similar BPDU s to process received inferior bpdu next state src MAC count total src MAC count curr src mac next_src_mac ieee 01 00 0c cc cc cd 32768 00 Ob 0e 12 34 56 2 T5 0 Tue Jul 01 2003 22 33 36 FALSE 35 FALSE 1 00 Ob 0e 02 76 f 6
208. PoE information is displayed for all ports Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays PoE information for all ports on a WX1200 switch WX1200 display port poe Link Port PoE PoE Port Name Status Type config Draw 1 1 up disabled off 2 2 down disabled off 33 a3 down disabled off 4 4 down MAP enabled 1 44 Di I down disabled off 6 6 down disabled off Table 12 describes the fields in this display Table 12 Output for display port poe Field Description Port Port number Name Port name If the port does not have a name the port number is listed 72 CHAPTER 4 PORT COMMANDS Table 12 Output for display port poe continued Field Description Link status Link status of the port up the port is connected a down tThe port is not connected Port type Port type MAP The port is a MAP access port a The port is not a MAP access port PoE config PoE state enabled disabled PoE Draw Power draw on the port in watts For 10 100 Ethernet ports on which PoE is disabled this field displays off For gigabit Ethernet ports this field displays invalid because PoE is not supported on gigabit Ethernet ports The value overcurrent indicates a PoE problem such as a short in the cable See Also set port poe on page 87 display port preference Displays the interface pref
209. QV 3C0M Wireless LAN Mobility System Wireless LAN Switch and Controller Command Reference WX4400 3CRWX440095A WX1200 3CRWX120695A WXR100 3CRWXR10095A http www 3com com Part No 10015086 Published April 2006 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 Copyright 2006 3Com Corporation All rights reserved No part of this documentation may be reproduced in any form or by any means or used to make any derivative work such as translation transformation or adaptation without written permission from 3Com Corporation 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change 3Com Corporation provides this documentation without warranty term or condition of any kind either implied or expressed including but not limited to the implied warranties terms or conditions of merchantability satisfactory quality and fitness for a particular purpose 3Com may make improvements or changes in the product s and or the program s described in this documentation at any time If there is any software on removable media described in this documentation it is furnished under a license agreement included with the product as a separate document in the hard copy documentation or on the removable media in a directory file named LICENSE TXT or LICENSE TXT If y
210. S COMMANDS Examples To display the offset from UTC type the following command WX4400 display timezone Timezone set to pst offset from UTC is 8 hours See Also clear summertime on page 135 Clear timezone on page 136 display summertime on page 154 display timedate on page 155 set summertime on page 191 set timedate on page 193 set timezone on page 194 ping Tests IP connectivity between a wireless LAN switch and another device MSS sends an Internet Control Message Protocol ICMP echo packet to the specified WX switch and listens for a reply packet Syntax Ping host count num packets dnf flood interval time size size source ip ip addr vlan name host IP address MAC address hostname alias or user to ping count num packets Number of ping packets to send You can specify from O through 2 147 483 647 If you enter 0 MSS pings continuously until you interrupt the command dnf Enables the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented a flood Sends new ping packets as quickly as replies are received or 100 times per second whichever is greater Use the flood option sparingly This option creates a lot of traffic and can affect other traffic on the network interval time Time interval between ping packets in milliseconds You can specify from 100 through 10 000 a size size Packet size in bytes
211. S SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch Use inform if you want acknowledgements Use trap if you do not want acknowledgements The inform option is applicable to SNMP version v2c or usm only Examples The following command configures a notification target for acknowledged notifications WX1200 set snmp notify target 1 10 10 40 9 usm inform user securesnmpmgrl snmp engine id ip success change accepted This command configures target 1 at IP address 10 10 40 9 The target s SNMP engine ID is based on its address The MSS SNMP engine will send notifications based on the default profile and will require the target to acknowledge receiving them The following command configures a notification target for unacknowledged notifications WX1200 set snmp notify target 2 10 10 40 10 v1 trap success change accepted See Also Clear snmp notify target on page 134 set ip snmp server on page 169 set snmp community on page 175 setsnmp notify profile on page 177 186 CHAPTER 7 IP SERVICES COMMANDS set snmp protocol on page 186 set snmp security on page 187 set snmp usm on page 188 display snmp notify target on page 152 set snmp protocol Enables an SNMP protocol MSS supports SNMPv1 SNMPv2c and SNMPv3 Syntax set snmp protocol v1 v2c usm all enable disable a v1 SNMPv1 a V2c SNMPv2c a usm SNMPv3 with the user
212. S server or WX switch local user database assigned the user display roaming station 107 Table 22 Output for display roaming station continued Field Description State State of the session See Also Setup Station is attempting to roam to this WX switch This switch has asked the WX from which the station is roaming for the station s session information and is waiting for a reply Up MSS has established a tunnel between the WX switches and the station has successfully roamed to this WX over the tunnel Chck This WX switch is in the process of accepting a reassociation request from the roaming peer WX switch for a station currently roaming to the peer switch TChck This WX switch is in the process of accepting a reassociation request from the roaming peer WX switch for a station currently roaming to this switch Wind This WX switch is waiting for network congestion to clear before sending the roaming indication to the roaming peer WX switch WResp This WX switch is waiting for network congestion to clear before sending the roaming response to the roaming peer WX switch display roaming vlan on page 108 108 CHAPTER 5 VLAN COMMANDS display roaming vlan Shows all VLANs in the mobility domain the WX switches servicing the VLANs and their tunnel affinity values configured on each switch for the VLANS Syntax display roaming vlan Defaults None Access Enabled
213. Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 methodl method2 method3 method4 At least one of up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database of usernames and user groups on the WX switch for authentication a server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods none For users with administrative access only MSS performs no authentication but prompts for a username and password and accepts any combination of entries including blanks The authentication method none you can specify for administrative access is different from the fallthru authentication type none which applies only to network access The authentication method none allows access to the WX switch by an administrator The fallthru authentication type none denies access to a network user See set service profile auth fallthru on page 374 232 CHAPTER 8 AAA COMMANDS Defaults B
214. Specify one or more of the following methods in priority order If the first method does not succeed MSS tries the second method and so on A method can be one of the following local Stores accounting records in the local database on the WX switch When the local accounting storage space is full MSS overwrites older records with new ones server group name Stores accounting records on one or more Remote Authentication Dial In User Service RADIUS servers You can also enter the names of existing RADIUS server groups as methods Defaults Accounting is disabled for all users by default Access Enabled History Introduced in MSS Version 3 0 Usage For network users with start stop accounting whose records are sent to a RADIUS server MSS sends interim updates to the RADIUS server when the user roams Examples The following command issues start and stop accounting records at the local WX database for administrator Natasha when she accesses the switch using Telnet or Web Manager WX4400 set accounting admin Natasha start stop local success change accepted See Also Clear accounting on page 203 display accounting statistics on page 222 set accounting dot1x mac web last resort 227 set accounting dot1x mac web last resort Sets up accounting services for specified wireless users with network access and defines the accounting records and where they are sent Syntax
215. State Port LVID RVID vlan eng 192 168 14 2 192 168 14 4 DORMANT 1024 4096 130 Table 25 describes the fields in the display Table 25 Output for display tunnel Field Description VLAN VLAN name Local Address IP address of the local end of the tunnel This is the system IP address of the wireless access switch where you enter the command display vlan config display vlan config 111 Table 25 Output for display tunnel continued Field Description Remote Address IP address of the remote end of the tunnel This is the system IP address of another WX switch in the mobility domain State Tunnel state Up a Dormant Port Tunnel port ID LVID Local VLAN ID RVID Remote VLAN ID See Also display vlan config on page 111 Shows VLAN information Syntax display vlan config vlan id vilan id VLAN name or number If you do not specify a VLAN information for all VLANs is displayed Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays information for VLAN burgundy WX1200 display vlan config burgundy VLAN Name 2 burgundy 4094 web aaa Admin VLAN Tunl Port Status State Affin Port Tag State Up Up 5 2 none Up 3 none Up 4 none Up 6 none Up Up Up 0 2 4094 Up t 10 10 40 4 none Up 112 CHAPTER 5 VLAN COMMANDS Table 26 describes the fields in this display Table 26 Output for display vlan
216. TH United Arab Emirates AE United Kingdom GB United States US set system countrycode Defaults The factory default country code is None Access Enabled History Introduced in MSS Version 3 0 57 Usage You must set the system county code to a valid value before using any set ap commands to configure a MAP 58 CHAPTER 3 SYSTEM SERVICE COMMANDS Examples To set the country code to Canada type the following command WX1200 set system country code CA success change accepted See Also display config on page 574 set system idle timeout Specifies the maximum number of seconds a CLI management session with the switch can remain idle before MSS terminates the session Syntax set system idle timeout seconds a seconds Number of seconds a CLI management session can remain idle before MSS terminates the session You can specify from O to 86400 seconds one day If you specify 0 the idle timeout is disabled Defaults 3600 seconds one hour Access Enabled History Introduced in MSS Version 4 1 Usage This command applies to all types of CLI management sessions console Telnet and SSH The timeout change applies to existing sessions and new sessions Examples The following command sets the idle timeout to 1800 seconds one half hour WX1200 set system idle timeout 1800 success change accepted See Also Clear system on page 40 display system on page 43
217. Table 4 Keyboard Shortcuts Keyboard Shortcut s Function Ctrl A Jumps to the first character of the command line Ctrl B or Left Arrow key Moves the cursor back one character Ctrl C Escapes and terminates prompts and tasks Ctrl D Deletes the character at the cursor Ctrl E Jumps to the end of the current command line Ctrl F or Right Arrow key Moves the cursor forward one character Ctrl K Deletes from the cursor to the end of the command line Ctrl L or Ctrl R Repeats the current command line on a new line Ctrl N or Down Arrow key Enters the next command line in the history buffer Ctrl P or Up Arrow key Enters the previous command line in the history buffer 30 CHAPTER 1 USING THE COMMAND LINE INTERFACE History Buffer Tabs Single Asterisk Wildcard Character Double Asterisk Wildcard Characters Table 4 Keyboard Shortcuts continued Keyboard Shortcut s Function Ctrl U or Ctrl X Deletes characters from the cursor to the beginning of the command line Ctrl W Deletes the last word typed Esc B Moves the cursor back one word Esc D Deletes characters from the cursor forward to the end of the word Delete key or Backspace key Erases mistake made during command entry Reenter the command after using this key The history buffer stores the last 63 commands you entered during a terminal session You can use the Up Arrow and Down Arrow keys to sel
218. The destination for the IP multicast route is MULTICAST For static routes the value Down means the WX switch does not have an interface to the destination s next hop router To provide an interface configure an IP interface that is in the same IP subnet as the next hop router The IP interface must be on a VLAN containing the port that is attached to the gateway router Clear ip route on page 130 display interface on page 142 display vlan config on page 111 set interface on page 160 set ip route on page 167 display ip telnet Shows information about the Telnet management port Syntax display ip telnet Defaults None Access All History Introduced in MSS Version 3 0 display ntp 149 Examples The following command shows the status and port number for the Telnet management interface to the WX switch WX4400 gt display ip telnet Server Status Port Enabled 23 Table 38 describes the fields in this display Table 38 Output for display ip telnet Field Description Server Status State of the HTTPS server a Enabled a Disabled Port TCP port number on which the WX switch listens for Telnet management traffic See Also Clear ip telnet on page 131 display ip https on page 145 setip https server on page 167 setip telnet on page 171 setip telnet server on page 172 display ntp Shows NTP client information Syntax display ntp Defaults N
219. Total number of security ACL data entries Fragmentation control Control value for handling fragmented IP packets Note The current MSS version filters only the first packet of a fragmented IP packet and passes the remaining fragments UC switchdest Control value for handling fragmented IP packets Note The current MSS version filters only the first packet of a fragmented IP packet and passes the remaining fragments Port number Control value for handling fragmented IP packets Note The current MSS version filters only the first packet of a fragmented IP packet and passes the remaining fragments Number of action types Number of actions that can be performed by ACLs This value is always 2 because ACLs can either permit or deny display security acl resource usage 457 Table 81 Output of display security acl resource usage continued Field Description LUdef in use Number of the lookup definition LUdef table currently in use for packet handling Default action pointer Memory address used for packet handling from which default action data is obtained when necessary L4 global Security ACL mapping on the WX switch True Security ACLs are mapped a False No security ACLs are mapped No rules Security ACE rule mapping on the WX switch a True No security ACEs are mapped a False Security ACEs are mapped Non IP rules Non IP security ACE m
220. VLANs or ports on the WX switch a True No security ACLs are mapped to VLANs or ports a False Security ACLs are mapped to VLANs or ports No VPORT mapping Application of security ACLs to WX virtual ports on the WX switch a True No security ACLs are mapped to virtual ports a False Security ACLs are mapped to virtual ports Clears changes made to the security ACL edit buffer since it was last saved The ACL is rolled back to its state after the last commit security acl command was entered All uncommitted ACLs in the edit buffer are cleared Syntax rollback security acl acl name all Defaults None Access Enabled acl name Name of an existing security ACL to roll back ACL names must start with a letter and are case insensitive a11 Rolls back all security ACLs in the edit buffer clearing all uncommitted ACEs History Introduced in MSS Version 3 0 set security acl 459 Examples The following commands show the edit buffer before a rollback clear any changes in the edit buffer to security acl_122 and show the edit buffer after the rollback WX4400 display security acl info all editbuffer ACL edit buffer information for all set security acl ip acl_122 ACEs 3 add 3 del 0 modified 0 1 permit IP source IP 20 0 1 11 0 0 0 255 destination IP any enable hits 2 deny IP source IP 20 0 2 11 0 0 0 0 destination IP any 3 deny SRC source IP 192 168 1 234 255 255 255
221. WX4400 display ip alias Name IP Address HR1 192 168 1 2 payroll LOD V 682 sS radiusl 192 168 7 2 144 CHAPTER 7 IP SERVICES COMMANDS Table 34 describes the fields in this display Table 34 Output for display ip alias Field Description Name Alias string IP Address IP address associated with the alias See Also Clear ip alias on page 128 setip alias on page 164 display ip dns Shows the DNS servers the wireless LAN switch is configured to use Syntax display ip dns Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays the DNS information WX4400 display ip dns Domain Name example com DNS Status enabled IP Address Type LOK Aye Lal PRIMARY 1044 2 SECONDARY TOs TaZ aL SECONDARY Table 35 describes the fields in this display Table 35 Output for display ip dns Field Description Domain Name Default domain name configured on the WX switch display ip https 145 Table 35 Output for display ip dns continued Field Description DNS Status Status of the WX switch s DNS client a Enabled a Disabled IP Address IP address of the DNS server Type Server type a PRIMARY a SECONDARY See Also Clear ip dns domain on page 129 Clear ip dns server on page 129 setip dns on page 164 setip dns domain on page 165 set ip dns server on page 166 display ip https Shows information abo
222. X switch WX1200 clear network domain peer 192 168 9 254 success change accepted The following command clears the Network Domain peer configuration for all peers from the WX switch WX1200 clear network domain peer all success change accepted See Also set network domain peer on page 281 clear network domain seed ip 277 clear network domain seed ip Removes the specified Network Domain seed from the WX switch s configuration When you enter this command the Network Domain TCP connections between the WX switch and the specified Network Domain seed are closed Syntax clear network domain seed ip ip addr ip addr IP address of the Network Domain seed in dotted decimal notation Defaults None Access Enabled History Introduced in MSS 4 1 Usage This command has no effect if the WX switch is not configured as part of a Network Domain or if the WX switch is not configured as a member of a Network Domain that uses the specified Network Domain seed The following command removes the Network Domain seed with IP address 192 168 9 254 from the WX switch s configuration WX1200 clear network domain seed ip 192 168 9 254 success change accepted See Also set network domain mode member seed ip on page 280 278 CHAPTER 10 NETWORK DOMAIN COMMANDS display network domain Displays the status of Network Domain seeds and members Syntax display network domain Defaults None
223. You can specify from 56 through 65 507 WX120 PING 64 by 64 by 64 by 64 by 64 by COS COS COS Ces COS from from from from from ping 157 Because the WX switch adds header information the ICMP packet size is 8 bytes larger than the size you specify source ip ip addr IP address in dotted decimal notation to use as the source IP address in the ping packets source ip vlan name VLAN name to use as the ping source MSS uses the IP address configured on the VLAN as the source IP address in the ping packets Defaults count 5 dnf Disabled interval 100 one tenth of a second size 56 Access Enabled History Introduced in MSS Version 3 0 Usage To stop a ping command that is in progress press Ctrl C Examples The following command pings a WX switch that has IP address 10 1 1 1 O ping 10 1 1 1 POs kal 10 1 1 1 from 10 9 4 34 56 84 bytes of data 10 10 10 10 10 PRPRPRP PR ede errre errre AG icmp _seq 1 ttl 255 time 0 769 ms icmp seq 2 ttl 255 time 0 628 ms icmp seq 3 ttl 255 time 0 676 ms icmp seq 4 ttl 255 time 0 619 ms icmp seq 5 ttl 255 time 0 608 ms 10 1 1 1 ping statistics 5 pac kets transmitted 5 packets received 0 errors 0 packet loss See Also traceroute on page 197 158 CHAPTER 7 IP SERVICES COMMANDS set arp Adds an ARP entry to the ARP table Syntax set arp perma
224. a noise burst temporarily floods the air and the MAP attempts to buffer the noise as packets Buffer overruns are normal while a MAP is booting However if they occur over an extended period of time when the MAP is fully active this can indicate RF interference PktTxCount Number of packets transmitted by the radio MultiPktDrop Number of multicast packets dropped by the radio due to a buffer overflow on the MAP This counter increments if there is too much multicast traffic or there is a problem with the multicast packets Normally this counter should be 0 MultiBytDrop Number of multicast bytes dropped by the radio due to a buffer overflow on the MAP See the description for MultiPktDrop 298 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 52 Output for display ap counters continued Field Description User Sessions Number of clients currently associated with the radio Generally this counter is equal to the number of sessions listed for the radio in display sessions output However the counter can differ from the counter in display sessions output if a client is associated with the radio but has not yet completed 802 1X authentication In this case the client is counted by this counter but not in the display sessions output Although there is no specific normal range for this counter a high or low number relative to other radios can mean the radio is underutilized or overutilized rela
225. able success rfdetect logging is enabled See Also display log buffer on page 610 560 CHAPTER 19 RF DETECTION COMMANDS set rfdetect signature Enables MAP signatures A MAP signature is a set of bits ina management frame sent by a MAP that identifies that MAP to MSS If someone attempts to spoof management packets from a 3Com MAP MSS can detect the spoof attempt Syntax set rfdetect signature enable disable enable Enables MAP signatures disable Disables MAP signatures Defaults MAP signatures are disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage The command applies only to MAPs managed by the WX switch on which you enter the command To enable signatures on all MAPs in a Mobility Domain enter the command on each WX switch in the Mobility Domain You must use the same MAP signature setting enabled or disabled on all WX switches in a Mobility Domain Examples The following command enables MAP signatures on a WX switch WX1200 set rfdetect signature enable success signature is now enabled set rfdetect ssid list Adds an SSID to the permitted SSID list The permitted SSID list specifies the SSIDs that are allowed on the network If MSS detects packets for an SSID that is not on the list the AP that sent the packets is classified as a rogue MSS issues countermeasures against the rogue if they are enabled Syntax set rfdetect ssi
226. ac user 01 02 03 04 05 06 group eastcoasters success change accepted See Also Clear mac user on page 211 display aaa on page 219 set mac user attr 249 set mac user attr Assigns an authorization attribute in the local database on the WX switch to a user who is authenticated by a MAC address To assign authorization attributes through RADIUS see the documentation for your RADIUS server Syntax set mac user mac addr attr attribute name value mac addr MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros a attribute name valu Name and value of an attribute you are using to authorize the MAC user for a particular service or session characteristic For a list of authorization attributes and values that you can assign to local users see Table 44 Table 44 Authentication Attributes for Local Users Attribute Description Valid Value s encryption type Type of encryption One of the following numbers that required for access by identifies an encryption algorithm the client Clients who attempt to use an unauthorized encryption method are rejected 1 AES_CCM Advanced Encryption Standard using Counter with CBC MAC 2 Reserved 4 TKIP Temporal Key Integrity Protocol 8 WEP_104 the default Wired Equivalent Privacy protocol using 104 bits of key strength 16 WEP_4O Wired Equivalent Privacy protocol using 40 bits of key strength
227. ace is disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage This command applies only to the WX4400 This command does not affect a link that is already active on the port Examples The following command disables the copper interface and reenables the fiber interface on port 2 Wx4400 clear port media type 2 See Also set port media type on page 85 display port media type on page 75 clear port name Removes the name assigned to a port Syntax clear port port list name port list List of physical ports MSS removes the names from all the specified ports Defaults None Access Enabled History Introduced in MSS Version 3 0 clear port preference 67 Examples The following command clears the names of ports 1 through 3 WX4400 clear port 1 3 name See Also display port status on page 73 set port name on page 86 clear port preference Resets a gigabit Ethernet port on a WX4400 to use the GBIC fiber interface for the active link Syntax clear port preference port list a port list List of physical ports MSS clears the preference on all the specified ports Defaults When both the copper and fiber interfaces of a gigabit Ethernet port are connected the GBIC fiber interface is the active link The RJ 45 copper link is unused Access Enabled History Introduced in MSS Version 3 0 Usage This co
228. ackets that receive CoS 5 upon ingress will be marked with a DSCP value equivalent to CoS 6 upon egress See Also set gos dscp to cos map on page 122 display qos on page 123 122 CHAPTER 6 QUALITY OF SERVICE COMMANDS set qos dscp to cos map Changes the internal QoS value to which MSS maps a packet s DSCP value when classifying inbound packets Syntax set qos dscp to cos map dscp range cos level a dscp range You can specify the values as decimal numbers Valid decimal values are O to 63 To specify a range use the following format 40 56 Specify the lower number first cos level Internal QoS value You can specify a number from 0 to 7 Defaults The defaults are listed by the display qos command Access Enabled History Introduced in MSS Version 4 1 Examples The following command maps DSCP values 40 56 to internal CoS value 6 WX1200 set qos dscp to cos map 40 56 cos 6 warning cos 5 is marked with dscp 63 which will be classified as cos 7 warning cos 7 is marked with dscp 56 which will be classified as cos 6 As shown in this example if the change results in a change to CoS MSS displays a warning message indicating the change See Also set gos cos to dscp map on page 121 display qos on page 123 display qos 123 display qos Displays the switch s QoS settings Syntax display qos default default Displays the default mappings Defaults None
229. adio Phy Errors Count See Also Number of frames received by the MAP radio that had physical layer errors on the active channel Phy errors can indicate interference from a non 802 11 device display auto tune neighbors on page 311 display radio profile on page 317 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune channel config on page 349 set radio profile auto tune channel holddown on page 350 display auto tune neighbors 311 set radio profile auto tune channel interval on page 351 set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 display auto tune neighbors Displays the other 3Com radios and third party 802 11 radios that a 3Com radio can hear Syntax display auto tune neighbors ap map num radio 1 2 all Syntax display auto tune neighbors dap dap num radio 1 2 all map num MAP port connected to the MAP access point for which to display neighbors dap num Number of a Distributed MAP for which to display neighbors radio 1 Shows neighbor information for radio 1 radio 2 Shows neighbor information for radio 2 This option does not apply to single radio models radio all Shows neighbor information for both radios Defaults
230. adio advertises support This command does not apply to 802 11a Syntax set radio profile name preamble length long short name Radio profile name long Advertises support for long preambles short Advertises support for short preambles Defaults The default is short Access Enabled History Introduced in MSS Version 3 0 set radio profile rts threshold 365 Usage Changing the preamble length value affects only the support advertised by the radio Regardless of the preamble length setting short or long an 802 11b g radio accepts and can generate 802 1 1b g frames with either short or long preambles If a client associated with an 802 11b g radio uses long preambles for unicast traffic the MAP access point still accepts frames with short preambles but does not transmit frames with short preambles This change also occurs if the access point overhears a beacon from an 802 11b g radio on another access point that indicates the radio has clients that require long preambles You must disable all radios that use a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command configures 802 11b g radios that use the radio profile ro_ ong to advertise support for long preambles instead of short preambles Wx4400 set radio profile rp_long preamble length long success change accepted See Also display radio pro
231. age 133 setsnmp notify profile on page 177 display snmp notify target Displays SNMP notification targets Syntax display snmp notify target Defaults None Access Enabled History Introduced in MSS Version 4 0 display snmp status 153 See Also Clear snmp notify target on page 134 set snmp notify target on page 181 display snmp status Displays SNMP version and status information Syntax display snmp status Defaults None Access Enabled History Introduced in MSS Version 4 0 See Also set snmp community on page 175 set snmp notify target on page 181 setsnmp notify profile on page 177 set snmp protocol on page 186 set snmp security on page 187 set snmp usm on page 188 display snmp community on page 151 display snmp counters on page 152 display snmp notify profile on page 152 display snmp notify target on page 152 display snmp usm on page 154 154 CHAPTER 7 IP SERVICES COMMANDS display snmp usm Displays information about SNMPv3 users Defaults None Access Enabled History Introduced in MSS Version 4 0 See Also Clear snmp usm on page 134 display snmp usm on page 154 display Shows a wireless LAN switch s offset from its real time clock summertime Syntax display summertime Defaults There is no summertime offset by default Access All History Introduced in MSS Version 3 0 Examples To d
232. air From anywhere in these regions call 44 0 1442 435529 640 APPENDIX A OBTAINING SUPPORT FOR YOUR PRODUCT Country Telephone Number Country From the following countries you may use the numbers shown Austria 01 7956 7124 Luxembourg Belgium 070 700 770 Netherlands Denmark 7010 7289 Norway Finland 01080 2783 Poland France 0825 809 622 Portugal Germany 01805 404 747 South Africa Hungary 06800 12813 Spain Ireland 1407 3387 Sweden Israel 1800 945 3794 Switzerland Italy 199 161346 U K You can also obtain support in this region using the following URL http emea 3com com support email html Telephone Number 342 0808128 0900 777 7737 815 33 047 00800 441 1357 707 200 123 0800 995 014 9 021 60455 07711 14453 08488 50112 0870 909 3266 Latin America Telephone Technical Support and Repair Antigua 1 800 988 2112 Guatemala Argentina 0 810 444 3COM Haiti Aruba 1 800 998 2112 Honduras Bahamas 1 800 998 2112 Jamaica Barbados 1 800 998 2112 Martinique Belize 52 5 201 0010 Mexico Bermuda 1 800 998 2112 Nicaragua Bonaire 1 800 998 2112 Panama Brazil 0800 13 3COM Paraguay Cayman 1 800 998 2112 Peru Chile AT amp T 800 998 2112 Puerto Rico Colombia AT amp T 800 998 2112 Salvador Costa Rica AT amp T 800 998 2112 Trinidad and Tobago Curacao 1 800 998 2112 Uruguay Ecuador AT amp T 800 998 2112 Venezuela Dominican Republic AT amp T 800 998 2112 Virgin Islands You can also obtain support in this region using the fol
233. all security ACLs from the edit buffer When used with the command commit security acl clears the ACE from the running configuration Syntax clear security acl acl name all editbuffer index acl name Name of an existing security ACL to clear ACL names start with a letter and are case insensitive all Clears all security ACLs a editbuffer index Number that indicates which access control entry ACE in the security ACL to clear If you do not specify an ACE all ACEs are cleared from the ACL Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command deletes security ACLs only in the edit buffer You must use the commit security acl command with this command to delete the ACL or ACE from the running configuration and nonvolatile storage The clear security acl command deletes a security ACL but does not stop its current filtering function if the ACL is mapped to any virtual LANs VLANs ports or virtual ports or if the ACL is applied in a Filter Id attribute to an authenticated user or group of users with current sessions Examples The following commands display the current security ACL configuration clear acl_133 in the edit buffer commit the deletion to the running configuration and redisplay the ACL configuration to display that it no longer contains ac _133 clear security acl map 447 WX4400 display security acl info all ACL information for
234. all set security acl ip acl_133 hits 1 0 deny IP source IP 192 168 1 6 0 0 0 0 destination IP any set security acl ip acl_134 hits 3 0 permit IP source IP 192 168 0 1 0 0 0 0 destination IP any enable hits set security acl ip acl_135 hits 2 0 deny IP source IP 192 168 1 1 0 0 0 0 destination IP any enable hits WxX4400 clear security acl acl_133 WxX4400 commit security acl acl_133 configuration accepted WX4400 display security acl info all ACL information for all set security acl ip acl_134 hits 3 0 1 permit IP source IP 192 168 0 1 0 0 0 0 destination IP any enable hits set security acl ip acl_135 hits 2 0 1 deny IP source IP 192 168 1 1 0 0 0 0 destination IP any enable hits See Also a Clear security acl map on page 447 a commit security acl on page 449 display security acl info on page 452 set security acl on page 459 clear security acl Deletes the mapping between a security ACL and a virtual LAN VLAN map one or more physical ports or a virtual port Or deletes all ACL maps to VLANs ports and virtual ports on a WX switch Security ACLs are applied to users or groups dynamically via the Filter ld D attribute To delete a security ACL from a user or group in the local WX database use the command clear user attr clear mac user attr clear usergroup attr or clear mac usergroup attr To delete a security ACL from a user or group on an external RADIUS server see
235. ame active scan enable disable name Radio profile name enable Configures radios to actively scan for rogues disable Configures radios to scan only passively for rogues by listening for beacons and probe responses set radio profile auto tune channel config 349 Defaults Active scanning is enabled by default Access Enabled History Introduced in MSS Version 4 0 Usage You can enter this command on any WX switch in the Mobility Domain The command takes effect only on that switch Examples The following command disables active scan in radio profile radprof3 wx4400 set radio profile radprof3 active scan disable success change accepted set radio profile auto tune channel config Disables or reenables dynamic channel tuning RF Auto Tuning for the MAP radios in a radio profile Syntax set radio profile name auto tune channel config enable disable name Radio profile name enable Configures radios to dynamically select their channels when the radios are started a disable Configures radios to use their statically assigned channels or the default channels if unassigned when the radios are started Defaults Dynamic channel assignment is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage If you disable RF Auto Tuning for channels MSS does not dynamically set the channels when radios are first enabled and a
236. ame group Examples The following example disables proxy reporting on VLAN orange WX1200 set igmp proxy report disable vlan orange success change accepted See Also setigmp rv on page 442 setigmp qi 439 set igmp qi Changes the IGMP query interval timer on one VLAN or all VLANs on a WX Syntax set igmp qi seconds vlan vlan id qi seconds Number of seconds that elapse between general queries sent by the WX when the WX switch is the querier for the subnet You can specify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN the timer change applies to all VLANs Defaults The default query interval is 125 seconds Access Enabled History Introduced in MSS Version 3 0 Usage The query interval is applicable only when the WX is querier for the subnet For the WX switch to become the querier the pseudo querier feature must be enabled on the WX and the WX must have the lowest IP address among all the WX switches eligible to become a querier To enable the pseudo querier feature use the set igmp querier command Examples The following command changes the query interval on VLAN orange to 100 seconds WX1200 set igmp qi 100 vlan orange success change accepted See Also set igmp Imai on page 434 setigmp oqi on page 437 setigmp qri on page 440 setigmp querier on page 441 set igmp mrouter on page 435 setigmp rv on
237. an 802 11 acknowledgement for a packet sent to the radio If the radio receives only a single copy of a packet that is transmitted multiple times by a client the packet is not counted by the radio as a retransmission For example if a packet is corrupted and the radio does not receive it but the second copy of the packet does reach the radio the radio does not count the packet as a retransmission since the radio received only one recognizable copy of the packet 338 CHAPTER 11 MANAGED ACCESS POINT COMMANDS The interval is 1000 packets If more than the specified percentage of packets within a group of 1000 packets received by the radio are retransmissions the radio increases power When the percentage of retransmissions exceeds the max retransmissions threshold the radio does not immediately increase power Instead if the data rate at which the radio is sending packets to the client is above the minimum data rate allowed the radio lowers the data rate by one setting If the retransmissions still exceed the maximum allowed the radio continues to lower the data rate one setting at a time until either the retransmissions fall within the allowed percentile or the minimum allowed data rate is reached If the retransmissions still exceed the threshold after the minimum allowed data rate is reached the radio increases power by 1 dBm The radio continues increasing the power in 1 dBm increments until the retransmissions fall below the
238. anagement cont change on page 623 delete on page 625 Diagnostics diag on page 627 test on page 635 autoboot Displays or changes the state of the autoboot option The autoboot option controls whether a WX switch automatically boots a system image after initializing the hardware following a system reset or power cycle Syntax autoboot ON on OFF off ON Enables the autoboot option on Same effect as on a OFF Disables the autoboot option off Same effect as OFF Defaults The autoboot option is enabled by default Access Boot prompt History Introduced in MSS Version 3 0 Examples The following command displays the current setting of the autoboot option boot gt autoboot The autoboot flag is on See Also boot on page 621 boot 621 boot Loads and executes a system image file Syntax boot BT type DEV device FN filename HA ip addr FL num OPT option OPT option BT type Boot type c Compact flash Boots using nonvolatile storage or a flash card a n Network Boots using a TFIP server DEV device Location of the system image file a c Nonvolatile storage area containing boot partition O d Nonvolatile storage area containing boot partition 1 a e Primary partition of the flash card in the flash card slot a f Secondary partition of the flash card in the flash card slot boot0 b
239. and for services among servers Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Deleting a server group removes the server group from the configuration However the members of the server group remain 490 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS Examples To remove the server group sg 77 type the following command WX4400 clear server group sg 77 success change accepted To disable load balancing in a server group shorebirds type the following command WX4400 set server group shorebirds load balance disable success change accepted See Also set server group on page 496 set radius Configures global defaults for RADIUS servers that do not explicitly set these values themselves By default the WX switch automatically sets all these values except the password key Syntax set radius deadtime minutes key string retransmit number timeout seconds deadtime minutes Number of minutes the WX switch waits after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server You can specify from O to 1440 minutes a key string Password shared secret key used to authenticate to the RADIUS server You must provide the same password that is defined on the RADIUS server The password can be 1 to 32 characters long with no spaces or tabs retransmit number Number of transmission attempts the WX switch makes before decla
240. and remains in the database even after a reboot reset or power cycle static Displays static entries A static entry does not age out but is removed from the database after a reboot reset or power cycle dynamic Displays dynamic entries A dynamic entry is automatically removed through aging or after a reboot reset or power cycle system Displays system entries A system entry is added by MSS For example the authentication protocols can add entries for wired and wireless authentication users a11 Displays all entries in the database or all the entries that match a particular port or ports or a particular VLAN port port list Destination port s for which to display entries Defaults None display fdb 103 Access All History Introduced in MSS Version 3 0 Usage To display the entire forwarding database enter the display fdb command without options To display only a portion of the database use optional parameters to specify the types of entries you want to display Examples The following command displays all entries in the forwarding database WX4400 display fdb all Static VLAN TAG Dest MAC Route Des 00 01 97 aa bb cc 00 0b 0e Total Matching FDB E T Entry Permanent Entry System Entry CoS Destination Ports Protocol Type 13 0bp 1f ji ALL dd ee ff X 3 ALL 202 76 5 1 ALL Entries Displayed The top l
241. ange from which the server can lease addresses MAC address of the DHCP client Lease Remaining Number of seconds remaining before the address lease expires State State of the address lease SUSPEND MSSS is checking for the presence of another DHCP server on the subnet This is the initial state of the MSS DHCP server The MSS DHCP server remains in this state if another DHCP server is detected a CHECKING MSS is using ARP to verify whether the address is available a OFFERING MSS offered the address to the client and is waiting for the client to send a DHCPREQUEST for the address a BOUND The client accepted the address HOLDING The address is already in use and is therefore unavailable Lease Allocation Duration of the address lease in seconds Lease Remaining Number of seconds remaining before the address lease expires 142 CHAPTER 7 IP SERVICES COMMANDS Table 32 Output for display dhcp server verbose Field Description IP Address IP address leased to the client Subnet Mask Network mask of the IP address leased to the client Default Gateway Default gateway IP address included in the DHCP Offer to the client DNS Server DNS server IP address es included in the DHCP Offer to the client DNS Domain Default DNS domain name included in the DHCP Offer to the Name client See Also set interface dhcp server on page 162 display interface Shows the IP
242. ap dap radio radio profile on page 343 set radio profile mode on page 362 clear service profile Removes a service profile or resets one of the profile s parameters to its default value Syntax clear service profile name name Service profile name Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage If the service profile is mapped to a radio profile you must remove it from the radio profile first After disabling all radios that use the radio profile use the clear radio profile name service profile name command 290 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following commands disable the radios that are using radio profile ro6 remove service profile svcprof6 from rp6 then clear svcprof from the configuration WX4400 set radio profile rp6 mode disable WX4400 clear radio profile rp6 service profile svcprof6 success change accepted WX4400 clear service profile svcprof6 success change accepted See Also Clear radio profile on page 288 set radio profile mode on page 362 display ap dap config Displays global and radio specific settings for a MAP access point Syntax display ap config port list radio 1 2 Syntax display dap config dap num radio 1 2 a port list List of ports connected to the MAP access point s for which to display configuration settings dap num Number of a Distr
243. apping on the WX switch a True Non IP security ACEs are mapped a False Only IP security ACEs are mapped Note The current MSS version supports security ACEs for IP only Root in first Leaf buffer allocation True Enough primary leaf buffers are allocated in nonvolatile memory to accommodate all leaves a False Insufficient primary leaf buffers are allocated in nonvolatile memory to accommodate all leaves Static default action Definition of a default action True A default action types is defined False No default action type is defined No per user MAC mapping Per user application of a security ACL with the Filter Id attribute on the WX switch a True No security ACLs are applied to users a False Security ACLs are applied to users Out mapping Application of security ACLs to outgoing traffic on the WX switch True Security ACLs are mapped to outgoing traffic a False No security ACLs are mapped to outgoing traffic 458 CHAPTER 14 SECURITY ACL COMMANDS rollback security acl Table 81 Output of display security acl resource usage continued Field Description In mapping Application of security ACLs to incoming traffic on the WX switch True Security ACLs are mapped to incoming traffic a False No security ACLs are mapped to incoming traffic No VLAN or PORT mapping Application of security ACLs to WX
244. ar crypto a name Service profile name clear Wireless traffic for the service profile s SSID is not encrypted a crypto Wireless traffic for the service profile s SSID is encrypted Defaults The default SSID type is crypto Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the SSID type for service profile clear_wian to clear Wx4400 set service profile clear wlan ssid type clear success change accepted See Also set service profile ssid name on page 384 386 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set service profile tkip mc time Changes the length of time that MAP radios use countermeasures if two message integrity code MIC failures occur within 60 seconds When countermeasures are in effect MAP radios dissociate all TKIP and WPA WEP clients and refuse all association and reassociation requests until the countermeasures end Syntax set service profile name tkip mc time wait time a name Service profile name a wait time Number of milliseconds ms countermeasures remain in effect You can specify from O to 60 000 Defaults The default countermeasures wait time is 60 000 ms 60 seconds Access Enabled History Introduced in MSS Version 3 0 Usage Countermeasures apply only to TKIP and WEP clients This includes WPA WEP clients and non WPA WEP clients CCMP clients are not affected The TKIP cipher
245. ar and display commands Use set commands to change parameters Use clear commands to reset parameters to their defaults In many cases you can overwrite a parameter with another set command Use display commands to show the current configuration and monitor the status of network operations The wireless LAN switches support two connection modes a Administrative access mode which enables the network administrator to connect to the WX switch and configure the network Network access mode which enables network users to connect through the WX switch to access the network 24 CHAPTER 1 USING THE COMMAND LINE INTERFACE CLI Conventions Command Prompts Syntax Notation Be aware of the following MSS CLI conventions for command entry Command Prompts on page 24 a Syntax Notation on page 24 a Text Entry Conventions and Allowed Characters on page 25 User Globs MAC Address Globs and VLAN Globs on page 26 Port Lists on page 28 Virtual LAN Identification on page 29 By default the MSS CLI provides the following prompt for restricted users The mmmm portion shows the wireless LAN switch model number for example 7200 WXmmmm gt After you become enabled as an administrative user by typing enable and supplying a suitable password MSS displays the following prompt WX mmmm For information about changing the CLI prompt on a wireless LAN switch see set prompt on page
246. ated nor encrypted Defaults By default MSS allows nonsecure unsecured SNMP message exchanges Access Enabled History Introduced in MSS Version 4 0 Usage SNMPv1 and SNMPv2c do not support authentication or encryption If you plan to use SNMPv1 or SNMPv2c leave the minimum level of SNMP security set to unsecured Examples The following command sets the minimum level of SNMP security allowed to authentication and encryption WX1200 set snmp security encrypted success change accepted 188 CHAPTER 7 IP SERVICES COMMANDS See Also set ip snmp server on page 169 set snmp community on page 175 setsnmp notify target on page 181 set snmp notify profile on page 177 set snmp protocol on page 186 set snmp usm on page 188 display snmp status on page 153 set snmp usm gt Creates a USM user for SNMPv3 This command does not apply to SNMPv1 or SNMPv2c For these SNMP versions use the set snmp community command to configure community strings Syntax set snmp usm usm username snmp engine id ip ip addr local hex hex string access read only read notify notify only read write notify read write auth type none md5 sha auth pass phrase string auth key hex string encrypt type none des 3des aes encrypt pass phrase string encrypt key hex string usm username Name of the SNMPv3 user Specify between 1 and 32 alphanumeric characters with
247. ateway address as a result the observer must also be in the same subnet Without a default gateway the MAP cannot find the observer setsnoop 601 a The MAP that is running a snoop filter forwards snooped packets directly to the observer This is a one way communication from the MAP to the observer If the observer is not present the MAP still sends the snoop packets which use bandwidth If the observer is present but is not listening to TZSP traffic the observer continuously sends ICMP error indications back to the MAP These ICMP messages can affect network and MAP performance Examples The following command configures a snoop filter named snoop that matches on all traffic and copies the traffic to the device that has IP address 10 10 30 2 WX1200 set snoop snoopl observer 10 10 30 2 snap length 100 The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa bb cc dd ee ff and the device with MAC address 11 22 33 44 55 66 and copies the traffic to the device that has IP address 10 10 30 3 WX1200 set snoop snoop2 frame type eq data mac pair aa bb cc dd ee ff 11 22 33 44 55 66 observer 10 10 30 3 snap length 100 See Also Clear snoop on page 598 set snoop map on page 602 set snoop mode on page 603 display snoop info on page 604 display snoop stats on page 606 602 CHAPTER 22 SNOOP COMMANDS set snoop map Maps a snoop filter
248. atus 163 ip alias 164 ip dns 164 ip dns domain 165 ip dns server 166 ip https server 167 ip route 167 se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se t t t t on t t t t ip snmp server 169 ip ssh 170 ip ssh server 171 ip telnet 171 ip telnet server 172 ength 53 license 53 ocation policy 244 og 614 log buffer 614 log console 614 og current 614 og mark 616 log server 614 log sessions 614 log trace 614 mac user 248 mac user attr 249 mac usergroup attr 254 mobility profile 255 mobility domain member 269 mobility domain mode member seed ip 270 mobility domain mode seed domain name 271 mobility profile mode 257 network domain mode member seed ip 280 network domain mode seed domain name 282 network domain peer 281 ntp 173 ntp server 174 ntp update interval 175 port 83 port media type 85 port name 86 port negotiation 86 port poe 87 port preference 88 port speed 89 port trap 90 port type ap 91 port type wired auth 94 port group 84 prompt 54 qos cos to dscp map 121 qos dscp to cos map 122 radio profile auto tune channel config 349 radio profile auto tune channel holddown 350 radio profile auto tune channel interval 351 radio profile auto tune power backoff timer 352 radio profile a
249. aults Shared key authentication is disabled by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command enables shared key authentication in service profile sp4 WX4400 set service profile sp4 shared key auth enable success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set service profile ssid name Configures the SSID name in a service profile Syntax set service profile name ssid name ssid name name Service profile name ssid name Name of up to 32 alphanumeric characters You can include blank spaces in the name if you delimit the name with single or double quotation marks You must use the same type of quotation mark either single or double on both ends of the string Defaults The default SSID name is private set service profile ssid type 385 Access Enabled History Introduced in MSS Version 3 0 Support added for blank spaces in the SSID name in MSS Version 4 0 Examples The following command applies the name guest to the SSID managed by service profile clear_wilan WxX4400 set service profile clear wlan ssid name guest success change accepted See Also set service profile ssid type on page 385 set service profile ssid type Specifies whether the SSID managed by a service profile is encrypted or unencrypted Syntax set service profile name ssid type cle
250. ax clear boot backup configuration Defaults None Access Enabled History Introduced in MSS Version 4 1 Examples The following command clears the name specified as the backup configuration file from the configuration of the WX switch WX4400 clear boot backup configuration success Backup boot config filename was cleared See Also set boot backup configuration on page 585 display boot on page 573 Resets to the factory default the configuration that MSS loads during a reboot Syntax clear boot config Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following commands back up the configuration file on an WX switch reset the switch to its factory default configuration and reboot the switch WX4400 copy configuration tftp 10 1 1 1 backupcfg success sent 365 bytes in 0 401 seconds 910 bytes sec WX4400 clear boot config success Reset boot config to factory defaults copy 567 WX4400 reset system force ope Page rebooting See Also display config on page 574 reset system on page 582 copy Performs the following copy operations Copies a file from a TFP server to nonvolatile storage Copies a file from nonvolatile storage or temporary storage to a TFTP server a Copies a file from one area in nonvolatile storage to another Copies a file to a new filename in nonvolatile storage Syntax copy source u
251. ay sessions network session id session id command for each client on the radio After you identify the client that is causing the errors disable and reenable the client wireless NIC display ap dap counters 297 Table 52 Output for display ap counters continued Field Description CCMP Pkt Transfer Ct Total number of CCMP packets sent and received by the radio Radio Recv Phy Err Ct Number of times radar caused packet errors If this counter increments rapidly there is a problem in the RF environment This counter increments only when radar is detected Rate specific Phy errors are instead counted in the PhyError columns for individual data rates Radio Adjusted Tx Pwr Current power level set on the radio If RF Auto Tuning of power is enabled this value is the power set by RF Auto Tuning If RF Auto Tuning is disabled this value is the statically configured power level 802 3 Packet Tx Ct Number of raw 802 3 packets transmitted by the radio These are LocalTalk AppleTalk frames This counter increments only if LocalTalk traffic is present No Receive Descriptor Number of packets for which the MAP could not create a descriptor A descriptor describes a received packet s size and its location in MAP memory The MAP buffers descriptors and clears them during interframe spaces This counter increments if the MAP runs out of buffers for received packets This condition can occur when
252. ber of seconds for the user s session Number between 0 and 4 294 967 296 seconds approximately 136 2 years ssid network access SSID the user is allowed to access after authentication Name of the SSID you want the user to use The SSID must be configured in a service profile and the service profile mode only must be used by a radio profile assigned to MAP radios in the Mobility Domain start date Date and time at which Date and time in the following the user becomes eligible to access the network MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time but before the end date if specified format YY MM DD HH MM You can use start date alone or with end date You also can use start date end date or both in conjunction with time of day 252 CHAPTER 8 AAA COMMANDS Table 44 Authentication Attributes for Local Users continued time of day network access mode only Day s and time s during which the user is permitted to log into the network After authorization the user s session can last until either the Time Of Day range or the Session Timeout duration if set expires whichever is shorter One of the following never Access is always denied any Access is always allowed al Access is always allowed One or more ranges of values that consist of one of the following day designations
253. ber of packets sent by the radio that match the filter Number of packets that matched the filter but that were not copied to the observer due to memory or network problems Filter state a running enabled stopped disabled number of packets lf the filter is running and the stop after option was used to stop the filter this field displays the number of packets that still need to match before the filter is stopped 608 CHAPTER 22 SNOOP COMMANDS 23 Commands by Usage SYSTEM LOG COMMANDS Use the system log commands to record information for monitoring and troubleshooting MSS system logs are based on RFC 3164 which defines the log protocol This chapter present system log commands alphabetically Use Table 110 to locate commands in this chapter based on their use Table 110 System Log Commands by Usage Type Command System Logs set log on page 614 set log mark on page 616 display log config on page 612 display log buffer on page 610 display log trace on page 613 clear log on page 609 clear log Clears the log messages stored in the log buffer or removes the configuration for a syslog server and stops sending log messages to that server Syntax clear log buffer server ip addr buffer Deletes the log messages stored in nonvolatile storage a server ip addr Deletes the configuration for and stops sending log messages to the syslog server at this IP address
254. ble success change accepted See Also display log config on page 612 618 CHAPTER 23 SYSTEM LOG COMMANDS 24 BOOT PROMPT COMMANDS Boot prompt commands enable you to perform basic tasks including booting a system image file from the boot prompt boot gt A CLI session enters the boot prompt if MSS does not boot successfully or you intentionally interrupt the boot process To interrupt the boot process press q followed by Enter return CAUTION Generally boot prompt commands are used only for troubleshooting 3Com recommends that you use these commands only when working with 3Com Technical Support to diagnose a system issue In particular commands that change boot parameters can interfere with a WX switch s ability to boot successfully Boot Prompt Commands by Usage This chapter presents boot prompt commands alphabetically Use Table 111 to locate commands in this chapter based on their use Table 111 Boot Prompt Commands by Usage Type Command Command Information Is on page 632 help on page 631 Booting boot on page 621 reset on page 634 autoboot on page 620 dhcp on page 626 File Management dir on page 627 fver on page 630 version on page 636 620 CHAPTER 24 BOOT PROMPT COMMANDS Table 111 Boot Prompt Commands by Usage continued Type Command Boot Profile Management display on page 628 create on page 624 Boot Profile next on page 633 M
255. ce for that user For example if the start date attribute configured for a user is sooner than the start date configured for the user group the user is in the user s network access can begin as soon as the user start date The user does not need to wait for the user group s start date Examples The following command adds the user group cardiology to the local database and assigns all the group members to VLAN crimson WX4400 set usergroup cardiology attr vlan name crimson success change accepted See Also Clear usergroup on page 217 Clear usergroup attr on page 218 display aaa on page 219 Globally enables or disables WebAAA on a WX switch Syntax set web portal enable disable enable Enables WebAAA on the switch disable Disables WebAAA on the switch Defaults Enabled Access Enabled History Introduced in MSS Version 3 0 Command name changed from set web aaa to set web portal to match change to portal based implementation in MSS Version 4 0 Usage This command disables or reenables support for WebAAA However WebAAA has additional configuration requirements For information see the Configuring AAA for Network Users chapter in the Wireless LAN Switch and Controller Configuration Guide Examples To disable WebAAA type the following command WX4400 set web portal disable success change accepted set web portal 263 See Also Clear authentication proxy o
256. ceived by the radio UndcrptPkt Number of undecryptable packets received by the radio It is normal for this counter to increment even in stable networks and does not necessarily indicate an attack For example a client might be sending incorrect key information However if the counter increments rapidly there might be a problem in the network UndcrptByte Number of undecryptable bytes received by the radio See the description for UndcrptPkt PhyError Number of packets that could not be decoded by the MAP This condition can have any of the following causes Collision of an 802 11 packet Packet whose source is too far away thus rendering the packet unintelligible by the time it reaches the MAP a Interference caused by an 802 11b g phone or other source It is normal for this counter to be about 10 percent of the total RxByte count It is also normal for higher data rates to have higher Phy error counts than lower data rates 300 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also display sessions network on page 525 display ap dap qos stats Displays statistics for MAP forwarding queues Syntax display dap qos stats dap num Syntax display ap qos stats port list dap num Number of a Distributed MAP for which to display QoS Statistics counters port list List of ports connected to the MAP access point s for which to display QoS statistics counters Defaults None
257. ch to display neighboring BSSIDs dap num Number of a Distributed MAP for which to display neighboring BSSIDs radio 1 Shows neighbor information for radio 1 radio 2 Shows neighbor information for radio 2 This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage If a 3Com radio is supporting more than one SSID each of the corresponding BSSIDs is listed separately To display rogue information for the entire Mobility Domain use the display rfdetect mobility domain command on the seed switch Examples The following command displays the devices detected by 3Com radio 00 0b 0e 00 0a 6a WX1200 display rfdetect visible 00 0b 0e 00 0a 6a ap 3 radio 1 Total number of entries 104 Flags i infrastructure a ad hoc c CCMP t TKIP 1 104 bit WEP 4 40 bit WEP w WEP non WPA Transmit MAC Vendor Type Ch RSSI Flags SSID display rfdetect visible 553 0070750749 CCE Cisco intfr 6 60 i w r27 ciscol200 2 0020750052 der 78 Cisco intfr 6 82 i w r116 ciscol200 2 00 09 b7 7b 8a 54 Cisco intfr Qe ASDA eae 00 0a 5e 4b 4a c0 3Com antir 1i 59visss lt public 00 0a 5e 4b 4a c2 3Com intfr 11 86 i tl 3Comwlan 00 0a 5e 4b 4a c4 3Com intfr 11 85 ic 3com ccmp 00 0a 5e 4b 4a c6 3Com intfr 11 85 i t 3com tkip 00 0a 5e 4b 4a c8 3Com intfr 11 83 i w 3com voip 00 0a 5e 4b 4a ca 3Com intf
258. ckets received that were from 1024 through 1518 bytes long transmit etherstats Tx 64 Number of packets transmitted that were 64 bytes long Tx 127 Number of packets transmitted that were from 65 through 127 bytes long Tx 255 Number of packets transmitted that were from 128 through 255 bytes long Tx 511 Number of packets transmitted that were from 256 through 511 bytes long Tx 1023 Number of packets transmitted that were from 512 through 1023 bytes long Tx 1518 Number of packets transmitted that were from See Also 1024 through 1518 bytes long display port counters on page 69 reset port 81 reset port Resets a port by toggling its link state and Power over Ethernet PoE state Syntax reset port port list port list List of physical ports MSS resets all the specified ports Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The reset command disables the port s link and PoE if applicable for at least 1 second then reenables them This behavior is useful for forcing a MAP access point that is connected to two WX switches to reboot over the link to the other switch Examples The following command resets port 5 WX1200 reset port 5 See Also set port on page 83 set dap Configures a Distributed MAP for a MAP access point that is indirectly Vv WY connected to the WX switch through an intermediate Layer 2 or Layer 3 network Before configuring a Distribut
259. command deletes the MAC user group eastcoasters from the local database WX4400 clear mac usergroup eastcoasters success change accepted 214 CHAPTER 8 AAA COMMANDS See Also Clear mac usergroup attr on page 214 display aaa on page 219 set mac usergroup attr on page 254 clear mac usergroup attr Removes an authorization attribute from a MAC user group in the local database on the WX switch for a group of users who are authenticated by a MAC address To unconfigure an authorization attribute in RADIUS see the documentation for your RADIUS server Syntax clear mac usergroup group name attr attribute name group name Name of an existing MAC user group attribute name Name of an attribute used to authorize the MAC users in the user group for a particular service or session characteristic For a list of authorization attributes see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To remove the group itself use the clear mac usergroup command Examples The following command removes the members of the MAC user group eastcoasters from a VLAN assignment by deleting the VLAN Name attribute from the group WX4400 clear mac usergroup eastcoasters attr vlan name success change accepted See Also Clear mac usergroup on page 213 display aaa on page 219 set mac usergroup attr on page 254 clear mobility profile 215
260. commit the creation or deletion of a security ACL it is stored in an edit buffer and is not enforced After you commit a security ACL it is removed from the edit buffer A single commit security acl all command commits the creation and or deletion of whatever display security acl info all editbuffer shows to be currently stored in the edit buffer 450 CHAPTER 14 SECURITY ACL COMMANDS Examples The following commands commit all the security ACLs in the edit buffer to the configuration display a summary of the committed ACLs and show that the edit buffer has been cleared WX4400 commit security acl all configuration accepted WX4400 display security acl ACL table ACL Type Class Mapping acl 123 IP Static acl 124 IP Static WX4400 display security acl info all editbuffer acl editbuffer information for all See Also Clear security acl on page 446 a display security acl on page 450 a display security acl info on page 452 rollback security acl on page 458 set security acl on page 459 display security acl Displays a summary of security ACLs that are committed saved in the running configuration and nonvolatile storage or a summary of ACLs in the edit buffer Syntax display security acl editbuffer Defaults None Access Enabled History Introduced in MSS Version 3 0 display security acl hits 451 Examples To display a summary of the committed security ACLs on a WX s
261. configuration file WX4400 load config Reloading configuration may result in lost of connectivity do you wish to continue y n nly success Configuration reloaded The following command loads configuration file testconfig1 WX4400 load config testconfigl Reloading configuration may result in lost of connectivity do you wish to continue y n nly success Configuration reloaded See Also display boot on page 573 display config on page 574 save config on page 584 580 CHAPTER 20 FILE MANAGEMENT COMMANDS md5 Calculates the MD5 checksum for a file in the switch s nonvolatile storage Syntax md5 boot0 boot1 filename boot0 boot1 Boot partition into which you copied the file a filename Name of the file Defaults None Access Enabled History Introduced in MSS Version 4 0 Usage You must include the boot partition name in front of the filename If you specify only the filename the CLI displays a message stating that the file does not exist Examples The following command calculates the checksum for image file WX040003 020 in boot partition 0 pubs md5 boot0 MK040003 020 MD5 boot0 MX040003 020 b9c 7 527 74608e50c70e8 b896392a See Also copy on page 567 dir on page 570 mkdir Creates a new subdirectory in nonvolatile storage Syntax mkdir subdirname subdirname Subdirectory name Specify between 1 and 32 alphanumeric characters with no s
262. configuration file loaded during the most recent reboot In this example the filename used during the most recent reboot is configuration WX4400 save config Configuration saved to configuration The following command saves the running configuration to a file named testconfig1 WX4400 save config testconfigl Configuration saved to testconfigl See Also display boot on page 573 display config on page 574 load config on page 578 set boot backup configuration Specifies the name of a backup configuration file to be used in the event that MSS cannot read the WX switch s configuration file at boot time Syntax set boot backup configuration filename filename Name of the file to use as a backup configuration file if MSS cannot read the WX switch s configuration file Defaults By default there is no backup configuration file Access Enabled 586 CHAPTER 20 FILE MANAGEMENT COMMANDS History Introduced in MSS Version 4 1 Examples The following command specifies a file called backup cfg as the backup configuration file on the WX switch WX1200 set boot backup configuration backup cfg success backup boot config filename set See Also Clear boot backup configuration on page 566 display boot on page 573 set boot configuration file Changes the configuration file to load after rebooting Syntax set boot configuration file filename filename Filename Specify b
263. crypting multicast frames active multicast index Syntax set service profile name wep active multicast index num name Service profile name a num WEP key number You can enter a value from 1 through 4 Defaults If WEP encryption is enabled and WEP keys are defined MAP radios use WEP key 1 to encrypt multicast frames by default Access Enabled History Introduced in MSS Version 3 0 Usage Before using this command you must configure values for the WEP keys you plan to use Use the set service profile wep key index command Examples The following command configures service profile so2 to use WEP key 2 for encrypting multicast traffic WX4400 set service profile sp2 wep active multicast index 2 success change accepted set service profile wep active unicast index 389 See Also set service profile wep active unicast index on page 389 set service profile wep key index on page 390 set service profile wep active unicast index Specifies the static Wired Equivalent Privacy WEP key one of four to use for encrypting unicast frames Syntax set service profile name wep active unicast index num name Service profile name a num WEP key number You can enter a value from 1 through 4 Defaults If WEP encryption is enabled and WEP keys are defined MAP radios use WEP key 1 to encrypt unicast frames by default Access Enabled History Introduced in MSS V
264. cted MAP access points in watts See Also Clear system on page 40 set system contact on page 55 set system countrycode on page 56 set system idle timeout on page 58 set system location on page 59 set system name on page 60 help WX4400 help Commands clear commit copy Displays a list of commands that can be used to configure and monitor the WX switch Syntax help Defaults None Access All History Introduced in MSS Version 3 0 Examples Use this command to see a list of available commands If you have restricted access you see fewer commands than if you have enabled access To show a list of CLI commands available at the enabled access level type the following command at the enabled access level Clear use clear help for more information Commit the content of the ACL table Copy from filename or url to filename or url crypto delete dir disable display exit help history hit sample rate load history 47 Crypto use crypto help for more information Delete url Show list of files on flash device Disable privileged mode Display use display help for more information Exit from the Admin session Show this help screen Show contents of history substitution buffer Set NP hit counter sample rate Load use load help for more information logout Exit from the Admin session monitor onitor use monitor help for more informa
265. ctive boot profile type the following command at the boot prompt boot gt display BOOT Index 0 BOOT TYPE DEVICE boot1 FILENAME default FLAGS 00000000 OPTIONS run nos boot 0 Table 112 describes the fields in the display Table 112 Output of display command Field Description BOOT Index Boot profile slot which can be a number from 0 to 3 BOOT TYPE Boot type a c Compact flash Boots using nonvolatile storage or a flash card a n Network Boots using a TFTP server 630 CHAPTER 24 BOOT PROMPT COMMANDS Table 112 Output of display command continued Field Description DEVICE Location of the system image file a c Nonvolatile storage area containing boot partition O a d Nonvolatile storage area containing boot partition 1 e Primary partition of the flash card in the flash card slot a f Secondary partition of the flash card in the flash card slot a boot0 boot partition 0 a boot1 boot partition 1 FILENAME System image file name FLAGS Number representing the bit settings of boot flags to pass to the booted system image OPTIONS String up to 128 bytes of boot options to pass to the booted system image See Also change on page 623 create on page 624 delete on page 625 next on page 633 fver Displays the version of a system image file installed in a specific location on a WX switch Syntax fver c d e
266. cument title a Document part number and revision on the title page a Page number if appropriate Example a Wireless LAN Switch and Controller Configuration Guide a Part number 730 9502 0071 Revision B a Page 25 22 ABOUT THIS GUIDE 3Com product documentation at this e mail address Questions related to Technical Support or sales should be directed in the first instance to your network supplier i gt Please note that we can only respond to comments and questions about Overview USING THE COMMAND LINE INTERFACE This chapter discusses the 3Com Wireless Switch Manager 3WXM command line interface CLI Described are a CLI conventions see CLI Conventions on page 24 Editing on the command line see Command Line Editing on page 29 Using the CLI help feature see Using CLI Help on page 31 a Information about the command descriptions in this reference see Understanding Command Descriptions on page 32 Mobility System Software MSS operates a 3Com Mobility System wireless LAN WLAN consisting of 3Com Wireless Switch Manager 3WXM software and 3Com Wireless LAN Switch or 3Com Wireless LAN Controller WX switch and 3Com Wireless LAN Managed Access Point MAP hardware There is a command line interface CLI on the WX switch that you can use to configure and manage the WX and its attached access points You configure the wireless LAN switches and access points primarily with set cle
267. d See Also set service profile cipher ccmp on page 377 a set service profile cipher tkip on page 378 set service profile cipher wep104 on page 379 set service profile wep key index on page 390 set service profile wpa ie on page 391 set service profile psk phrase Configures a passphrase for preshared key PSK authentication to use for authenticating WPA clients in a service profile Radios use the PSK as a pairwise master key PMK to derive unique pairwise session keys for individual WPA clients Syntax set service profile name psk phrase passphrase name Service profile name passphrase An ASCII string from 8 to 63 characters long The string can contain blanks if you use quotation marks at the beginning and end of the string Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage MSS converts the passphrase into a 256 bit binary number for system use and a raw hexadecimal key to store in the WX switch s configuration Neither the binary number nor the passphrase itself is ever displayed in the configuration To use PSK authentication you must enable it and you also must enable the WPA IE 382 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command configures service profile so3 to use passphrase 1234567890123 lt gt amp The quick brown fox jumps over the lazy sl WX4400 set service profile sp3 psk phrase 12345678901
268. d Controller Configuration Guide 486 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS clear radius Resets parameters that were globally configured for RADIUS servers to their default values Syntax clear radius deadtime key retransmit timeout deadtime Number of minutes to wait after declaring an unresponsive RADIUS server unavailable before retrying the RADIUS server key Password shared secret key used to authenticate to the RADIUS server retransmit Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable timeout Number of seconds to wait for the RADIUS server to respond before retransmitting Defaults Global RADIUS parameters have the following default values deadtime 0 zero minutes The WX switch does not designate unresponsive RADIUS servers as unavailable key No key a retransmit 3 the total number of attempts including the first attempt timeout 5 seconds Access Enabled History Introduced in MSS Version 3 0 Usage To override the globally set values on a particular RADIUS server use the set radius server command Examples To reset all global RADIUS parameters to their factory defaults type the following commands WX4400 clear radius deadtime success change accepted WX4400 clear radius key success change accepted WX4400 clear radius retransmit success change accepted
269. d list ssid name ssid name SSID name you want to add to the permitted SSID list set rfdetect vendor list 561 Defaults The permitted SSID list is empty by default and all SSIDs are allowed However after you add an entry to the list MSS allows traffic only for the SSIDs that are on the list Access Enabled History Introduced in MSS Version 4 0 Usage The permitted SSID list applies only to the WX switch on which the list is configured WX switches do not share permitted SSID lists If you add a device that MSS has classified as a rogue to the permitted SSID list but not to the ignore list MSS can still classify the device as a rogue Adding an entry to the permitted SSID list merely indicates that the device is using an allowed SSID However to cause MSS to stop classifying the device as a rogue you must add the device s MAC address to the ignore list Examples The following command adds SSID mycorp to the list of permitted SSIDs WX1200 set rfdetect ssid list mycorp success ssid mycorp is now in ssid list See Also Clear rfdetect ssid list on page 536 display rfdetect ssid list on page 550 set rfdetect vendor list Adds an entry to the permitted vendor list The permitted vendor list specifies the third party AP or client vendors that are allowed on the network MSS does not list a device as a rogue or interfering device if the device s OUI is in the permitted vendor list Syntax
270. d the most recent update from an NTP server NTP Server IP address of the NTP server display snmp community 151 Table 39 Output for display ntp continued Field Description Peer state State of the NTP session from the point of view of the NTP server CORRECT a REJECT SELCAND SYNCCAND SYSPEER Local state State of the NTP session from the point of view of the WX switch s NTP client a INITED START a SYNCED See Also Clear ntp server on page 131 Clear summertime on page 135 Clear timezone on page 136 display timezone on page 155 set ntp on page 173 set ntp server on page 174 set summertime on page 191 set timezone on page 194 display snmp Displays the configured SNMP community strings community Syntax display snmp community Defaults None Access Enabled History Introduced in MSS Version 4 0 152 CHAPTER 7 IP SERVICES COMMANDS See Also Clear snmp community on page 133 set snmp community on page 175 display snmp counters Displays SNMP statistics counters Syntax display snmp counters Defaults None Access Enabled History Introduced in MSS Version 4 0 display snmp notify profile Displays SNMP notification profiles Syntax display snmp notify profile Defaults None Access Enabled History Introduced in MSS Version 4 0 See Also Clear snmp notify profile on p
271. d too frequently through any bridge port hold timer value Current value of the hold timer in seconds delay root port timer Status of the delay root port timer which enables fast convergence when uplink fast convergence is enabled delay root port timer value Current value of the delay root port timer delay root port timer restarted is Whether the delay root port timer has been restarted spanning tree type Type of spanning tree The type is always IEEE spanning tree multicast address Destination address used to send out configured BPDUs on a bridge port bridge priority STP priority of this WX switch bridge MAC address MAC address of this WX switch bridge hello time Value of the hello timer interval in seconds when this WX switch is the root or is attempting to become the root bridge forward delay Value of the forwarding delay interval in seconds when this WX switch is the root or is attempting to become the root topology change Port number that initiated the most recent topology initiator change last topology change System time when the most recent topology change occurred occurred topology change Value of the topology change flag in configuration BPDUs to be transmitted by this WX switch on VLANs for which the switch is the designated bridge topology change time Time period in seconds during which BPDUs are transmi
272. d tt name tty2 d WX1200 See Also Clear sessions on page 519 display sessions on page 522 traceroute 197 traceroute Traces the route to an IP host Syntax traceroute host dnf no dns port port num queries num size size ttl hops wait ms host IP address hostname or alias of the destination host Specify the IP address in dotted decimal notation dnf Sets the Do Not Fragment bit in the ping packet to prevent the packet from being fragmented no dns Prevents MSS from performing a DNS lookup for each hop to the destination host port port num TCP port number listening for the traceroute probes queries num Number of probes per hop size size Probe packet size in bytes You can specify from 40 through 1 460 ttl hops Maximum number of hops which can be from 1 through 255 wait ms Probe wait in milliseconds You can specify from 1 through 100 000 Defaults dnf Disabled no dns Disabled port 33434 queries 3 size 38 tth 30 wait 5000 Access All History Introduced in MSS Version 3 0 Usage To stop a traceroute command that is in progress press Ctrl C 198 CHAPTER 7 IP SERVICES COMMANDS Examples The following example traces the route to host server1 WX4400 traceroute serverl tracerout to serverl example com 192 168 22 7 30 hops max 38 byte packets 1 engineering l example c
273. detect log 559 set rfdetect signature 560 set rfdetect ssid list 560 set rfdetect vendor list 561 FILE MANAGEMENT COMMANDS Commands by Usage 563 backup 564 clear boot backup configuration 566 clear boot config 566 copy 567 delete 569 dir 570 display boot 573 display config 574 display version 576 load config 578 md5 580 mkdir 580 reset system 582 restore 583 rmdir 584 save config 584 21 22 23 set boot backup configuration 585 set boot configuration file 586 set boot partition 587 TRACE COMMANDS Commands by Usage 589 clear log trace 590 clear trace 590 display trace 591 save trace 592 set trace authentication 592 set trace authorization 593 set trace dot1x 594 set tracesm 595 SNOOP COMMANDS Commands by Usage 597 clear snoop 598 clear snoop map 598 set snoop 599 setsnoop map 602 set snoop mode 603 display snoop 604 display snoop info 604 display snoop map 605 display snoop stats 606 SYSTEM LOG COMMANDS Commands by Usage 609 clear log 609 display log buffer 610 display log config 612 display log trace 613 setlog 614 set log mark 616 24 BooT PROMPT COMMANDS Boot Prompt Commands by Usage 619 autoboot 620 boot 621 change 623 create 624 delete 625 dhcp 626 diag 627 dir 627 display 628 fver 630 help 631 Is 632 next 633 reset 634 test 635 version 636 OBTAINING SUPPORT FOR YOUR PRODUCT Register Your Product 637 Purchase Va
274. dress of the Mobility Domain member in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the current WX switch as a nonseed member of the Mobility Domain whose seed has the IP address 192 168 1 8 WX4400 set mobility domain mode member seed ip 192 168 1 8 mode is member seed IP is 192 168 1 8 See Also Clear mobility domain on page 266 display mobility domain config on page 267 set mobility domain mode seed domain name 271 set mobility domain mode seed domain name Creates a Mobility Domain by setting the current WX switch as the seed device and naming the Mobility Domain Syntax set mobility domain mode seed domain name mob domain name mob domain name Name of the Mobility Domain Specify between 1 and 16 characters with no spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Before you use this command the current WX switch must have its IP address set with the set system ip address command After you enter this command all Mobility Domain traffic is sent and received from the specified IP address You must explicitly configure only one WX switch per domain as the seed All other WX switches in the domain receive their Mobility Domain information from the seed Examples The following command creates a Mobility Domain named Pleasanton with t
275. dress used in unsolicited communications such as AAA accounting reports and SNMP traps Examples The following command configures IP interface 10 10 10 10 24 on VLAN default WX1200 set interface default ip 10 10 10 10 24 SUCCESS set ip address 10 10 10 10 netmask 255 255 255 0 on vlan default The following command configures IP interface 10 10 20 10 255 255 255 0 on VLAN mauve WX1200 set interface mauve ip 10 10 20 10 255 255 255 0 SUCCESS set ip address 10 10 20 10 netmask 255 255 255 0 on vlan mauve set interface dhcp client 161 See Also a Clear interface on page 127 display interface on page 142 set interface dhcp client on page 161 set interface dhcp client Configures the DHCP client on a VLAN to allow the VLAN to obtain its IP interface from a DHCP server Syntax set interface vlan id ip dhcp client enable disable Vlan id VLAN name or number enable Enables the DHCP client on the VLAN disable Disables the DHCP client on the VLAN Defaults The DHCP client is enabled by default on an unconfigured WXR100 when the factory reset switch is pressed and held during power on The DHCP client is disabled by default on all other switch models and is disabled on a WXR100 if the switch is already configured or the factory reset switch is not pressed and held during power on Access Enabled History Introduced in MSS Version 4 0 Usage You can enable th
276. ds Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to reset the 802 1X quiet period to the default WX4400 clear dotlx quiet period success change accepted See Also display dot1x on page 505 set dot1x quiet period on page 513 clear dot1x reauth max 503 clear dot1x reauth max Resets the maximum number of reauthorization attempts to the default setting Syntax clear dotlx reauth max Defaults The default is 2 attempts Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to reset the maximum number of reauthorization attempts to the default WX4400 clear dotlx reauth max success change accepted See Also display dot1x on page 505 set dot1x reauth max on page 514 clear dot1x reauth period Resets the time period that must elapse before a reauthentication attempt to the default time period Syntax clear dotlx reauth period Defaults The default is 3600 seconds 1 hour Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to reset the default reauthentication time period WX4400 clear dotlx reauth period success change accepted See Also display dot1x on page 505 set dot1x reauth period on page 515 504 CHAPTER 17 802 1X MANAGEMENT COMMANDS clear dot1x timeout auth server Resets to the default sett
277. ds a permanent entry A permanent entry does not age out and remains in the database even after a reboot reset or power cycle a static Adds a static entry A static entry does not age out but is removed from the database after a reboot reset or power cycle mac addr Destination MAC address of the entry Use colons to separate the octets for example 00 11 22 aa bb cc a port port list List of physical destination ports for which to add the entry A separate entry is added for each port you specify vlan vlan id Name or number of a VLAN of which the port is a member The entry is added only for the specified VLAN tag tag value VLAN tag value that identifies a virtual port You can specify a number from 1 through 4095 If you do not specify a tag value an entry is created for an untagged interface only If you specify a tag value an entry is created only for the specified tagged interface Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You cannot add a multicast or broadcast address as a permanent or static FDB entry Examples The following command adds a permanent entry for MAC address 00 11 22 aa bb cc on ports 3 and 5 in VLAN blue WX1200 set fdb perm 00 11 22 aa bb cc port 3 5 vlan blue success change accepted The following command adds a static entry for MAC address 00 2b 3c 4d 5e 6f on port 1 in the default VLAN WX4400 set fdb static 00
278. ds to manage system files and to display software and boot information Commands by Usage This chapter presents file management commands alphabetically Use Table 102 to locate commands in this chapter based on their use Table 102 File Management Commands by Usage Type Command Software Version reset system on page 582 display version on page 576 Boot Settings set boot partition on page 587 set boot configuration file on page 586 set boot backup configuration on page 585 display boot on page 573 clear boot config on page 566 clear boot backup configuration on page 566 File Management dir on page 570 copy on page 567 md5 on page 580 delete on page 569 mkdir on page 580 rmdir on page 584 Configuration File save config on page 584 load config on page 578 display config on page 574 564 CHAPTER 20 FILE MANAGEMENT COMMANDS Table 102 File Management Commands by Usage continued Type Command System Backup backup on page 564 and Restore restore on page 583 backup Creates an archive of WX system files and optionally user file in Unix tape archive tar format Syntax backup system tftp ip addr filename all critical Defaults All Access Enabled History Usage You can create an archive located on a TFTP server or in the switch s nonvolatile storage If you specify a TFTP server as part of th
279. e for authenticating the WX switch to 3WXM or Web Manager eap Unpacks a PKCS 12 object file for an EAP certificate and key pair and optionally the certificate authority s own certificate for authenticating the WX switch to 802 1X supplicants clients web Unpacks a PKCS 12 object file for a WebAAA certificate and key pair and optionally the certificate authority s own certificate for authenticating the WX switch to WebAAA clients file location ur1 Location of the PKCS 12 object file to be installed Specify a location of between 1 and 128 alphanumeric characters with no spaces 480 CHAPTER 15 CRYPTOGRAPHY COMMANDS Defaults The password you enter with the crypto otp command must be the same as the one protecting the PKCS 12 file Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage To use this command you must have already created a one time password with the crypto otp command You must also have the PKCS 12 object file available You can download a PKCS 12 object file via TFTP from a remote location to the local nonvolatile storage system on the WX switch Examples The following commands copy a PKCS 12 object file for an EAP certificate and key pair and optionally the certificate authority s own certificate from a TFTP server to nonvolatile storage on the WX switch create the one time password ha
280. e Displays statistics about the resources used by security ACL filtering on the WX switch Syntax display security acl resource usage Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Use this command with the help of 3Com to diagnose an ACL resource problem To obtain 3Com Technical Support see Obtaining Support for your Product on page 637 display security acl resource usage 455 Examples To display security ACL resource usage type the following command WX4400 display security acl resource usage ACL resources Number of rules Number of leaf nodes Stored rule count Leaf chain count Longest leaf chain Number of non leaf nodes Uncompressed Rule Count aximum node depth Sub chain count max 512 max 9728 max 151 max 12096 PSCBs in primary memory PSCBs in secondary memory Leaves in primary ONDGWGOOFRFNONEFN E NHN Leaves in secondary Sum node depth Hae Information on Network Processor status Fragmentation control 25610 UC switchdest a 30 ACL resources Port number 23410 Number of action types z2 LUdef in use ie Default action pointer c8007dc L4 global True No rules False Non IP rules False Root in first True Static default action False No per user MAC mapping True Out mapping False In mapping True No VLAN or PORT mapping False No VPORT mapping True Table 81 explains the fields in the disp
281. e The following command limits the output to the contents of the booto partition WX4400 dir boot0 file Filename Size Created boot0 mx040100 020 9780 KB Aug 23 2005 15 54 08 Total 9780 Kbytes used 207663 Kbytes free Table 104 describes the fields in the dir output display boot 573 Table 104 Output for dir Field Description Filename Filename or subdirectory name For files the directory name is shown in front of the filename for example file configuration The file directory is the root directory For subdirectories a forward slash is shown at the end of the subdirectory name for example old In the boot partitions list Boot an asterisk indicates the boot partition from which the currently running image was loaded and the mage filename Size Size in Kbytes or bytes S Created System time and date when the file was created or copied onto the switch Total Number of kilobytes in use to store files and the number that are still free See Also copy on page 567 delete on page 569 display boot Displays the system image and configuration filenames used after the last reboot and configured for use after the next reboot Syntax display boot Defaults None Access Access History Introduced in MSS Version 3 0 New fields Configured boot version and Backup boot configuration added in MSS Version 4 0 Examples The following command shows th
282. e filename the archive is copied directly to the TFTP server and not stored locally on the switch Use the critical option if you want to back up or restore only the system critical files required to operate and communicate with the switch Use the all option if you also want to back up or restore WebAAA pages backup configuration files image files and any other files stored in the user files area of nonvolatile storage The maximum supported file size is 32 MB If the file size of the tarball is too large delete unnecessary files such as unneeded copies of system image files and try again or use the critical option instead of the all option Neither option archives image files or any other files listed in the Boot section of dir command output The all option archives image files only if they are present in the user files area Archive files created by the all option are larger than files created by the critical option The file size depends on the files in the user area and the file can be quite large if the user area contains image files backup 565 The backup command places the boot configuration file into the archive The boot configuration file is the Configured boot configuration in the display boot command s output If the running configuration contains changes that have not been saved these changes are not in the boot configuration file and are not archived To make sure the archive contains the configuration that is cu
283. e port types to the list of multicast ports based on multicast traffic Examples The following command adds port 6 as a static multicast router port WX1200 set igmp mrouter port 6 enable success change accepted The following command removes port 6 from the static multicast router port list WX1200 set igmp mrouter port 6 disable success change accepted See Also display igmp statistics on page 431 436 CHAPTER 13 IGMP SNOOPING COMMANDS set igmp mrsol Enables or disables multicast router solicitation by a WX Syntax set igmp mrsol enable disable vlan vlan id enable Enables multicast router solicitation disable Disables multicast router solicitation vlan vlan id VLAN name or number If you do not specify a VLAN multicast router solicitation is disabled or enabled on all VLANs Defaults Multicast router solicitation is disabled on all VLANs by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command enables multicast router solicitation on VLAN orange WX1200 set igmp mrsol enable vlan orange success change accepted See Also set igmp mrsol mrsi on page 436 set igmp mrsol mrsi Changes the interval between multicast router solicitations by a WX on one VLAN or all VLANs Syntax set igmp mrsol mrsi seconds vlan vlan id a seconds Number of seconds between multicast router solicitations You can sp
284. e 229 set authentication dot1x on page 233 set authentication last resort on page 236 set authentication dotix 233 set authentication mac on page 239 set authentication web on page 242 set authentication dot1x Configures authentication and defines how and where it is performed for specified wireless or wired authentication clients who use an IEEE 802 1X authentication protocol to access the network through the WX switch Syntax set authentication dotlx ssid ssid name wired user glob bonded protocol method1 method2 method3 method4 ssid ssid name SSID name to which this authentication rule applies To apply the rule to all SSIDs type any wired Applies this authentication rule specifically to users connected to a wired authentication port user glob A single user or a set of users with 802 1X network access Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 bonded Enables Bonded Auth bonded authentication When this feature is enabled MSS authenticates the user only if the machine the user is on has already been authenticated protocol Protocol used for authentication Specify one of the following
285. e 3 4 or 5 Video Packets are queued in MAP forwarding queue 2 Use CoS level 4 or 5 for voice over IP VoIP packets other than SpectraLink Voice Priority SVP a 6 or 7 Voice Packets are queued in MAP forwarding queue 1 In MSS Version 3 0 use 6 or 7 only for VoIP phones that use SVP not for other types of traffic deny Blocks traffic that matches the conditions in the ACE protocol IP protocol by which to filter packets ip tcp udp icmp A protocol number between 0 and 255 For a complete list of IP protocol names and numbers see www iana org assignments protocol numbers source ip addr mask IP address and wildcard mask of the network or host from which the packet is being sent Specify both address and mask in dotted decimal notation For more information see Wildcard Masks on page 26 operator port port2 Operand and port number s for matching TCP or UDP packets to the number of the source or destination port on source ip addr or destination ip addr Specify one of the following operands and the associated port a eq Packets are filtered for only port number a gt Packets are filtered for all ports that are greater than port number a 1t Packets are filtered for all ports that are less than port number neq Packets are filtered for all ports except port number a range Packets are filtered for ports in the range between port and port2 T
286. e 383 set service profile shared key auth 384 set service profile ssid name 384 set service profile ssid type 385 set service profile tkip mc time 386 set service profile web portal form 387 set service profile wep active multicast index 388 set service profile wep active unicast index 389 set service profile wep key index 390 set service profile wpa ie 391 STP COMMANDS STP Commands by Usage 393 clear spantree portcost 394 clear spantree portpri 395 clear spantree portvlancost 395 clear spantree portvlanpri 396 clear spantree statistics 397 display spantree 398 display spantree backbonefast 400 display spantree blockedports 401 display spantree portfast 402 display spantree portvlancost 403 display spantree statistics 403 display spantree uplinkfast 409 set spantree 410 set spantree backbonefast 411 set spantree fwddelay 412 set spantree hello 412 set spantree maxage 413 set spantree portcost 414 set spantree portfast 415 set spantree portpri 416 set spantree portvlancost 417 set spantree portvlanpri 418 set spantree priority 419 set spantree uplinkfast 419 13 14 IGMP SNOOPING COMMANDS Commands by usage 421 clear igmp statistics 422 display igmp 422 display igmp mrouter 426 display igmp querier 427 display igmp receiver table 429 display igmp statistics 431 setigmp 433 set igmp Imqi 434 set igmp mrouter 435 set igmp mrsol 436 set igmp mrsol mrsi 436 setigmp oqi 437 set igmp prox
287. e 83 set port name on page 86 set port negotiation on page 86 set port speed on page 89 set port type ap on page 91 set port type wired auth on page 94 display port media type Displays the enabled interface types on a WX4400 switch s gigabit Ethernet ports See Also display port media type port list a port list List of physical ports MSS displays the enabled interface types for all the specified ports Defaults None Access All History Introduced in MSS Version 4 0 Usage This command applies only to the WX4400 Examples The following command displays the enabled interface types on all four ports of a WX4400 switch WX4400 display port media type Port Media Type 76 CHAPTER 4 PORT COMMANDS GBIC RJ45 GBIC GBIC A UNBE Table describes the fields in this display Table 15 Output for display port media type Field Description Port Port number Preference Preference setting GBIC The GBIC fiber interface is enabled RJ45 The RJ 45 copper interface is enabled See Also Clear port media type on page 66 set port media type on page 85 monitor port counters Displays and continually updates port statistics Syntax monitor port counters octets packets receive errors transmit errors collisions receive etherstats transmit etherstats octets Displays octet statistics first packets Displays pac
288. e DHCP client on one VLAN only You can configure the DHCP client on more than one VLAN but the client can be active on only one VLAN MSS also has a configurable DHCP server See set interface dhcp server on page 162 You can configure a DHCP client and DHCP server on the same VLAN but only the client or the server can be enabled The DHCP client and DHCP server cannot both be enabled on the same VLAN at the same time Examples The following command enables the DHCP client on VLAN corpvlan WX1200 set interface corpvlan ip dhcp client enable success change accepted 162 CHAPTER 7 IP SERVICES COMMANDS See Also Clear interface on page 127 display dhcp client on page 138 display interface on page 142 set interface dhcp server Configures the MSS DHCP server Use of the MSS DHCP server to allocate client addresses is intended for temporary demonstration deployments and not for production networks 3Com recommends that you do not use the MSS DHCP server to allocate client addresses in a production network Syntax set interface vlan id ip dhcp server enable disable start ip addril stop ip addr2 vlan id VLAN name or number enable Enables the DHCP server disable Disables the DHCP server a start ip addr1 Specifies the beginning address of the address range also called the address pooh stop ip addr2 Specifies the ending address of the address range Defaults
289. e Scan yes default clear Table 63 describes the fields in this display Table 63 Output for display radio profile Field Description Beacon Interval Rate in milliseconds at which each MAP radio in the profile advertises the beaconed SSID DTIM Interval Number of times after every beacon that each MAP radio in the radio profile sends a delivery traffic indication map DTIM Max Tx Lifetime Number of milliseconds that a frame received by a radio in the radio profile can remain in buffer memory Max Rx Lifetime Number of milliseconds that a frame scheduled to be transmitted by a radio in the radio profile can remain in buffer memory RTS Threshold Minimum length in bytes a frame can be for a radio in the radio profile to use the RTS CTS method to send the frame The RTS CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame Frag Threshold Maximum length in bytes a frame is allowed to be without being fragmented into multiple frames before transmission by a radio in the radio profile Short Retry Limit Number of times a radio in the radio profile can send a short unicast frame without receiving an acknowledgment display radio profile 319 Table 63 Output for display radio profile continued Field Description Long Retry Limit Number of times a radio in the radio profile can send a long unicast fram
290. e VLAN s you add the port to 802 1X No authorization Port groups None Internet Group Management Enabled as port is added to VLANs Protocol IGMP snooping Access point and radio Not applicable parameters Maximum user sessions Not applicable display port counters 69 Examples The following command clears port 5 WX1200 clear port type 5 This may disrupt currently authenticated users Are you sure y n nly success change accepted See Also set port type ap on page 91 set port type wired auth on page 94 display port counters Displays port statistics Syntax display port counters octets packets receive errors transmit errors collisions receive etherstats transmit etherstats port port list octets Shows octet statistics a packets Shows packet statistics a receive errors Shows errors in received packets a transmit errors Shows errors in transmitted packets collisions Shows collision statistics receive etherstats Shows Ethernet statistics for received packets transmit etherstats Shows Ethernet statistics for transmitted packets port port list List of physical ports If you do not specify a port list MSS shows statistics for all ports Defaults None Access All History Introduced in MSS Version 3 0 Usage You can specify one statistic type with the command 70 CHAPTER 4 PORT COM
291. e boot information for a WX switch WX1200 display boot Configured boot version 4 1 0 65 Configured boot image boot1 mx040100 020 Configured boot configuration file configuration Backup boot configuration file backup cfg Booted version 4 1 0 65 Booted image boot1 mx040100 020 574 CHAPTER 20 FILE MANAGEMENT COMMANDS Booted configuration file configuration Product model WX Table 105 describes the fields in the display boot output Table 105 Output for display boot Field Description Configured boot Software version the switch will run next time the software is version rebooted Configured boot Boot partition and image filename MSS will use to boot next image time the software is rebooted Configured boot Configuration filename MSS will use to boot next time the configuration software is rebooted Backup boot The name of the configuration file to be used in the event configuration that MSS cannot read the configured boot configuration file next time the software is rebooted Booted version Software version the switch is running Booted image Boot partition and image filename MSS used the last time the software was rebooted MSS is running this software image Booted configuration Configuration filename MSS used to load the configuration the last time the software was rebooted See Also a display version on page 576 reset system on page 582 set boot configuration file on page 586
292. e current MSS version mobility profile network access mode only Mobility Profile attribute Name of an existing Mobility Profile for the user For more information see set mobility profile on page 255 which can be up to 32 alphanumeric characters with no tabs or spaces If the Mobility Profile feature is enabled and a user is assigned the name of a Mobility Profile that does not exist on the WX switch the user is denied access set mac user attr 251 Table 44 Authentication Attributes for Local Users continued service type Type of access the user is requesting One of the following numbers 2 Framed for network user access 6 Ad ministrative for administrative access to the WX switch with authorization to access the enabled configuration mode The user must enter the enable command to access the enabled mode 7 NAS Prompt for administrative access to the nonenabled mode only In this mode the enable command is not available and the user cannot log in to the enabled mode For administrative sessions the WX switch will send 7 NAS Prompt unless the service type attribute has been configured for the user The RADIUS server can reply with one of the values listed above If the service type is not set on the RADIUS server administrative users receive NAS Prompt access and network users receive Framed access session timeout network access mode only Maximum num
293. e dynamic WEP for non WPA clients enable the WPA IE if not already enabled and disable the 40 bit WEP and 104 bit WEP cipher suites in the WPA IE if they are not already disabled To use 802 1X authentication for WPA clients you also must enable the WPA IE If you disable 802 1X authentication of WPA clients the only method available for authenticating the clients is preshared key PSK authentication To use this you must enable PSK support and configure a passphrase or key Examples The following command disables 802 1X authentication for WPA clients that use service profile wpa_clients Wx4400 set service profile wpa_clients auth dotlx disable success change accepted 374 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also display service profile on page 321 set service profile auth psk on page 375 set service profile psk phrase on page 381 set service profile wpa ie on page 391 set service profile auth fallthru Specifies the authentication type for users who do not match an 802 1X or MAC authentication rule for an SSID managed by the service profile When a user tries to associate with an SSID MSS checks the authentication rules for that SSID for a userglob that matches the username If the SSID does not have an authentication rule that matches the username authentication for the user falls through to the fallthru method The fallthru method is a service profile parameter and applies to all radios
294. e in slot 1 on a WX switch that currently has only one boot profile in slot 0 boot gt create BOOT Index 1 BOOT TYPE Cc DEVICE pooti FILENAME default FLAGS 00000000 OPTIONS run nos boot 0 See Also change on page 623 delete on page 625 display on page 628 next on page 633 delete Removes the currently active boot profile For information about boot profiles see display on page 628 Syntax delete Defaults None Access Boot prompt History Introduced in MSS Version 3 0 626 CHAPTER 24 BOOT PROMPT COMMANDS Usage When you type the delete command the next lower numbered boot profile becomes the active profile For example if the currently active profile is number 3 profile number 2 becomes active after you type delete to delete profile 3 You cannot delete boot profile Examples To remove the currently active boot profile type the following command boot gt delete BOOT Index T BOOT TYPE g DEVICE boot1 FILENAME default FLAGS 00000000 OPTIONS run nos boot 0 See Also change on page 623 create on page 624 display on page 628 next on page 633 dhcp Displays or changes the state of the DHCP option The DHCP option controls whether a WX switch uses DCHP to obtain its IP address when it is booted using a TFTP server Syntax dhcp ON on OFF off on
295. e information If you do not specify a level level 5 is the default Defaults The default trace level is 5 Access Enabled History Introduced in MSS Version 3 0 set trace authorization 593 Examples The following command starts a trace for information about user jose s authentication WX4400 set trace authentication user jose success change accepted See Also Clear trace on page 590 display trace on page 591 set trace authorization Traces authorization information Syntax set trace authorization mac addr mac address port port num user username level level mac addr mac address Traces a MAC address Specify a MAC address using colons to separate the octets for example 00 11 22 aa bb cc port port num Traces on a WX a port number user username Traces a user Specify a username of up to 80 alphanumeric characters with no spaces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most information Levels 1 through 5 provide user readable information If you do not specify a level level 5 is the default Defaults The default trace level is 5 Access Enabled History Introduced in MSS Version 3 0 Examples The following command starts a trace for information for authorization for MAC address 00 01 02 03 04 05 WX4400 set trace a
296. e network plan does not have a configuration with a matching model and serial number a verification warning appears in 3WXM The warning lists the switch s serial number and IP address The network administrator can upload the switch into the network plan configure switch parameters and deploy the configuration to the switch To use the auto config option with a new unconfigured WXR100 insert a paperclip or similar object into the WXR100 s factory reset hole to press the switch The factory reset switch must be held for about 3 seconds while the factory reset LED the right LED above port 1 is lit Normally this LED remains solidly lit for 3 seconds after power on However when the factory reset switch is pressed the LED flashes for 3 seconds instead If you want another WX switch model to be able to access a 3WXM server for a configuration you also must preconfigure the WX with the following information a IP address Gateway address Domain name and DNS server address You can enable the switch to use the MSS DHCP client to obtain this information from a DHCP server in the local network where the switch will be deployed Alternatively you can statically configure the information The IP address and DNS information are configured independently You can configure the combination of settings that work with the network resources available at the deployment site The following examples show some of the combinations you can confi
297. e on page 334 set ap dap radio channel on page 339 set ap dap radio radio profile on page 343 set ap dap radio tx power on page 344 294 CHAPTER 11 MANAGED ACCESS POINT COMMANDS display ap dap counters Displays MAP access point and radio statistics counters Syntax display ap counters port list radio 1 2 Syntax display dap counters dap num radio 1 2 port list List of ports connected to the MAP access point s for which to display statistics counters dap num Number of a Distributed MAP for which to display Statistics counters radio 1 Shows statistics counters for radio 1 a radio 2 Shows statistics counters for radio 2 This option does not apply to single radio models Defaults None Access All History Introduced in MSS Version 3 0 New fields added in MSS Version 4 0 Radio Recv Phy Err Ct Transmit Retries Radio Adjusted Tx Pwr Noise Floor 802 3 Packet Tx Ct 803 3 Packet Rx Ct a No Receive Descriptor Usage To display statistics counters and other information for individual user sessions use the display sessions network command Examples The following command shows statistics counters for Distributed MAP 7 display ap dap counters WX120 display dap counters 7 Port 6 radio 1 LastPktXferRate 2 PktTxCount 91594255 NumCntInPwrSave 4294966683MultiPkt
298. e power config on page 353 set radio profile auto tune power interval on page 354 set fap dap radio auto tune max retransmissions 337 set ap dap radio auto tune max retransmissions Sets the maximum percentage of client retransmissions a radio can experience before RF Auto Tuning considers changing the channel on the radio A high percentage of retransmissions is a symptom of interference on the channel Syntax set ap port list dap dap num auto radio 1 2 auto tune max retransmissions retransmissions ap port list List of ports connected to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel dap auto Sets the maximum retransmissions for radios configured by the MAP configuration profile See set dap auto on page 325 radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models a retransmissions Percentage of packets that can result in retransmissions without resulting in a channel change You can specify from 1 to 100 Defaults The default is 10 percent Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage A retransmission is a packet sent from a client to a MAP radio that the radio receives more than once This can occur when the client does not receive
299. e without receiving an acknowledgment A long unicast frame is a frame that is equal to or longer than the RTS threshold Long Preamble Indicates whether an 802 11b radio that uses this radio profile advertises support for frames with long preambles only YES Advertises support for long preambles only NO Advertises support for long and short preambles Allow 802 119 Indicates whether the 802 11b g radios in the radio profile clients only restrict associations to 802 11g clients only a No 802 11b g radios allow associations with both 802 11b and 802 1 1g clients a No 802 11b g radios allow associations with 802 11g clients only Note This field applies only to 802 11b g radios Tune Channel Indicates whether RF Auto Tuning is enabled for dynamically setting and tuning channels Tune Power Indicates whether RF Auto Tuning is enabled for dynamically setting and tuning power levels Tune Channel Interval in seconds at which RF Auto Tuning decides Interval whether to change the channels on radios in a radio profile At the end of each interval MSS processes the results of the RF scans performed during the previous interval and changes radio channels if needed Tune Power Interval Interval in seconds at which RF Auto Tuning decides whether to change the power level on radios in a radio profile At the end of each interval MSS processes the results of the RF scans performed during the prev
300. ear spantree portvilancost 395 clear spantree portvlanpri 396 clear spantree statistics 397 clear summertime 135 clear system 40 clear system countrycode 40 clear system ip address 40 136 clear system location 40 clear system name 40 clear timezone 136 clear trace 590 clear user 215 clear user attr 216 clear user group 217 clear usergroup 217 clear usergroup attr 218 clear vlan 101 commit security acl 449 copy 567 create 624 crypto certificate 471 crypto certificate admin 471 crypto certificate eap 471 crypto generate key 473 crypto generate request 474 crypto generate request admin 474 crypto generate request eap 474 crypto generate self signed 476 crypto generate self signed admin 476 crypto generate self signed eap 476 crypto otp 478 crypto otp admin 478 crypto otp eap 478 crypto pkcs12 479 crypto pkcs12 admin 479 crypto pkcs12 eap 479 D delete 569 625 dhcp 626 iag 627 ir 570 627 isable 33 isplay 628 isplay ap dap config 290 391 isplay ap dap counters 294 isplay ap dap etherstats 301 isplay ap dap group 303 isplay ap dap status 304 isplay aaa 219 aor caa aca aoaaa isplay accounting statistics 222 isplay arp 137 isplay auto tune attributes 309 isplay auto tune neighbors 311 isplay banner motd 41 isplay base information 41 isplay boot 573 isplay config 574 isplay crypto ca certificate 481 isplay crypto certificate 482 isplay crypto key ssh 483 is
301. ecify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN MSS changes the multicast router solicitation interval for all VLANs Defaults The interval between multicast router solicitations is 30 seconds by default Access Enabled History Introduced in MSS Version 3 0 setigmp ogi 437 Usage You cannot add MAP access ports or wired authentication ports as static multicast ports However MSS can dynamically add these port types to the list of multicast ports based on multicast traffic Examples The following example changes the multicast router solicitation interval to 60 seconds WX1200 set igmp mrsol mrsi 60 success change accepted See Also set igmp mrsol on page 436 set igmp ogi Changes the IGMP other querier present interval timer on one VLAN or all VLANs on a WX Syntax set igmp oqi seconds vlan vlan id oqi seconds Number of seconds that the WX waits for a general query to arrive before electing itself the querier You can specify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN the timer change applies to all VLANs Defaults The default other querier present interval is 255 seconds 4 25 minutes Access Enabled History Introduced in MSS Version 3 0 Usage A WX cannot become the querier unless the pseudo querier feature is enabled on the WX switch
302. ect a command that you want to repeat from the history buffer The MSS CLI uses the Tab key for command completion You can type the first few characters of a command and press the Tab key to show the command s that begin with those characters For example WX1200 display i lt Tab gt ifm display interfaces maintained by the interface manager igmp display igmp information interface display interfaces ip display ip information You can use the single asterisk wildcard character in globbing For details see User Globs MAC Address Globs and VLAN Globs on page 26 The double asterisk wildcard character matches all usernames For details see User Globs on page 26 Using CLI Help 31 Using CLI Help WX1200 help Commands disable display exit help history load logout monitor ping quit reset rollback save set telnet traceroute WX1200 display i iffm igmp interface ip The CLI provides online help To see the full range of commands available at your access level type the help command For example Clear us clear help for more information Commit the content of the ACL table Copy from filename or url to filename or url Crypto use crypto help for more information Delete url Show list of files on flash device Disable privileged mode Display use display help for more information Exit from the Admin session Show this help screen Show contents of history s
303. ed History Introduced in MSS 4 0 Usage You must use the set dap auto command to create the profile before you can enable it 328 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command enables the profile for automatic Distributed MAP configuration WxX4400 set dap auto mode enable success change accepted See Also set dap auto on page 325 set dap auto radiotype on page 326 set ap dap bias on page 328 set ap dap blink on page 330 set ap dap group on page 332 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set ap dap radio auto tune min client rate on page 340 set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set ap dap upgrade firmware on page 346 set ap dap bias Changes the bias for a MAP Bias is the priority of one WX switch over other WX switches for booting and configuring the MAP Syntax set ap port list dap dap num auto bias high low ap port list List of ports on which to change the bias for directly connected MAPs dap dap num Number of a Distributed MAP for which to change the bias dap auto Configures bias for the MAP configuration profile See set dap auto on page 325 high High bias low Low bias Defaults The default bias is high set fap dap bias 32
304. ed MAP you must use the set system countrycode command to set the IEEE 802 11 country specific regulations on the WX switch See set system countrycode on page 56 For a MAP that is directly connected to the WX switch use the set port type ap command to configure a MAP access port Syntax set dap dap num serial id serial ID model ap2750 ap3750 ap7250 ap8250 ap8750 mp 52 mp 241 mp 252 mp 262 mp 341 mp 352 mp 372 mp 372 CN mp 37 JP mp 620 radiotype lla 11b 11g 82 CHAPTER 4 PORT COMMANDS dap num Number for the Distributed MAP The range of valid connection numbers depends on the WX switch model a For a WX4400 you can specify a number from 1 to 256 Fora WxX1200 you can specify a number from 1 to 30 serial id serial ID MAP access point serial ID The serial ID is listed on the MAP case To show the serial ID using the CLI use the display version details command radiotype lla 11b 11g Radio type 11a 802 11a 11b 802 11b 11g 802 11g This option applies only to single radio models Defaults The default values are the same as the defaults for the set port type ap command Access Enabled History Introduced in MSS Version 3 0 New values for model option added in Version 4 1 AP3750 a AP2750 mp 620 Examples The following command configures Distributed MAP 1 for MAP model AP2750 with serial ID M9DE48B012F00 WX44
305. ed in MSS Version 4 0 Examples The following command clears SSID mycorp from the permitted SSID list WX1200 clear rfdetect ssid list mycorp success mycorp is no longer in ssid list See Also set rfdetect ssid list on page 560 display rfdetect ssid list on page 550 clear rfdetect vendor list 537 clear rfdetect vendor list Removes an entry from the permitted vendor list Syntax clear rfdetect vendor list client ap mac addr all client ap Specifies whether the entry is for an AP brand or a client brand mac addr all Organizationally Unique Identifier OUI to remove Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command removes client OUI aa bb cc 00 00 00 from the permitted vendor list WX4400 clear rfdetect vendor list client aa bb cc 00 00 00 success aa bb cc 00 00 00 is no longer in client vendor list See Also set rfdetect vendor list on page 561 display rfdetect vendor list on page 551 display rfdetect attack list Displays information about the MAC addresses in the attack list Syntax display rfdetect attack list Defaults None Access Enabled History Introduced in MSS Version 4 0 538 CHAPTER 19 RF DETECTION COMMANDS Examples The following example shows the attack list on WX switch WX1200 display rfdetect attack list Total number of entries 1 Attacklist M
306. ed routes can resolve the static route MSS can use the static route Before you add a static route use the display interface command to verify that the WX switch has an IP interface in the same subnet as the route s next hop router If not the VLAN Interface field of the display ip route command output shows that the route is down You can configure a maximum of 4 routes per destination This includes default routes which have destination 0 0 0 0 0 Each route to a given destination must have a unique gateway address When the route table contains multiple default or explicit routes to the same destination MSS uses the route with the lowest cost If two or more routes to the same destination have the lowest cost MSS selects the first route in the route table When you add multiple routes to the same destination MSS groups the routes and orders them from lowest cost at the top of the group to highest cost at the bottom of the group If you add a new route that has the same destination and cost as a route already in the table MSS places the new route at the top of the group of routes with the same cost set ip snmp server 169 Examples The following command adds a default route that uses gateway 10 5 4 1 and gives the route a cost of 1 WX4400 set ip route default 10 5 4 1 1 success change accepted The following commands add two default routes and configure MSS to always use the route through 10 2 4 69 when the interface t
307. ed when MSS detects a rogue access point RFDetectRogueDisappearTraps Generated when a rogue access point is no longer being detected RFDetectClientViaRogueWiredAPTraps Generated when MSS detects on the wired part of the network the MAC address of a wireless client associated with a third party AP RFDetectDoSPortTraps Generated when MSS detects an associate request flood reassociate request flood or disassociate request flood RFDetectDoSTraps Generated when MSS detects a DoS attack other than an associate request flood reassociate request flood or disassociate request flood RFDetectinterferingRogueAPTraps Generated when an interfering device is detected RFDetectinterferingRogueDisappearTraps Generated when an interfering device is no longer detected RFDetectSpoofedMacAPTraps Generated when MSS detects a wireless packet with the source MAC address of a MAP but without the spoofed MAP s signature fingerprint RFDetectSpoofedSsidAPTraps Generated when MSS detects beacon frames for a valid SSID but sent by a rogue AP RFDetectUnAuthorizedAPTraps Generated when MSS detects the MAC address of a MAP that is on the attack list RFDetectUnAuthorizedOuiTraps Generated when a wireless device that is not on the list of permitted vendors is detected 180 CHAPTER 7 IP SERVICES COMMANDS RFDetectUnAuthorizedSsidTraps Generated when an SSID that is not on the permitted SSID list is detected a
308. ee Also Clear system ip address on page 136 display system on page 43 set interface on page 160 set timedate Sets the time of day and date on the wireless LAN switch Syntax set timedate date mmm dd yyyy time hh mm ss date mmm dd yyyy System date mmm month dd day yyyy year time hh mm ss System time in hours minutes and seconds Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The day of week is automatically calculated from the day you set The time displayed by the CLI after you type the command might be slightly later than the time you enter due to the interval between when you press Enter and when the CLI reads and displays the new time and date Configure summertime before you set the time and date Otherwise summertime s adjustment of the time will make the time incorrect if the date is within the summertime period 194 CHAPTER 7 IP SERVICES COMMANDS Examples The following command sets the date to March 13 2003 and time to 11 11 12 WX4400 set timedate date feb 29 2004 time 23 58 00 Time now is Sun Feb 29 2004 23 58 02 PST See Also Clear summertime on page 135 Clear timezone on page 136 display summertime on page 154 display timedate on page 155 display timezone on page 155 set summertime on page 191 set timezone on page 194 set timezone Sets the number of hours and optiona
309. enable Enables automatic firmware upgrades disable Disables automatic firmware upgrades set radio profile 11g only 347 Defaults Automatic firmware upgrades of MAP access points are enabled by default Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage When the feature is enabled on an WX port a MAP access point connected to that port upgrades its boot firmware to the latest version stored on the WX switch while booting Examples The following command disables automatic firmware upgrades on the MAP access point connected to port 6 WX1200 set ap 6 upgrade firmware disable See Also display ap dap config on page 290 set radio profile 11g only Configures each 802 11b g radio in a radio profile to allow associations with 802 11g clients only Syntax set radio profile name 1llg only enable disable a name Radio profile name enable Configures radios to allow associations with 802 119 clients only disable Configures radios to allow associations with 802 119 clients and 802 11b clients Defaults The default setting is disable 3Com 802 1 1b g radios allow associations with 802 11g and 802 11b clients by default Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters
310. enerate request web and press Enter When you are prompted type the identifying values in the fields or press Enter if the field is optional You must enter a common name for the WX switch This command outputs a PKCS 10 text string in Privacy Enhanced Mail protocol PEM format that you paste to another location for submission to the certificate authority You then send the request to the certificate authority to obtain a signed copy of the WX switch certificate as a PKCS 7 object file Examples To request an administrative certificate from a certificate authority type the following command WX4400 crypto generate request admin Country Name US State Name CA Locality Name Pleasanton Organizational Name MyCorp Organizational Unit ENG Common Name ENG Email Address admin example com Unstructured Name admin CSR for admin is SSS BEGIN CERTIFICATE REQUEST TIBuzCCASQCAQAwezELMAkKGA1UEBhMCdXMxC zAJUBGNVBAgTAmNhMQswCOYDVQQH EwJjYTELMAkGA1UEChMCY2ExCzAJBgNVBAs TAmNhMQswCOYDVOQDEWJj YTEYMBYG CSqGS Ib3DQEJARYJY2 FAY2EuY2 9tMREwDwY JKoZ IhvcNAQkCEwJj YTCBnzANBgkq 476 CHAPTER 15 CRYPTOGRAPHY COMMANDS hkiG9w0BAQEFAAOBjQAwgYkCgYEAI zatpYSt0OjHMa0QUmWHeZPPFGOQ9kKBEimJKPG bznFjAC780GcZtnJPGqnMnOKjJ 4NdknonT6NdCd2 fBdGbuEFGNMNgZMYKGcV2JIu M32 SvpSEOEnMYuidkEzqLQol1621vh67RMIKTMECM6uCBBROq6XNyplHnlgtrrpL LhyGTWUCAwEAAaAAMAO0GCSqGS I b3DQEBBAUAA4GBAHK
311. entication attacks Spoofed disassociation attacks oO N Null probe responses 1138 Broadcast deauthentications FakeAP ssid attacks FakeAP bssid attacks Netstumbler clients Rogue access points 0 0 Interfering access points 139 1116 Rogue 802 11 clients 0 0 Interfering 802 11 clients 4 347 802 11 adhoc clients 0 1 Unknown 802 11 clients 20 965 Interfering 802 11 clients seen on wired network 0 0 802 11 probe request flood 0 802 11 authentication flood 0 802 11 null data flood 0 802 11 mgmt type 6 flood 0 802 11 mgmt type 7 flood 0 802 11 mgmt type d flood 0 802 11 mgmt type e flood 0 802 11 mgmt type f flood 0 802 11 association flood 0 802 11 reassociation flood 0 802 11 disassociation flood 0 0 0 0 1 0 0 6 0 0 0 0 oe Oo Wellenreiter clients Active scans 1796 4383 Wireless bridge frames 196 196 Adhoc client frames Access points present in attack list 0 0 Access points not present in ssid list 0 0 Access points not present in vendor list 0 0 Clients not present in vendor list 0 0 Clients added to automatic black list 0 0 544 CHAPTER 19 RF DETECTION COMMANDS display rfdetect data Displays all the BSSIDs detected by an individual WX switch during an RF detection scan The data includes BSSIDs transmitted by other 3Com radios as well as by third party access points Syntax display rfdetect data Defaults None Access Enabled History Introduced in MSS Version 3
312. entication ports to process 802 1X authentication normally as determined for the user by the set authentication dot1X command port list One or more wired authentication ports for which to set 802 1X port control Defaults By default wired authentication ports are set to auto Access Enabled History Introduced in MSS Version 3 0 Usage This command affects only wired authentication ports Examples The following command forces port 1 to unconditionally accept all 802 1X authentication attempts WX4400 set dotlx port control forceauth 1 success authcontrol for 1 is set to FORCE AUTH See Also display port status on page 73 display dot1x on page 505 set dot1x quiet period 513 set dot1x quiet period Sets the number of seconds a WX remains quiet and does not respond to a supplicant after a failed authentication Syntax set dotlx quiet period seconds seconds Specify a value between 0 and 65 535 Defaults The default is 60 seconds Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the quiet period to 90 seconds WX4400 set dotlx quiet period 90 success dotlx quiet period set to 90 See Also Clear dot1x quiet period on page 502 set dot1x wep rekey period on page 518 set dot1x reauth Determines whether the WX switch allows the reauthentication of supplicants clients Syntax set dotlx rea
313. entire VLAN is removed from the configuration You cannot delete the default VLAN but you can remove ports from it To remove ports from the default VLAN use the port port list option Examples The following command removes port 1 from VLAN green WX4400 clear vlan green port 1 This may disrupt user connectivity Do you wish to continue y n nly success change accepted The following command removes port 4 which uses tag value 69 from VLAN red WX1200 clear vlan red port 4 tag 69 This may disrupt user connectivity Do you wish to continue y n nly success change accepted 102 CHAPTER 5 VLAN COMMANDS The following command completely removes VLAN marigold WX4400 clear vlan marigold This may disrupt user connectivity Do you wish to continue y n nly success change accepted See Also set vlan port on page 117 display vlan config on page 111 display fdb Displays entries in the forwarding database Syntax display fdb mac addr glob vlan vlan id display fdb perm static dynamic system all port port list vlan vlan id mac addr glob A single MAC address or set of MAC addresses Specify a MAC address or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 vlan vlan id Name or number of a VLAN for which to display entries perm Displays permanent entries A permanent entry does not age out
314. epted See Also set snmp usm on page 188 display snmp usm on page 154 clear summertime Clears the summertime setting from a wireless LAN switch Syntax clear summertime Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To clear the summertime setting from a WX switch type the following commana WX1200 clear summertime success change accepted See Also Clear timezone on page 136 display summertime on page 154 display timedate on page 155 display timezone on page 155 set summertime on page 191 set timedate on page 193 set timezone on page 194 136 CHAPTER 7 IP SERVICES COMMANDS clear system ip address AN Clears the system IP address CAUTION Clearing the system IP address disrupts the system tasks that use the address Syntax clear system ip address Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Clearing the system IP address can interfere with system tasks that use the system IP address including the following a Mobility Domain operations Topology reporting for dual homed MAP access points Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Examples To clear the system IP address type the following command WX1200 clear system ip address success change accepted See Also display system on
315. er snoop2 from radio 2 on Distributed MAP 3 setsnoop 599 WX1200 clear snoop map snoop2 dap 3 radio 2 success change accepted The following command removes all snoop filter mappings from all radios WX1200 clear snoop map all success change accepted See Also set snoop map on page 602 display snoop on page 604 display snoop map on page 605 set snoop Configures a snoop filter Syntax set snoop filter name condition list observer ip addr snap length num a filter name Name for the filter The name can be up to 32 alphanumeric characters with no spaces a condition list Match criteria for packets Conditions in the list are ANDed Therefore to be copied and sent to an observer a packet must match all criteria in the condition list You can specify up to eight of the following conditions in a filter in any order or combination frame type eq neq beacon control data management probe channel eq neq channel bssid eq neq bssid src mac eq neq mac addr dest mac eq neq mac addr host mac eq neq mac addr Mac pair mac addrl mac addr2 600 CHAPTER 22 SNOOP COMMANDS To match on packets to or from a specific MAC address use the dest mac or src mac option To match on both send and receive traffic for a host address use the host mac option To match on a traffic flow source and destination MAC addresses use the mac pair option Thi
316. erences set on WX4400 gigabit Ethernet ports Syntax display port preference port list a port list List of physical ports MSS displays the preference for all the specified ports Defaults None Access All History Introduced in MSS Version 3 0 Usage This command applies only to the WX4400 Examples The following command displays the preference settings on all four ports of a WX4400 switch WX4400 display port preference display port status 73 Port Preference GBIC RJ45 GBIC GBIC BwWN EF Table 13 describes the fields in this display Table 13 Output for display port preference Field Description Port Port number Preference Preference setting a GBIC The GBIC fiber interface is selected as the active interface a RJ45 The RJ 45 copper interface is selected as the active interface See Also Clear port preference on page 67 set port preference on page 88 display port status Displays configuration and status information for ports Syntax display port status port list a port list List of physical ports If you do not specify a port list information is displayed for all ports Defaults None Access All History Introduced in MSS Version 3 0 74 CHAPTER 4 PORT COMMANDS Examples The following command displays information for all ports on a WX1200 switch WX1200 display port status Port Name Admin
317. ermining a RADIUS server is unresponsive before trying to reconnect with this server During the dead time the RADIUS server is ignored by the WX switch The default is O minutes key Shared secret key or password used to authenticate to a RADIUS server The default is no key author pass Password used for outbound authentication to a RADIUS server used in conjunction with a last resort username By default a MAC user s MAC address is also used as that user s password and no global password is set Radius Servers Information about active RADIUS servers Server Name of each RADIUS server currently active Addr IP address of each RADIUS server currently active Ports UDP ports that the WX switch uses for authentication messages and for accounting records T o Setting of timeouts on each RADIUS server currently active Tries Number of retransmissions configured for each RADIUS server currently active The default is 3 times Dead Length of time until the server is considered responsive again State Current state of each RADIUS server currently active UP operating a DOWN unavailable Server groups Names of RADIUS server groups and member servers configured on the WX switch Web Portal State of the WebAAA feature enabled a disabled set commands List of commands used to configure AAA on the WX switch user and user group profiles See Also List
318. ersion 3 0 Usage Before using this command you must configure values for the WEP keys you plan to use Use the set service profile wep key index command Examples The following command configures service profile so2 to use WEP key 4 for encrypting unicast traffic WX4400 set service profile sp2 wep active unicast index 4 success change accepted See Also set service profile wep active multicast index on page 388 set service profile wep key index on page 390 390 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set service profile wep key index Sets the value of one of four static Wired Equivalent Privacy WEP keys for static WEP encryption Syntax set service profile name wep key index num key value name Service profile name key index num WEP key index You can enter a value from 1 through 4 key value Hexadecimal value of the key You can enter a 10 character ASCII string representing a 5 digit hexadecimal number or a 26 character ASCII string representing a 13 digit hexadecimal number You can use numbers or letters ASCII characters in the following ranges are supported Oto9 AtoF atof Defaults By default no static WEP keys are defined Access Enabled History Introduced in MSS Version 3 0 Usage MSS automatically enables static WEP when you define a WEP key MSS continues to support dynamic WEP If you plan to use static WEP do not map more than 8 ser
319. ertificate authority type the following command WX4400 display crypto ca certificate Table 83 describes the fields in the display Table 83 display crypto ca certificate Output Fields Description Version Version of the X 509 certificate Serial Number A unique identifier for the certificate or signature Subject Name of the certificate owner 482 CHAPTER 15 CRYPTOGRAPHY COMMANDS Table 83 display crypto ca certificate Output continued Signature Algorithm Algorithm that created the signature such as RSA MD5 or RSA SHA Issuer Certificate authority that issued the certificate or signature Validity Time period for which the certificate is valid See Also crypto ca certificate on page 470 display crypto certificate on page 482 display crypto certificate Displays information about one of the cryptographic certificates installed on the WX switch Syntax display crypto certificate admin eap web admin Displays information about the administrative certificate that authenticates the WX switch to 3WXM or Web Manager eap Displays information about the EAP certificate that authenticates the WX switch to 802 1X supplicants clients web Displays information about the WebAAA certificate that authenticates the WX switch to WebAAA clients Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version
320. es of user globs Table 3 User Globs User Glob User s Designated jose example com User jose at example com example com All users at example com whose usernames do not contain periods for example jose example com and tamara example com but not nin wong example com because nin wong contains a period marketing example com All marketing users at example com whose usernames do not contain periods marketing example com All marketing users at example com whose usernames contain periods x All users with usernames that have no delimiters EXAMPLE All users in the Windows Domain EXAMPLE with usernames that have no delimiters EXAMPLE All users in the Windows Domain EXAMPLE whose usernames contain periods tx All users MAC Address Globs A media access control MAC address glob is a similar method for matching some authentication authorization and accounting AAA and forwarding database FDB commands to one or more 6 byte MAC addresses In a MAC address glob you can use a single asterisk as a wildcard to match all MAC addresses or as follows to match from 1 byte to 5 bytes of the MAC address 00 00 01 00 01 02 00 201 702703 00 01 02 03 04 For example the MAC address glob 02 06 8c represents all MAC addresses starting with 02 06 8c Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique
321. et port group name serverl 1 4 7 mode on success change accepted set port media type 85 See Also Clear port group on page 65 display port group on page 70 set port media type Disables the fiber interface and enables the copper interface on an WX4400 gigabit Ethernet port Syntax set port media type port list rj45 a port list List of physical ports MSS sets the preference on all the specified ports a rj45 Uses the copper interface Defaults The GBIC fiber interface is enabled and the copper interface is disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage This command applies only to the WX4400 If you set the port interface to RJ 45 on a port that already has an active fiber link MSS immediately changes the link to the copper interface Examples The following command disables the fiber interface and enables the copper interface on port 2 WxX4400 set port media type 2 rj45 See Also Clear port media type on page 66 display port media type on page 75 86 CHAPTER 4 PORT COMMANDS set port name Assigns a name to a port After naming a port you can use the port name or number in other CLI commands Syntax set port port name name port Number of a physical port You can specify only one port name name Alphanumeric string of up to 16 characters with no spaces Defaults None Access Enabled History
322. etween 1 and 128 alphanumeric characters with no spaces To load the file from a subdirectory specify the subdirectory name followed by a forward slash in front of the filename For example backup_configs config_c Defaults The default configuration filename is configuration Access Enabled History Introduced in MSS Version 3 0 Usage The file must be located in the switch s nonvolatile storage Examples The following command sets the boot configuration file to testconfig1 WX4400 set boot configuration file testconfigl success boot config set set boot partition 587 set boot partition Specifies the boot partition in which to look for the system image file following the next system reset software reload or power cycle Syntax set boot partition boot0 boot1 boot0 Boot partition 0 boot1 Boot partition 1 Defaults By default an WX switch uses the same boot partition for the next software reload that was used to boot the currently running image Access Enabled History Introduced in MSS Version 3 0 Usage To determine the boot partition that was used to load the currently running software image use the dir command Examples The following command sets the boot partition for the next software reload to partition 1 WX4400 set boot partition bootl success Boot partition set to bootl See Also copy on page 567 dir on page 570 reset s
323. etwork ports to a VLAN You also can add a virtual port to each network port by adding a tag value to the network port Syntax set vlan vlan id port port list tag tag value a vilan id VLAN name or number port port list List of physical ports tag tag value Tag value that identifies a virtual port You can specify a value from 1 through 4093 By default no ports are members of any VLANs A wireless LAN switch cannot forward traffic on the network until you configure VLANs and add network ports to the VLANs Access Enabled History Introduced in MSS Version 3 0 Usage You can combine this command with the set port name command to assign the name and add the ports at the same time If you do not specify a tag value the WX switch sends untagged frames for the VLAN If you do specify a tag value the WX sends tagged frames only for the VLAN If you do specify a tag value 3Com recommends that you use the same value as the VLAN number MSS does not require the VLAN number and tag value to be the same but some other switches do Examples The following command assigns the name beige to VLAN 11 and adds ports 1 through 3 to the VLAN WX1200 set vlan 11 name beige port 1 3 success change accepted The following command adds port 6 to VLAN beige and assigns tag value 86 to the port WX1200 set vlan beige port 6 tag 86 success change accepted See Also a Clear security 12 restrict on page 99
324. eviation for the country in which the WX switch is operating in 2 alphanumeric characters with no spaces State Name string Optional Specify the abbreviation for the name of the state in 2 alphanumeric characters with no spaces Locality Name string Optional Specify the name of the locality in up to 80 alphanumeric characters with no spaces Organizational Name string Optional Specify the name of the organization in up to 80 alohanumeric characters with no spaces Organizational Unit string Optional Specify the name of the organizational unit in up to 80 alohanumeric characters with no spaces Common Name string Specify a unique name for the WX switch in up to 80 alphanumeric characters with no spaces Use a fully qualified name if such names are supported on your network This field is required crypto generate request 475 Email Address string Optional Specify your email address in up to 80 alohanumeric characters with no spaces Unstructured Name string Optional Specify any name in up to 80 alphanumeric characters with no spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage To use this command you must already have generated a public private encryption key pair with the crypto generate key command Enter crypto generate request admin crypto generate request eap or crypto g
325. ew associations Refusing The MAP access point is refusing new associations Refused Number of association requests refused by the MAP access point due to load balancing MSS resets this counter to O when the WX switch is restarted MSS is reloaded or the access point is removed from the group See Also set ap dap group on page 332 304 CHAPTER 11 MANAGED ACCESS POINT COMMANDS display ap dap status Displays MAP access point and radio status information Syntax display ap status terse port list all radio 1 2 Syntax display dap status terse dap num radio 1 2 terse Displays a brief line of essential status information for each MAP port list List of ports connected to the MAP access point s for which to display status dap num Number of a Distributed MAP for which to display status all Shows status information for all directly attached MAP access points and all Distributed MAP access points configured on the switch radio 1 Shows status information for radio 1 radio 2 Shows status information for radio 2 This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 3 0 True base MAC addresses of radios are displayed in MSS Version 3 2 Previously the base MAC address displayed for a radio was the true base MAC address plus 2 Note that a radio s base
326. example the command does not completely replace the user files area Instead files in the archive are added to the user files area A file in the user area is replaced only if the archive contains a file with the same name Note If the archive s files cannot fit on the switch the restore operation fails 3Com recommends deleting unneeded image files before creating or restoring an archive The backup command stores the MAC address of the switch in the archive By default the restore command works only if the MAC address in the archive matches the MAC address of the switch where the restore command is entered The force option overrides this restriction and allows you to unpack one switch s archive onto another switch CAUTION Do not use the force option unless you are certain you want to replace the switch s files with files from another switch If you restore one switch s system files onto another switch you must generate new key pairs and certificates on the switch Examples The following command restores system critical files on a switch from archive sysa_bak WX1200 restore system tftp 10 10 20 9 sysa_bak success received 11908 bytes in 0 150 seconds 79386 bytes sec success restore complete 584 CHAPTER 20 FILE MANAGEMENT COMMANDS See Also backup on page 564 rmdir Removes a subdirectory from nonvolatile storage Syntax rmdir subdirname subdirname Subdirectory name Specify be
327. f entries including blanks The authentication method none you can specify for administrative access is different from the fallthru authentication type none which applies only to network access The authentication method none allows access to the WX switch by an administrator The fallthru authentication type none denies access to a network user See set service profile auth fallthru on page 374 For more information see Usage Defaults By default authentication is deactivated for all admin users The default authentication method in an admin authentication rule is local MSS checks the local WX database for authentication Access Enabled 230 CHAPTER 8 AAA COMMANDS gt History Introduced in MSS Version 3 0 The syntax descriptions for the set authentication commands have been separated for clarity However the options and behavior for the set authentication admin command are the same as in previous releases Usage You can configure different authentication methods for different groups of users For details see User Globs MAC Address Globs and VLAN Globs on page 26 If you specify multiple authentication methods in the set authentication console command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MSS tries the second method and
328. f the MAP access points connected to an WX switch to a group on that switch All access points in a group must be connected to the same WX switch set fap dap name 333 If you use the name none spelled in any combination of capital or lowercase letters the specified MAP access point is cleared from all MAP access point groups Examples The following command configures a MAP access point group named oadbalance that contains the MAP access points on ports 1 3 and 5 WX1200 set ap 1 3 5 group loadbalancel success change accepted The following command removes the MAP access point on port 4 from all MAP access point groups WX1200 set ap 4 group none success change accepted See Also display ap dap config on page 290 display ap dap group on page 303 set ap dap name Changes a MAP name Syntax set ap port list dap dap num name name ap port list List of ports connected to the MAP access point to rename dap dap num Number of a Distributed MAP to rename name Alphanumeric string of up to 16 characters with no spaces Defaults The default name of a directly attached MAP is based on the port number of the MAP access port attached to the MAP For example the default name for a MAP on MAP access port 1 is MAPO7 The default name of a Distributed MAP is based on the number you assign to it when you configure the connection For example the default name for Distribu
329. fic for the country of operation tx power Highest setting allowed for Transmit power of a radio in the country of operation decibels referred to or highest setting 1 milliwatt dBm supported on the hardware whichever is lower antennatype For most MAP models the External antenna model Access Enabled default is internal For MP 620 the default for the 802 11b g radio is ANT 1360 OUT The default for the 802 11a radio is ANT 5360 OUT The default for the 802 11b g radio on model MP 262 is ANT1060 History Introduced in MSS Version 3 0 Note This parameter is configurable only on MAPs that support external antennas Usage When you clear a radio MSS performs the following actions a Clears the transmit power channel and external antenna setting from the radio a Removes the radio from its radio profile and places the radio in the default radio profile This command does not affect the PoE setting Examples The following command disables and resets radio 2 on the MAP access point connected to port 3 WX1200 clear ap 3 radio 2 288 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set port type ap on page 91 clear radio profile Removes a radio profile or resets one of the profile s parameters to its default value Syntax clear radio profile name parameter name Radio prof
330. file Use the set radio profile mode command Examples The following command changes the beacon interval for radio profile ro7 to 200 ms WX4400 set radio profile rpl beacon interval 200 success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile countermeasures AN Enables or disables countermeasures on the MAP radios managed by a radio profile Countermeasures are packets sent by a radio to prevent clients from being able to use rogue access points CAUTION Countermeasures affect wireless service on a radio When a MAP radio is sending countermeasures the radio is disabled for use by network traffic until the radio finishes sending the countermeasures 356 CHAPTER 11 MANAGED ACCESS POINT COMMANDS MAP radios can also issue countermeasures against interfering devices An interfering device is not part of the 3Com network but also is not a rogue No client connected to the device has been detected communicating with any network entity listed in the forwarding database FDD of any WX switch in the Mobility Domain Although the interfering device is not connected to your network the device might be causing RF interference with MAP radios Syntax set radio profile name countermeasures all rogue configured none a name Radio profile name all Configures radios to attack rogues and interfering devices rogue Configures
331. file on page 317 set radio profile mode on page 362 set radio profile rts threshold Changes the RTS threshold for the MAP radios in a radio profile The RTS threshold specifies the maximum length a frame can be before the radio uses the RTS CTS method to send the frame The RTS CTS method clears the air of other traffic to avoid corruption of the frame due to a collision with another frame Syntax set radio profile name rts threshold threshold name Radio profile name threshold Maximum frame length in bytes You can enter a value from 256 through 3000 Defaults The default RTS threshold for a MAP radio is 2346 bytes Access Enabled 366 CHAPTER 11 MANAGED ACCESS POINT COMMANDS History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command changes the RTS threshold for radio profile ro7 to 1500 bytes WX4400 set radio profile rpl rts threshold 1500 success change accepted See Also set radio profile mode on page 362 display radio profile on page 317 set radio profile service profile Maps a service profile to a radio profile All radios that use the radio profile also use the parameter settings including SSID and encryption settings in the service profile Syntax set radio profile name service profi
332. ge continued Type Command Fast set spantree backbonefast on page 411 etter ia display spantree backbonefast on page 400 set spantree uplinkfast on page 419 display spantree uplinkfast on page 409 Statistics display spantree statistics on page 403 clear spantree statistics on page 397 clear spantree portcost Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all VLANs on a WX switch Syntax clear spantree portcost port list a port list List of ports The port cost is reset on the specified ports Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command resets the cost in all VLANs To reset the cost for only specific VLANs use the clear spantree portvlancost command Examples The following command resets the STP port cost on ports 5 and 6 to the default value WX1200 clear spantree portcost 5 6 success change accepted See Also Clear spantree portvlancost on page 395 display spantree on page 398 display spantree portvilancost on page 403 set spantree portcost on page 414 set spantree portviancost on page 417 clear spantree portpri 395 clear spantree portpri Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge in all VLANs on a wireless LAN switch or controller Syntax clear spantree
333. ge 241 clear authentication admin on page 204 clear authentication console on page 205 clear authentication dot1x on page 206 clear authentication last resort on page 207 clear authentication mac on page 208 clear authentication proxy on page 209 clear authentication web on page 209 202 CHAPTER 8 AAA COMMANDS Table 41 AAA Commands by Usage continued Type Command Local Authorization for Password Users set user on page 258 clear user on page 215 set user attr on page 259 clear user attr on page 216 set usergroup on page 261 clear usergroup on page 217 set user group on page 260 clear user group on page 217 clear usergroup attr on page 218 Local Authorization for MAC Users set mac user on page 248 clear mac user on page 211 set mac user attr on page 249 clear mac user attr on page 212 set mac usergroup attr on page 254 clear mac usergroup attr on page 214 clear mac user group on page 212 clear mac usergroup on page 213 Web authorization set web portal on page 262 Accounting set accounting admin console on page 225 set accounting dot1x mac web last resort on page 227 display accounting statistics on page 222 clear accounting on page 203 AAA information display aaa on page 219 Mobility Profiles set mobility profile on page 255 set mobility
334. ges the cost that transmission through a network port or ports in the default VLAN on a wireless LAN switch adds to the total cost of a path to the STP root bridge Syntax set spantree portcost port list cost cost port list List of ports MSS applies the cost change to all the specified ports a cost cost Numeric value You can specify a value from 1 through 65 535 STP selects lower cost paths over higher cost paths Defaults The default port cost depends on the port speed and link type Table 73 lists the defaults for STP port path cost Table 73 SNMP Port Path Cost Defaults Port Speed Link Type Default Port Path Cost 000 Mbps Full Duplex Aggregate 19 Link Port Group 000 Mbps Full Duplex 4 00 Mbps Full Duplex Aggregate 19 Link Port Group 00 Mbps Full Duplex 18 00 Mbps Half Duplex 19 0 Mbps Full Duplex Aggregate 19 Link Port Group 0 Mbps Full Duplex 95 0 Mbps Half Duplex 100 set spantree portfast 415 Access Enabled History Introduced in MSS Version 3 0 Usage This command applies only to the default VLAN VLAN 1 To change the cost of a port in another VLAN use the set spantree portvlancost command Examples The following command changes the cost on ports 3 and 4 to 20 WX1200 set spantree portcost 3 4 cost 20 success change accepted See Also Clear spantree portcost on page 394 Clear spantree portvlancost on page 395 display spantree on page 398
335. gure 50 CHAPTER 3 SYSTEM SERVICE COMMANDS Examples The following commands stage a WX switch to use the auto config option The network where the switch is installed has a DHCP server so the switch is configured to use the MSS DHCP client to obtain an IP address default gateway address DNS domain name and DNS server IP addresses 1 Configure a VLAN WX 1200 set vlan 1 port 7 success change accepted 2 Enable the DHCP client on VLAN 1 WX 1200 set interface 1 ip dhcp client enable success change accepted 3 Enable the auto config option WX 1200 set auto config enable success change accepted 4 Create a self signed administrative certificate to enable the WX to communicate with the 3WXM server WX 1200 crypto generate key admin 1024 key pair generated WX 1200 crypto generate self signed admin Country Name State Name Locality Name Organizational Name Organizational Unit Common Name remoteswitch1 example com Email Address Unstructured Name Self signed cert for admin is Ses BEGIN CERTIFICATE TICUzCCAbygAwI BAgICA cwDQYJKoZ IhvcNAQEEBOAWN ELMAkGA1UEBhMC VVMx CzAJBgNVBAgTAkNBMRowGAYDVQQDFBFOZWNocHVicOBOcnB LmNvbTAeFwOw zA0 Lm8wmVYLxP5 6MpCUAm908C2fo0YgOY40 END CERTIFICATE 5 Save the configuration changes WX 1200 save config success configuration saved set bannermotd 51 See Also crypto generate
336. hanumeric string of up to 255 characters with no spaces port list List of physical ports All the ports you specify are configured together as a single logical link mode on off State of the group Use on to enable the group or off to disable the group The group is enabled by default Defaults Once configured a group is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage You can configure up to 8 ports in a port group in any combination of ports The port numbers do not need to be contiguous and you can use 10 100 Ethernet ports and gigabit Ethernet ports in the same port group After you add a port to a port group you cannot configure port parameters on the individual port Instead change port parameters on the entire group Specify the group name instead of an individual port name or number in port configuration commands To add or remove ports in a group that is already configured change the mode to off add or remove the ports then change the mode to on Examples The following command configures a port group named server containing ports 1 through 5 and enables the link WX1200 set port group name serverl 1 5 mode on success change accepted The following commands disable the link for port group server7 change the list of ports in the group and reenable the link WX1200 set port group name serverl 1 5 mode off success change accepted WX1200 s
337. hat might have a large impact on the network Syntax set confirm on off on Enables confirmation messages off Disables confirmation messages Defaults Configuration messages are enabled Access Enabled History Introduced in MSS Version 3 0 Usage This command remains in effect for the duration of the session until you enter a quit command or until you enter another set confirm command MSS displays a message requiring confirmation when you enter certain commands that can have a potentially large impact on the network For example WX4400 clear vlan red This may disrupt user connectivity Do you wish to continue y n n Examples To turn off these confirmation messages type the following command WX4400 set confirm off success Confirm state is off setlength 53 set length Defines the number of lines of CLI output to display between paging prompts MSS displays the set number of lines and waits for you to press any key to display another set or type q to quit the display Syntax set length number of lines number of lines Number of lines of text to display between paging prompts You can specify from O to 512 The O value disables the paging prompt action entirely Defaults MSS displays 24 lines by default Access All History Introduced in MSS Version 3 0 Usage Use this command if the output of a CLI command is greater than the number
338. he receiver For static multicast receiver entries the TTL value is undef Static multicast receiver entries do not age out Querier information Information about the subnet s multicast querier If the querier is another WX switch the fields described below are applicable If the querier is the WX itself the output indicates how many seconds remain until the next general query message If IGMP snooping does not detect a querier the output indicates this The display igmp querier command shows the same information Querier for vlan VLAN containing the querier Information is listed separately for each VLAN Querier IP IP address of the querier Querier MAC MAC address of the querier TIL Number of seconds before this entry ages out if the WX does not receive a query message from the querier IGMP vlan member ports Physical ports in the VLAN This list includes all network ports configured to be in the VLAN and all ports MSS dynamically assigns to the VLAN when a user assigned to the VLAN becomes a receiver For example the list can include a MAP access port that is not configured to be in the VLAN when a user associated with the 3Com Wireless LAN Managed Access Point AP2750 on that port becomes a receiver for a group When all receivers on a dynamically added port age out MSS removes the port from the list IGMP static ports Static receiver ports IGMP statistics Multicast message and packe
339. he RADIUS server or the local database When the same attribute is specified both as an SSID default attribute and through AAA then the attribute supplied by the RADIUS server or the local database takes precedence over the SSID default attribute If a location policy is configured the location policy rules also take precedence over SSID default attributes The SSID default attributes serve as a fallback when neither the AAA process nor a location policy provides them For example a service profile might be configured with the service type attribute set to 2 If a user accessing the SSID is authenticated by a RADIUS server and the RADIUS server returns the vlan name attribute set to orange then that user will have a total of two attributes set service type and vlan name If the service profile is configured with the vlan name attribute set to blue and the RADIUS server returns the vlan name attribute set to orange then the attribute from the RADIUS server takes precedence the user is placed in the orange VLAN You can display the attributes for each connected user and whether they are set through AAA or through SSID defaults by entering the display sessions network verbose command You can display the configured SSID defaults by entering the display service profile command Examples The following command assigns users accessing the SSID managed by service profile so2 to VLAN blue WX4400 set service prof sp2 attr vlan name blue
340. he current WX switch as the seed WxX4400 set mobility domain mode seed domain name Pleasanton mode is seed domain name is Pleasanton See Also Clear mobility domain member on page 266 display mobility domain status on page 267 272 CHAPTER 9 MOBILITY DOMAIN COMMANDS 10 NETWORK DOMAIN COMMANDS Use Network Domain commands to configure and manage Network Domain groups A Network Domain is a group of geographically dispersed Mobility Domains that share information among themselves over a WAN link This shared information allows a user configured on a WX switch in one Mobility Domain to establish connectivity on a WX switch in another Mobility Domain elsewhere in the same Network Domain The WX switch forwards the user traffic by creating a VLAN tunnel to a WX switch in the remote Mobility Domain In a Network Domain one or more WX switches serve as a seed switch At least one of the Network Domain seeds maintains a connection with each of the member WX switches in the Network Domain The Network Domain seeds share information about the VLANs configured on their members so that all the Network Domain seeds have a common database of VLAN information Network Domain Commands by Usage This chapter presents Network Domain commands alphabetically Use Table 47 to locate commands in this chapter based on their use Table 47 Network Domain Commands by Usage Type Command Network Domain set network domain mode seed do
341. he system image software versions use the fver command This command does not list the boot code versions To display the boot code versions use the version command Examples The following command displays all the boot code and system image files on a WX switch boot gt dir Internal Compact Flash Directory Primary WXA30001 Rel 8863722 bytes Internal Compact Flash Directory Secondary WXA30001 Rel 8862885 bytes See Also fver on page 630 version on page 636 display Displays the currently active boot profile A boot profile is a set of parameters that a WX switch uses to control the boot process Each boot profile contains the following parameters Boot type Either compact flash local device on the WX switch or network TFTP Boot device Location of the system image file Filename System image file Flags Number representing the bit settings of boot flags to pass to the booted system image Options String up to 128 bytes of boot options to pass to the booted system image display 629 A WX switch can have up to four boot profiles numbered O through 3 Only one boot profile can be active at a time You can create change and delete boot profiles You also can activate another boot profile in place of the currently active one Syntax display Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Examples To display the currently a
342. henticating a transitions from AUTHENTICATING to ABORTING a Number of times that the WX switch state wildcard from AUTHENTICATION to HELD transitions Reauths While Authenticating Number of times that the WX switch state wildcard transitions from AUTHENTICATING to ABORTING as a result of a reauthentication request reAuthenticate TRUE Starts While Authenticating Number of times that the WX switch state wildcard transitions from AUTHENTICATING to ABORTING as a result of an EAPoL Start message being received from the Supplicant client Logoffs While Authenticating Number of times that the WX switch state wildcard transitions from AUTHENTICATING to ABORTING as a result of an EAPoL logoff message being received from the Supplicant client Bad Packets Received Number of EAPoL packets received that have an invalid version or type set dot1x authcontrol Provides a global override mechanism for 802 1X authentication configuration on wired authentication ports Syntax set dotlx authcontrol enable disable enable Allows all wired authentication ports running 802 1X to use the authentication specified per port by the set dot1X port control command disable Forces all wired authentication ports running 802 1X to unconditionally accept all 802 1X authentication attempts with an EAP Success message ForceAuth set dot1x bonded period 5
343. hits Finally the following command commits the security ACLs in the edit buffer to the configuration WX4400 commit security acl all configuration accepted See Also Clear security acl on page 446 commit security acl on page 449 display security acl on page 450 set security acl map gt Assigns a committed security ACL to a VLAN physical port or ports virtual port or Distributed MAP on the WX switch To assign a security ACL to a user or group in the local WX database use the command set user attr set mac user attr set usergroup attr or set mac usergroup attr with the Filter Id attribute To assign a security ACL to a user or group with Filter ld on a RADIUS server see the documentation for your RADIUS server set security acl map 465 Syntax set security acl map acl name Vlan vlan id port port list tag tag list dap dap nun in out acl name Name of an existing security ACL to map ACL names start with a letter and are case insensitive vlan vlan id VLAN name or number MSS assigns the security ACL to the specified VLAN port port list Port list MSS assigns the security ACL to the specified physical WX port or ports tag tag list One or more values that identify a virtual port in a VLAN Specify a single tag value from 1 through 4095 Or specify a comma separated list of values a hyphen separated range or any combination with no spaces MSS assigns the security
344. ibuted MAP for which to display configuration settings radio 1 Shows configuration information for radio 1 radio 2 Shows configuration information for radio 2 This option does not apply to single radio models Defaults None Access All History Introduced in MSS Version 3 0 Usage MSS lists information separately for each MAP access point display ap dap config 291 Examples The following example shows configuration information for a MAP access point on WX port 2 WX1200 display ap config 2 Port 1 AP model AP2750 POE enable bias high name MAPO1 boot download enable YES load balancing group none Radio 1 type 802 11g mode enabled channel dynamic tx pwr dynamic profile default auto tune max power default min client rate 5 5 max retransmissions 10 The following example shows configuration information for a Distributed MAP access point configured on connection 1 WX4400 display dap config 1 Dap 1 Serial Id M9DE48B012F00 MAP model AP2750 bias high name DAP1 boot download enable YES Radio 1 type 802 1la mode disabled channel dynamic tx pwr 11 profile default auto tune max power default min client rate 24 max retransmissions 10 Table 51 describes the fields in this display Table 51 Output for display ap config Field Description Port WX port number Note This field is applicable only if the MAP is directly co
345. ication at RADIUS server groups sg7 through sg3 for all 802 1X clients at example com who want to access SSID examplecorp WX4400 set authentication dotlx ssid examplecorp example com peap mschapv2 sgl sg2 sg3 success change accepted See Also Clear authentication dot1x on page 206 display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication last resort on page 236 set authentication mac on page 239 set authentication web on page 242 set service profile auth fallthru on page 374 set authentication last resort Configures an authentication rule to grant network access to a user who is not otherwise granted or denied access by 802 1X or granted access by MAC authentication Syntax set authentication last resort ssid ssid name wired methodi method2 method3 method4 a ssid ssid name SSID name to which this authentication rule applies To apply the rule to all SSIDs type any wired Applies this authentication rule specifically to users connected to a wired authentication port set authentication last resort 237 methodl method2 method3 method4 At least one of up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database
346. ice DNS Network Time Protocol NTP and aliases and to ping a host or trace a route This chapter presents IP services commands alphabetically Use Table 28 to locate the commands in this chapter based on their use Table 28 IP Services Commands by Usage Type Command IP Interface set interface on page 160 set interface dhcp client on page 161 set interface status on page 163 display interface on page 142 display dhcp client on page 138 clear interface on page 127 System IP Address set system ip address on page 192 clear system ip address on page 136 IP Route set ip route on page 167 display ip route on page 146 clear ip route on page 130 SSH Management set ip ssh server on page 171 set ip ssh on page 170 Telnet Management set ip telnet on page 171 set ip telnet server on page 172 display ip telnet on page 148 clear ip telnet on page 131 126 CHAPTER 7 IP SERVICES COMMANDS Table 28 IP Services Commands by Usage continued Type Command HTTPS Management set ip https server on page 167 display ip https on page 145 DNS set ip dns on page 164 set ip dns domain on page 165 set ip dns server on page 166 display ip dns on page 144 clear ip dns domain on page 129 clear ip dns server on page 129 IP Alias set ip alias on page 164 display ip alias on page 143 clear ip alias on page 1
347. ient Type Classification of the rogue device rogue Wireless device that is on the network but is not supposed to be on the network intfr Wireless device that is not part of your network and is not a rogue but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Last seen Number of seconds since a MAP radio last detected 802 11 packets from the device Table 96 display rfdetect clients mac Output Field Description RSSI Received signal strength indication RSSI the strength of the RF signal detected by the MAP radio in decibels referred to 1 milliwatt dBm Rate The data rate of the client Last Seen Number of seconds since a MAP radio last detected 802 11 packets from the device BSSID MAC address of the SSID with which the rogue client is associated Vendor Company that manufactures or sells the AP with which the rogue client is associated display rfdetect countermeasures 541 Table 96 display rfdetect clients mac Output continued Field Description Typ Classification of the rogue device rogue Wireless device that is on the network but is not supposed to be on the network a intfr Wireless device that is not part of your network and is not a rogue but might be causing RF interference with MAP radios a known Device that is a legitimate member of the network D
348. ific Daylight Time type the following command WX1200 set summertime PDT success change accepted See Also Clear summertime on page 135 Clear timezone on page 136 display summertime on page 154 display timedate on page 155 display timezone on page 155 set timedate on page 193 set timezone on page 194 set system ip address Configures the system IP address The system IP address determines the interface or source IP address MSS uses for system tasks including the following a Mobility domain operations Topology reporting for dual homed MAP access points Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Syntax set system ip address ip addr ip addr IP address in dotted decimal notation The address must be configured on one of the WX switch s VLANs Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You must use an address that is configured on one of the WX switch s VLANs To display the system IP address use the display system command set timedate 193 Examples The following commands configure an IP interface on VLAN taupe and configure the interface to be the system IP address WX4400 set interface taupe ip 10 10 20 20 24 SUCCESS set ip address 10 10 20 20 netmask 255 255 255 0 on vlan taupe WX4400 set system ip address 10 10 20 20 success change accepted S
349. ificate authority s certificate as a PKCS 7 object file Then do the following Open the PKCS 7 object file with an ASCII text editor such as Notepad Or Vi 2 Enter the crypto ca certificate command on the CLI command line 3 When MSS prompts you for the PEM formatted certificate paste the PKCS 7 object file onto the command line Examples The following command adds the certificate authority s certificate to WX certificate and key storage WX4400 crypto ca certificate admin Enter PEM encoded c rtificate oe ae BEGIN CERTIFICATE TIDwDCCA2qgAwIBAgIQL2jvuu4PO5SFAQCyewU30j ANBgkqhkiG9wOBAQUFADCB mzerMClaweVOOTTooewi wpoer0QWNENk3J 900 44mbdr11277SWO8G7DiwYUtrqoQplKIvxz Lm8wmVYxP56M CUAm908C2f0YgOY40 SSS END CERTIFICATI ae See Also display crypto ca certificate on page 481 crypto certificate Installs one of the WX switch s PKCS 7 certificates into the certificate and key storage area on the WX switch The certificate which is issued and signed by a certificate authority authenticates the WX switch either to 3WXM or Web Manager or to 802 1X supplicants clients Syntax crypto certificate admin eap web PEM formatted certificate admin Stores the certificate authority s administrative certificate which authenticates the WX switch to 3WXM or Web Manager a eap Stores the certificate authority s Extensible Authentica
350. ile name a parameter Radio profile parameter beacon interval a dtim interval a frag threshold a long retry max rx lifetime max tx lifetime preamble length a xrts threshold service profile a short retry For information about these parameters see the set radio profile commands that use them Defaults If you reset an individual parameter the parameter is returned to the default value listed in Table 66 on page 362 Access Enabled History Introduced in MSS Version 3 0 Usage If you specify a parameter the setting for the parameter is reset to its default value The settings of the other parameters are unchanged and the radio profile remains in the configuration If you do not specify a parameter the entire radio profile is deleted from the configuration All radios that use this profile must be disabled before you can delete the profile clear service profile 289 Examples The following commands disable the radios that are using radio profile ro7 and reset the beaconed interval parameter to its default value WX4400 set radio profile rpl mode disable WX4400 clear radio profile rpl beacon interval success change accepted The following commands disable the radios that are using radio profile rptest and remove the profile WX4400 set radio profile rptest mode disable WX4400 clear radio profile rptest success change accepted See Also display radio profile on page 317 set
351. in effect until 60 seconds after the last 802 11b traffic is detected by the 802 11b g radio Sweep Mode indicates that a disabled radio is nonetheless participating in rogue detection scans Even though this message appears only for disabled radios all radios enabled or disabled participate in rogue detection Countermeasures Enabled indicates that the radio is sending countermeasures packets to combat a rogue The following information appears for external antennas External antenna detected configured as antenna model lndicates that an external antenna has been detected and lists the antenna model configured on the radio MSS does not detect the specific model External antenna detected not configured Iindicates that an external antenna was detected but no external antenna is configured on the radio External antenna not detected configured as antenna model lndicates that an external antenna is configured on the radio but no external antenna was detected operational channel The channel on which the radio is currently operating If the channel number is followed by Auto the value was set by RF Auto Tuning operational power The power level at which the radio is currently operating If the power setting is followed by Auto the value was set by RF Auto Tuning base mac Base MAC address of the radio bssid ssid SSIDs configured on the radio and their BSSIDs display auto tune
352. in MSS Version 4 1 Usage The last resort fallthru authentication type allows any user to access any SSID managed by the service profile This method does not require the user to provide a username or password Use the last resort method only if none of the SSIDs managed by the service profile require secure access The web auth authentication type requires additional configuration items See the Configuring AAA for Network Users chapter of the Wireless LAN Switch and Controller Configuration Guide Examples The following command sets the fallthru authentication for SSIDS managed by the service profile rnd_lab to none Wx4400 set service profile rnd_lab auth fallthru none success change accepted See Also a display service profile on page 321 set web portal on page 262 set service profile web portal form on page 387 set service profile auth psk Enables preshared key PSK authentication of Wi Fi Protected Access WPA clients by MAP radios in a radio profile when the WPA information element IE is enabled in the service profile Syntax set service profile name auth psk enable disable name Service profile name enable Enables PSK authentication of WPA clients disable Disables PSK authentication of WPA clients Defaults When the WPA IE is enabled PSK authentication of WPA clients is enabled by default If the WPA IE is disabled the auth psk setting has no effect 376
353. in client rate rate ap port list List of ports connected to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel dap auto Sets the radio mode for MAPs managed by the MAP configuration profile See set dap auto on page 325 radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models a rate Minimum data rate in megabits per second Mbps The valid values depend on the radio type For 802 119 radios 54 48 36 24 18 12 11 9 6 5 5 2 or 1 For 802 11b radios 11 5 5 2 or 1 For 802 11a radios 54 48 36 24 18 12 9 or 6 Defaults The default minimum data transmit rate depends on the radio type The default minimum data rate for 802 11b g and 802 11b radios is 5 5 Mbps The default minimum data rate for 802 11a radios is 24 Mbps Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile set fap dap radio mode 341 Usage If the data rate for traffic sent by a radio to an associated client falls below the default minimum rate the radio increases power in 1 dBm increments until all clients are at or above the minimum rate After all clients are at or above the minimum data transmit rate the radio reduces power by 1 dBm As long as the radio continues to transmit a
354. ine of the display identifies the characters to distinguish among the entry types The following command displays all entries that begin with the MAC address glob 00 WX4400 display fdb 00 Static VLAN TAG Dest MAC Route Des 1 Entry 03013 973137 0bs2t 0 0b 0e 02 76 f 5 Total Matching FDB Permanent Entry System Entry CoS Destination Ports Protocol Type T ALL T ALL Entries Displayed 2 Table 21 describes the fields in the display fdb output Table 21 Output for display fdb Field Description VLAN VLAN number TAG VLAN tag value If the interface is untagged the TAG field is blank MAC address of this forwarding entry s destination Dest MAC Route Des 104 CHAPTER 5 VLAN COMMANDS Table 21 Output for display fdb continued Field Description Cos Type of entry The entry types are explained in the first row of the command output Note This Class of Service CoS value is not associated with MSS quality of service QoS features Destination Ports Wireless LAN switch port associated with the entry A WX switch sends traffic to the destination MAC address through this port Protocol Type Layer 3 protocol address types that can be mapped to this entry Total Matching FDB Number of entries displayed by the command Entries Displayed See Also Clear fdb on page 98 set fdb on page 113 display fdb agingtime Dis
355. ing RF interference with MAP radios known Device that is a legitimate member of the network Adhoc Indicates whether the rogue is an infrastructure rogue is using an AP or is operating in ad hoc mode 550 CHAPTER 19 RF DETECTION COMMANDS Table 100 display rfdetect mobility domain ssid or bssid Output continued Field Description Crypto Types Encryption type clear no encryption ccmp tkip wep 104 WPA 104 bit WEP wep40 WPA 40 bit WEP wep non WPA WEP Wx IPaddress System IP address of the WX switch that detected the rogue Port Radio Channel Port number radio number and channel number of the radio that detected the rogue For a Distributed MAP the connection number is labeled dap This stands for distributed ap Mac MAC address of the radio that detected the rogue Device type Device type detected by the MAP radio Adhoc Ad hoc status yes or no detected by the MAP radio Crypto Types Encryption type detected by the MAP radio RSSI Received signal strength indication RSSI the strength of the RF signal detected by the MAP radio in decibels referred to 1 milliwatt dBm SSID SSID mapped to the BSSID See Also display rfdetect data on page 544 display rfdetect visible on page 552 display rfdetect ssid list Displays the entries in the permitted SSID list Syntax display rfdetect ssid list Defaults None Access Enabled
356. ing the number of seconds that must elapse before the WX times out a request to a RADIUS server Syntax clear dotlx timeout auth server Defaults The default is 30 seconds Access Enabled History Introduced in MSS Version 3 0 Examples To reset the default timeout for requests to an authentication server type the following command WX4400 clear dotlx timeout auth server success change accepted See Also display dot1x on page 505 set dot1x timeout auth server on page 515 clear dot1x timeout supplicant Resets to the default setting the number of seconds that must elapse before the WX switch times out an authentication session with a supplicant client Syntax clear dotlx timeout supplicant Defaults The default for the authentication timeout sessions is 30 seconds Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to reset the timeout period for an authentication session WX4400 clear dotlx timeout supplicant success change accepted See Also display dot1x on page 505 set dot1x timeout supplicant on page 516 clear dot1x tx period 505 clear dot1x tx period Resets to the default setting the number of seconds that must elapse before the WX switch retransmits an EAP over LAN EAPoL packet Syntax clear dotlx tx period Defaults The default is 5 seconds Access Enabled History Introduced in MSS Ve
357. ing to access and the user s MAC address MSS uses the method specified by the command Otherwise MSS uses local MAC authentication by default If the username does not match an authentication rule for the SSID the user is attempting to access MSS uses the fa thru authentication type configured for the SSID which can be last resort web for WebAAA or none Examples To use the local WX database to authenticate all users who access the mycorp2 SSID by their MAC address type the following command WX4400 set authentication ssid mycorp2 mac local success change accepted See Also Clear authentication mac on page 208 display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication dot1x on page 233 set authentication last resort on page 236 set authentication web on page 242 set authentication proxy 241 set authentication proxy Configures a proxy authentication rule for a third party AP s wireless users Syntax set authentication proxy ssid ssid name user glob radius server group a ssid ssid name SSID name to which this authentication rule applies a user glob A single user or a set of users Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an a
358. interface Mrouter Term Multicast router termination messages A multicast router sends this type of message when multicast forwarding is disabled on the router interface the router interface is administratively disabled or the router itself is gracefully shutdown Mrouter Sol Multicast router solicitation messages A multicast client or a WX sends this type of message to immediately solicit multicast router advertisement messages from the multicast routers in the subnet DVMRP Distance Vector Multicast Routing Protocol DVMRP messages Multicast routers running DVMRP exchange multicast information with these messages PIM V1 Protocol Independent Multicast PIM version 1 messages Multicast routers running PIMv1 exchange multicast information with these messages PIM V2 PIM version 2 messages Received Number of packets received Transmitted Number of packets transmitted This number includes both multicast packets originated by the WX and multicast packets received and then forwarded by the WX Dropped Number of IGMP packets dropped by the WX setigmp 433 Table 79 Output of display igmp statistics continued Field Description Topology Number of Layer 2 topology change notifications received by the notifications WX In the current software version the value in this field is always 0 Packets with Number of multicast packets received with an unrecognized unknown multicast type
359. interfaces configured on the wireless LAN switch Syntax display interface vlan id a vlan id VLAN name or number Defaults If you do not specify a VLAN ID interfaces for all VLANs are displayed Usage All History Introduced in MSS Version 3 0 Examples The following command displays all the IP interfaces configured on a WX switch WX4400 display interface VLAN Name default mauve Address Mask Enabled State RIB 10 10 10 10 290 2595 29050 YES Up ipv4 10 10 20 10 29529929540 O Down ipv4 TOSTO TOL 25529929940 YES Up ipv4 web aaa Table 33 describes the fields in this display display ip alias 143 Table 33 Output for display interface Field Description VLAN VLAN number Name VLAN name Address IP address Mask Subnet mask Enabled Administrative state a YES enabled a NO disabled State Link state Up operational a Down unavailable RIB Routing Information Base See Also Clear interface on page 127 set interface on page 160 set interface dhcp client on page 161 display ip alias Shows the IP aliases configured on the wireless LAN switch Syntax display ip alias name name Alias string Defaults If you do not specify an alias name all aliases are displayed Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays all the aliases configured on a WX switch
360. io STP priority of the port Portfast State of the uplink fast convergence feature a Enabled a Disabled See Also display spantree blockedports on page 401 display spantree backbonefast Indicates whether the STP backbone fast convergence feature is enabled or disabled Syntax display spantree backbonefast Defaults None Access All History Introduced in MSS Version 3 0 display spantree blockedports 401 Examples The following example shows the command output on a WX switch with backbone fast convergence enabled WX4400 display spantree backbonefast Backbonefast is enabled See Also set spantree backbonefast on page 411 display spantree Lists information about wireless LAN switch ports that STP has blocked on blockedports one or all of its VLANs Syntax display spantree blockedports vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays information for blocked ports on all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Usage The command lists information separately for each VLAN Examples The following command shows information about blocked ports on a WX switch for the default VLAN VLAN 1 WX4400 display spantree blockedports vlan default Port Vlan Port State Cost Prio Portfast 2 190 Blocking 4 128 Disabled Number of blocked ports segments in VLAN 1 1 The port informatio
361. iority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database of usernames and user groups on the WX switch for authentication server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods RADIUS servers cannot be used with the EAP TLS protocol For more information see Usage Defaults By default authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch Connection authorization and accounting are also disabled for these users Bonded authentication is disabled by default set authentication dotix 235 Access Enabled History Introduced in MSS Version 3 0 Usage You can configure different authentication methods for different groups of users by globbing For details see User Globs on page 26 You can configure a rule either for wireless access to an SSID or for wired access through a WX switch s wired authentication port If the rule is for wireless access to an SSID specify the SSID name or specify any to match on all SSID names If the rule is for wired access specify wired instead of an SSID name You cannot configure client authentication that uses both the EAP TLS protocol and one or more RADIUS servers EAP TLS authentication i
362. ious interval and changes radio power levels if needed Power Backoff Timer Interval in minutes at which radios in a radio profile reduce power after temporarily increasing the power to maintain the minimum data rate for an associated client At the end of each power backoff interval radios that temporarily increased their power reduce it by 1 dBm The power backoff continues in 1 dBm increments after each interval until the power returns to expected setting Channel Holddown Minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto Tuning can change the channel 320 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 63 Output for display radio profile continued Field Description Service profiles Service profiles mapped to this radio profile Each service profile contains an SSID and encryption information for that SSID Note When you upgrade from 2 x MSS creates a default dot1x service profile for encrypted SSIDs and a default clear service profile for unencrypted SSIDs These default service profiles contain the default encryption settings for crypto SSIDs and clear SSIDs respectively See Also set radio profile 11g only on page 347 set radio profile auto tune channel config on page 349 set radio profile auto tune channel holddown on page 350 set radio profile auto tune channel interval on page 351 set radio profile auto tune power backoff ti
363. isk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 The syntax descriptions for the clear authentication commands have been separated for clarity However the options and behavior for the clear authentication console command are the same as in previous releases Examples The following command clears authentication for administrator Regina Wx4400 clear authentication console Regina success change accepted See Also Clear authentication admin on page 204 display aaa on page 219 Clear authentication dot1x on page 206 Clear authentication last resort on page 207 Clear authentication mac on page 208 Clear authentication proxy on page 209 set authentication console on page 231 206 CHAPTER 8 AAA COMMANDS clear authentication dot1x Removes an 802 1X authentication rule Syntax clear authentication dot1lx ssid ssid name wired user glob a ssid ssid name SSID name to which this authentication rule applies a wired Clears a rule used for access over a WX switch s wired authentication port user glob A single user or a set of users with 802 1X network access Specify a username u
364. isplay banner motd on page 41 set confirm on page 52 set length on page 53 System Identification set prompt on page 54 set system name on page 60 set system location on page 59 set system contact on page 55 set system countrycode on page 56 set system idle timeout on page 58 set system idle timeout on page 58 display load on page 43 display system on page 43 clear system on page 40 38 CHAPTER 3 SYSTEM SERVICE COMMANDS clear banner motd Table 6 System Services Commands by Usage continued Type Command clear prompt on page 39 Help help on page 46 History history on page 47 clear history on page 39 License display license on page 42 set license on page 53 Technical Support display base information on page 41 Deletes the message of the day MOTD banner that is displayed before the login prompt for each CLI session on the wireless LAN switch Syntax clear banner motd Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To clear a banner type the following command WX4400 clear banner motd success change accepted As an alternative to clearing the banner you can overwrite the existing banner with an empty banner by typing the following command set banner motd See Also display banner motd on page 41 quickstart on page 48 clear history 39 clear history Deletes
365. isplay the summertime setting on a WX switch type the following commana WX1200 display summertime Summertime is enabled and set to PDT Start Sun Apr 04 2004 02 00 00 End Sun Oct 31 2004 02 00 00 Offset 60 minutes Recurring yes starting at 2 00 am of first Sunday of April and ending at 2 00 am on last Sunday of October See Also Clear summertime on page 135 Clear timezone on page 136 display timedate on page 155 display timezone on page 155 set summertime on page 191 display timedate 155 set timedate on page 193 set timezone on page 194 display timedate Shows the date and time of day currently set on a wireless LAN switch s real time clock Syntax display timedate Defaults None Access All History Introduced in MSS Version 3 0 Examples To display the time and date set on a WX switch s real time clock type the following command WX1200 display timedate Sun Feb 29 2004 23 59 02 PST See Also Clear summertime on page 135 Clear timezone on page 136 display summertime on page 154 display timezone on page 155 set summertime on page 191 set timedate on page 193 set timezone on page 194 display timezone Shows the time offset for the real time clock from UTC on a wireless LAN switch Syntax display timezone Defaults None Access All History Introduced in MSS Version 3 0 156 CHAPTER 7 IP SERVICE
366. ist mac addr mac addr MAC address you want to remove from the black list Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command removes MAC address 11 22 33 44 55 66 from the black list WX1200 clear rfdetect black list 11 22 33 44 55 66 success 11 22 33 44 55 66 is no longer blacklisted See Also set rfdetect black list on page 555 display rfdetect black list on page 538 clear rfdetect ignore Removes a device from the ignore list for RF scans MSS does not generate log messages or traps for the devices in the ignore list Syntax clear rfdetect ignore mac addr a mac addr Basic service set identifier BSSID which is a MAC address of the device to remove from the ignore list Defaults None Access Enabled History Introduced in MSS Version 3 0 536 CHAPTER 19 RF DETECTION COMMANDS Examples The following command removes BSSID aa bb cc 17 22 33 from the ignore list for RF scans WX1200 clear rfdetect ignore aa bb cc 11 22 33 success aa bb cc 11 22 33 is no longer ignored See Also display rfdetect ignore on page 546 set rfdetect ignore on page 558 clear rfdetect ssid list Removes an SSID from the permitted SSID list Syntax clear rfdetect ssid list ssid name ssid name SSID name you want to remove from the permitted SSID list Defaults None Access Enabled History Introduc
367. ket statistics first a xreceive errors Displays errors in received packets first transmit errors Displays errors in transmitted packets first a collisions Displays collision statistics first xreceive etherstats Displays Ethernet statistics for received packets first transmit etherstats Displays Ethernet statistics for transmitted packets first monitor port counters 77 Defaults All types of statistics are displayed for all ports MSS refreshes the statistics every 5 seconds This interval cannot be configured Statistics types are displayed in the following order by default Octets a Packets Receive errors Transmit errors a Collisions a Receive Ethernet statistics a Transmit Ethernet statistics Access All History Introduced in MSS Version 3 0 Usage Each type of statistic is displayed separately Press the Spacebar to cycle through the displays for each type If you use an option to specify a statistic type the display begins with that statistic type You can use one statistic option with the command Use the keys listed in Table 16 to control the monitor display Table 16 Key Controls for Monitor Port Counters Display Field Description Spacebar Advances to the next statistic type Esc Exits the monitor MSS stops displaying the statistics and displays a new command prompt c Clears the statistics counters for the currently displayed statistics t
368. key on page 473 crypto generate self signed on page 476 save config on page 584 set interface dhcp client on page 161 set vlan port on page 117 set banner motd Configures the banner string that is displayed before the beginning of each login prompt for each CLI session on the WX switch Syntax set banner motd text a Delimiting character that begins and ends the message text Up to 2000 alphanumeric characters including tabs and carriage returns but not the delimiting character The maximum number of characters is approximately 24 lines by 80 characters Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Type a caret then the message then another caret Do not use the following characters with commands in which you set text to be displayed on the WX switch such as message of the day MOTD banners Ampersand amp Angle brackets lt gt Double quotation marks Number sign Question mark Single quotation mark 52 CHAPTER 3 SYSTEM SERVICE COMMANDS Examples To create a banner that says Update meeting at 3 p m type the following command WX4400 set banner motd Update meeting at 3 p m success change accepted See Also Clear banner motd on page 38 display banner motd on page 41 set confirm Enables or disables the display of confirmation messages for commands t
369. ks are vegetable based with a low heavy metal content CONTENTS ABOUT THIS GUIDE Conventions 19 Documentation 20 Documentation Comments 21 USING THE COMMAND LINE INTERFACE Overview 23 CLI Conventions 24 Command Prompts 24 Syntax Notation 24 Text Entry Conventions and Allowed Characters 25 MAC Address Notation 25 IP Address and Mask Notation 26 User Globs MAC Address Globs and VLAN Globs 26 Port Lists 28 Virtual LAN Identification 29 Command Line Editing 29 Keyboard Shortcuts 29 History Buffer 30 Tabs 30 Single Asterisk Wildcard Character 30 Double Asterisk Wildcard Characters 30 Using CLI Help 31 Understanding Command Descriptions 32 ACCESS COMMANDS Commands by Usage 33 disable 33 enable 34 quit 34 set enablepass 35 SYSTEM SERVICE COMMANDS Commands by Usage 37 clear banner motd 38 clear history 39 clear prompt 39 clear system 40 display banner motd 41 display base information 41 display license 42 display load 43 display system 43 help 46 history 47 quickstart 48 set auto config 48 set banner motd 51 set confirm 52 set length 53 set license 53 set prompt 54 set system contact 55 set system countrycode 56 set system idle timeout 58 set system ip address 59 set system location 59 set system name 60 PORT COMMANDS Commands by Usage 63 cleardap 64 clear port counters 65 clear port group 65 clear port media type 66 clear portname 66 clear port preference 6
370. l ports refers to the number of additional MAPs the switch can boot and actively manage See Also display license on page 42 set prompt Changes the CLI prompt for the WX switch to a string you specify Syntax set prompt string a string Alphanumeric string up to 32 characters long To include spaces in the prompt you must enclose the string in double quotation marks Defaults The factory default for the WX switch name is the model number WX7200 for the 3Com Wireless LAN Switch WX1200 Wx4400 for the 3Com Wireless LAN Controller WX4400 Access Enabled History Introduced in MSS Version 3 0 set system contact set system contact 55 Usage When you first log in for the initial configuration of the WX switch the CLI provides a WX1200 gt or WX4400 gt prompt depending on your model After you become enabled by typing enable and giving a suitable password the WX7200 or WxX4400 prompt is displayed If you use the set system name command to change the default system name MSS uses that name in the prompt unless you also change the prompt with set prompt Examples The following example sets the prompt from WX4400 to happy_days Wx4400 set prompt happy days success change accepted happy _days See Also Clear prompt on page 39 a display config on page 574 set system name on page 60 Stores a contact name for the WX switch Syntax set system contact string
371. lay security acl resource usage output CHAPTER 14 SECURITY ACL COMMANDS Table 81 Output of display security acl resource usage Field Description Number of rules Number of security ACEs currently mapped to ports or VLANs Number of leaf nodes Number of security ACL data entries stored in the rule tree Stored rule count Number of security ACEs stored in the rule tree Leaf chain count Number of chained security ACL data entries stored in the rule tree Longest leaf chain Longest chain of security ACL data entries stored in the rule tree Number of non leaf nodes Number of nodes with no data entries stored in the rule tree Uncompressed Rule Count Number of security ACEs stored in the rule tree including duplicates ACEs in ACLs applied to multiple ports virtual ports or VLANs Maximum node depth Number of data elements in the rule tree from the root to the furthest data entry leaf Sub chain count Sum of action types represented in all security ACL data entries PSCBs in primary memory Number of pattern search control blocks PSCBs stored in primary node memory PSCBs in secondary memory Number of PSCBs stored in secondary node memory Leaves in primary Number of security ACL data entries stored in primary leaf memory Leaves in secondary Number of ACL data entries stored in secondary leaf memory Sum node depth
372. lds in this display Table 30 Output for display dhcp client Field Description Interface VLAN name and number Configuration Status Status of the DHCP client on this VLAN a Enabled a Disabled DHCP State State of the IP interface a F_UP a IF_DOWN Lease Allocation Duration of the address lease Lease Remaining Number of seconds remaining before the address lease expires IP Address P address received from the DHCP server Subnet Mask Network mask of the IP address received from the DHCP server Default Gateway Default gateway IP address received from the DHCP server If the address is 0 0 0 0 the server did not provide an address DHCP Server P address of the DHCP server DNS Servers DNS server IP address es received from the DHCP server DNS Domain Name See Also Default DNS domain name received from the DHCP server set interface dhcp client on page 161 140 CHAPTER 7 IP SERVICES COMMANDS display dhcp server Displays MSS DHCP server information Syntax display dhcp server interface vlan id verbose interface vlan id Displays the IP addresses leased by the specified VLAN verbose Displays configuration and status information for the MSS DHCP server Defaults None Access All History Introduced in MSS Version 4 0 Examples The following command displays the addresses leased by the MSS D
373. le disable permit mac mac addr mac addr vlan id VLAN name or number set security 2 restrict 115 mode Enables or disables restriction of Layer 2 forwarding enable disable permit mac mac addr MAC addresses to which clients are mac addr allowed to forward data at Layer 2 You can specify up to four addresses Defaults Layer 2 restriction is disabled by default Access Enabled History Introduced in MSS Version 4 1 Usage You can specify multiple addresses by listing them on the same command line or by entering multiple commands To change a MAC address use the clear security 12 restrict command to remove it then use the set security 12 restrict command to add the correct address Restriction of client traffic does not begin until you enable the permitted MAC list Use the mode enable option with this command Examples The following command restricts Layer 2 forwarding of client data in VLAN abc_air to the gateway routers with MAC address aa bb cc dd ee ff and 11 22 33 44 55 66 WxX4400 set security 12 restrict vlan abc_air mode enable permit mac aa bb cc dd ee ff 11 22 33 44 55 66 success change accepted See Also a Clear security 12 restrict on page 99 Clear security 12 restrict counters on page 100 display security 12 restrict on page 109 116 CHAPTER 5 VLAN COMMANDS set vlan name Creates a VLAN and assigns a number and name to it Syntax set vlan
374. le MSS assigns the radio to the default radio profile auto tune Maximum power level the RF Auto Tuning feature can set on max power the radio The value default means RF Auto Tuning can set the power up to the maximum level allowed for the country of operation A specific numeric value means you or another administrator set the maximum value auto tune Minimum data rate the radio must maintain for associated min client rate clients When RF Auto Tuning is enabled the radio can temporarily increase its power to maintain the data rate with an associated client display ap dap config 293 Table 51 Output for display ap config continued Field Description auto tune Maximum percentage of packets that can be retransmitted max retransmissions by a client before RF Auto Tuning increases power Note Only packets that are received twice by the MAP are counted as retransmissions If a client retransmits a packet but the MAP receives only a single copy of the packet the packet is not counted as a retransmission See Also display dap connection on page 313 display dap global on page 314 display dap unconfigured on page 316 display radio profile on page 317 set dap on page 81 set port type ap on page 91 set ap dap bias on page 328 set ap dap group on page 332 set ap dap name on page 333 set ap dap upgrade firmware on page 346 set ap dap radio mode on page 341 set ap dap radio antennatyp
375. le name xradio profile name Radio profile name of up to 16 alphanumeric characters with no spaces service profile name Service profile name of up to 16 alphanumeric characters with no spaces Defaults A radio profile does not have a service profile associated with it by default In this case the radios in the radio profile use the default settings for parameters controlled by the service profile Table 67 lists the parameters controlled by a service profile and their default values Table 67 Defaults for Service Profile Parameters Radio Behavior When Parameter Set Parameter Default Value to Default Value auth dot1x enable When the Wi Fi Protected Access WPA information element IE is enabled uses 802 1X to authenticate WPA clients set radio profile service profile 367 Table 67 Defaults for Service Profile Parameters continued Radio Behavior When Parameter Set Parameter Default Value to Default Value auth fallthru web auth Uses WebAAA for users who do not match an 802 1X or MAC authentication rule for the SSID requested by the user auth psk disable Does not support using a preshared key PSK to authenticate WPA clients beacon enable Sends beacons to advertise the SSID managed by the service profile cipher ccmp disable Does not use Counter with Cipher Block Chaining Message Authentication Code Protocol CCMP to encrypt traffic sent to WP
376. lear ip telnet 131 clear location policy 210 clear log 609 clear log buffer 609 clear log server 609 OY ONO Of OO OY OO ONAN Oe OK CO Oe OV OX EY OY Oe OF OO OY OY OO OV OY OOK OO OY EOYs OF OS OF OY OS ON OL OVO OO OY ear log trace 590 ear mac user 211 ear mac user attr 212 ear mac user group 212 ear mac usergroup 213 ear mac usergroup attr 214 ear mobility domain 266 ear mobility domain member 266 ear mobility profile 215 ear network domain 274 ear network domain mode 275 ear network domain peer 276 ear network domain seed ip 277 ear ntp server 131 ear ntp update interval 132 ear port counters 65 ear port media type 66 ear port name 66 ear port type 68 ear port group 65 ear qos 120 ear radio profile 288 ear radius 486 ear radius client system ip 487 ear radius server 489 ear rfdetect attack list 534 ear rfdetect black list 535 ear rfdetect ignore 535 ear rfdetect ssid list 536 ear rfdetect vendor list 537 ear security 12 restrict 99 ear security 12 restrict counters 100 ear security acl 446 ear security acl map 447 ear server group 489 ear server group load balance 489 ear service profile 289 ear sessions 519 ear sessions network 521 ear snmp community 133 ear snmp notify profile 133 ear snmp notify target 134 ear snoop 598 ear snoop map 598 s F an y a 642 INDEX clear spantree portcost 394 clear spantree portpri 395 cl
377. les The following command loads system image file WXA30001 Rel from boot partition 1 boot gt boot FN WXA03001 Rel DEV bootl Compact Flash load from boot0 WXA03001 Rel unzip Inflating ramdisk 3 0 1 092304 WxX4400 OK unzip file len 36196930 OK Copyright c 1996 1997 1998 1999 2000 2001 2002 2003 2004 The NetBSD Foundation Inc All rights reserved Copyright c 1982 1986 1989 1991 1993 anl he Regents of the University of California All rights reserved Detecting hardware done readclock 2004 9 29 21 45 7 31 UTC system initialized 3 0 1 starting MSS Executing update _ 3 Starting supervisor 3 0 1 092304 Wx4400 SNMPD Sep 29 21 45 34 262293 NOTICE SNMPD SNMP Agent Resident Module Version 16 1 0 0 SNMPD Sep 29 21 45 34 263146 NOTICE SNMPD Copyright c 2004 3Com Corporation All rights reserved SYS Sep 29 21 45 36 849457 NOTICE Port 1 up 1000 Full Duplex SYSLOGD Sep 29 21 45 38 857125 ALERT SYSTEM READY The system has finished booting cause was Warm Reboot Copyright c 2004 3Com Corporation All rights reserved Username See Also change on page 623 display on page 628 change 623 change Changes parameters in the currently active boot profile For information about boot profiles see display on page 628 Syntax change Defaults The default boot type is c compact flash The default filename is default The default flags
378. levels minimum delay 8 and minimum monetary cost 1 8 minimum delay 4 maximum throughput a 2 maximum reliability a 1 minimum monetary cost 0 normal established For TCP packets only applies the ACE only to established TCP sessions and not to new TCP sessions set security acl 463 before editbuffer index Inserts the new ACE in front of another ACE in the security ACL Specify the number of the existing ACE in the edit buffer Index numbers start at 1 To display the edit buffer use display security acl editbuffer modify editbuffer index Replaces an ACE in the security ACL with the new ACE Specify the number of the existing ACE in the edit buffer Index numbers start at 1 To display the edit buffer use display security acl editbuffer a hits Tracks the number of packets that are filtered based on a security ACL for all mappings Defaults Permitted packets are assigned to class of service CoS class 0 by default Access Enabled History Introduced in MSS Version 3 0 Usage The WX switch does not apply security ACLs until you activate them with the commit security acl command and map them to a VLAN port or virtual port or to a user If the WX switch is reset or restarted any ACLs in the edit buffer are lost You cannot perform ACL functions that include permitting denying or marking with a Class of Service CoS level on packets with a multicast
379. lient For non 802 1X clients who use MAC authentication WebAAA or last resort authentication wired authentication works if the clients are directly attached or indirectly attached Examples The following command sets port 2 for a wired authentication user WX1200 set port type wired auth 2 success change accepted The following command sets port 7 for a wired authentication user and specifies a maximum of three simultaneous user sessions WX1200 set port type wired auth 7 max sessions 3 success change accepted See Also Clear port type on page 68 set port type ap on page 91 Commands by usage VLAN COMMANDS Use virtual LAN VLAN commands to configure and manage parameters for individual port VLANs on network ports and to display information about clients roaming within a mobility domain This chapter presents VLAN commands alphabetically Use Table 20 to locate commands in this chapter based on their use Table 20 VLAN Commands by Usage Type Command Creation set security I2 restrict on page 114 Ports set vlan port on page 117 clear security 12 restrict on page 99 display vlan config on page 111 Roaming and Tunnels display roaming station on page 106 display roaming vlan on page 108 display security 12 restrict on page 109 Restriction of Client set security I2 restrict on page 114 Layer 2 Forwarding display security 12 restrict on page 109 clear security 12 res
380. list and the VLAN the ports are in MSS enables or disables STP on only the specified ports within the specified VLAN Defaults Disabled Access Enabled History Introduced in MSS Version 3 0 set spantree backbonefast 411 Examples The following command enables STP on all VLANs configured on a WX switch WxX4400 set spantree enable success change accepted The following command disables STP on VLAN burgundy WX4400 set spantree disable vlan burgundy success change accepted See Also display spantree on page 398 set spantree backbonefast AN Enables or disables STP backbone fast convergence on a wireless LAN switch This feature accelerates a port s recovery following the failure of an indirect link CAUTION The backbone fast convergence feature is not compatible with switches that are running standard IEEE 802 1D Spanning Tree implementations This includes switches running Rapid Spanning Tree or Multiple Spanning Tree Syntax set spantree backbonefast enable disable enable Enables backbone fast convergence disable Disables backbone fast convergence Defaults STP backbone fast path convergence is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage If you plan to use the backbone fast convergence feature you must enable it on all the bridges in the spanning tree Examples The following command enables backbone fast c
381. lly the number of minutes that the wireless LAN switch s real time clock is offset from Coordinated Universal Time UTC These values are also used by Network Time Protocol NTP if it is enabled Syntax set timezone zone name hours minutes zone name Time zone name of up to 32 alphabetic characters You can use a standard name or any name you like minus sign Minus time to indicate hours and minutes to be subtracted from UTC Otherwise hours and minutes are added by default hours Number of hours to add or subtract from UTC minutes Number of minutes to add or subtract from UTC Defaults If this command is not used then the default time zone is UTC Access Enabled History Introduced in MSS Version 3 0 telnet 195 Examples To set the time zone for Pacific Standard Time PST type the following commana WX1200 set timezone PST 8 Timezone is set to PST offset from UTC is 8 0 hours See Also Clear summertime on page 135 Clear timezone on page 136 display summertime on page 154 display timedate on page 155 display timezone on page 155 set summertime on page 191 set timedate on page 193 telnet Opens a Telnet client session with a remote device Syntax telnet ip addr hostname port port num ip addr IP address of the remote device hostname Hostname of the remote device port port num TCP port number
382. log messages Syntax display base information file subdirname filename subdirname filename Optional subdirectory name and a string up to 32 alphanumeric characters The command s output is saved into a file with the specified name in nonvolatile storage Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Enter this command before calling for Technical Support See Obtaining Support for your Product on page 637 for more information 42 CHAPTER 3 SYSTEM SERVICE COMMANDS See Also display boot on page 573 display config on page 574 display license on page 42 display system on page 43 a display version on page 576 display license Displays information about the license currently installed on the WX switch Syntax display license Defaults None Access All Examples To view the WX switch license type the following command WX4400 display license Serial Number M8XE4IBB8DB10 License Number 2 245 License Key WXL 076E 93E9 62DA 54D8 Activation key WXA 3E04 4CC2 430D B508 Feature 24 additional ports Expires Never The additional ports refers to the number of additional MAPs the switch can boot and actively manage See Also set license on page 53 display load 43 display load Displays CPU usage on a WX switch Syntax display load Defaults None Access Enabled
383. lohanumeric characters with no spaces crypto generate self signed 477 Organizational Unit string Optional Specify the name of the organizational unit in up to 80 alohanumeric characters with no spaces Common Name string Specify a unique name for the WX switch in up to 80 alphanumeric characters with no spaces Use a fully qualified name if such names are supported on your network This field is required Note If you are generating a WebAAA web certificate use a common name that looks like a domain name two or more strings connected by dots with no spaces For example use common name instead of common name The string is not required to be an actual domain name It simply needs to be formatted like one Email Address string Optional Specify your email address in up to 80 alphanumeric characters with no spaces Unstructured Name string Optional Specify any name in up to 80 alphanumeric characters with no spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage To use this command you must already have generated a public private encryption key pair with the crypto generate key command To generate a self signed administrative certificate type the following command WX4400 crypto generate self signed admin Country Name State Name Locality Name Organizational Name Organizational Unit
384. lowing Spanish speakers enter the URL http lat 3com com lat support form html Portuguese speakers enter the URL http lat 3com com br support form html English speakers in Latin America should send e mail to lat_support_anc 3com com AT amp T 800 998 2 57 1 657 0888 AT amp T 800 998 2 800 998 2112 571 657 0888 01 800 849CARE AT amp T 800 998 2 AT amp T 800 998 2 54 11 4894 1888 AT amp T 800 998 2 800 998 2112 AT amp T 800 998 2 800 998 2112 AT amp T 800 998 2 AT amp T 800 998 2 57 1 657 0888 ao o US and Canada Telephone Technical Support and Repair 1 800 876 3266 INDEX A autoboot 620 B boot 621 C change 623 clear ap dap radio 286 clear accounting 203 clear authentication admin 204 clear authentication console 205 clear authentication dot1x 206 clear authentication last resort 207 clear authentication mac 208 clear authentication proxy 209 clear banner motd 38 clear boot backup configuration 566 clear boot config 566 clear dap 64 clear dot1x max req 501 clear dot1x port control 501 clear dot1x quiet period 502 clear dot1x reauth max 503 clear dot1x reauth period 503 clear dot1x timeout auth server 504 clear dot1x timeout supplicant 504 clear dot1x tx period 505 clear fdb 98 clear history 39 clear igmp statistics 422 clear interface 127 clear ip alias 128 clear ip dns domain 129 clear ip dns server 129 clear ip route 130 c
385. lso does not tune the channels during operation If RF Auto Tuning for channels is enabled MSS does not allow you to manually change channels 350 CHAPTER 11 MANAGED ACCESS POINT COMMANDS RF Auto Tuning of channels on 802 11a radios uses only the bottom eight channels in the band 36 40 44 48 52 56 60 and 64 To use a higher channel number you must disable RF Auto Tuning of channels on the radio profile the radio is in and use the set ap dap radio channel command to statically configure the channel Examples The following command disables dynamic channel tuning for radios in the rp2 radio profile WX4400 set radio profile rp2 auto tune channel config disable success change accepted See Also set ap dap radio channel on page 339 set radio profile auto tune channel holddown on page 350 set radio profile auto tune channel interval on page 351 set radio profile auto tune power config on page 353 set radio profile auto tune channel holddown Sets the minimum number of seconds a radio in a radio profile must remain at its current channel assignment before RF Auto Tuning can change the channel The channel holddown provides additional stability to the network by preventing the radio from changing channels too rapidly in response to spurious RF anomalies such as short duration channel interference Syntax set radio profile name auto tune channel holddown holddown name Radio profile name
386. lt value 3600 seconds ip address Resets the IP address of the WX switch to null location Resets the location of the WX switch to null name Resets the name of the WX switch to the default system name which is the model number Defaults None Access Enabled History Introduced in MSS Version 3 0 Option idle timeout added in MSS Version 4 1 Examples To clear the location of the WX switch type the following command WxX4400 clear system location success change accepted See Also a display config on page 574 display system on page 43 set system contact on page 55 set system countrycode on page 56 set system idle timeout on page 58 set system idle timeout on page 58 set system location on page 59 display banner motd 41 display banner motd Shows the banner that was configured with the set banner motd command Syntax display banner motd Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To show the banner with the message of the day type the following command WX4400 display banner motd hello world See Also Clear banner motd on page 38 a quickstart on page 48 display base information Provides an in depth snapshot of the status of the wireless LAN switch which includes details about the boot image the version ports and other configuration values This command also displays the last 100
387. lue Added Services 637 Troubleshoot Online 638 Access Software Downloads 638 Telephone Technical Support and Repair 638 Contact Us 639 INDEX Conventions 19 ABOUT THIS GUIDE This command reference explains Mobility System Software MSS command line interface CLI that you enter on a 3Com WXR100 or WX1200 Wireless Switch or WX4400 Wireless LAN Controller to configure and manage the Mobility System wireless LAN WLAN Read this reference if you are a network administrator responsible for managing WXR100 WX1200 or WX4400 wireless switches and their Managed Access Points MAPs in a network If release notes are shipped with your product and the information there differs from the information in this guide follow the instructions in the release notes Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format PDF or HTML on the 3Com World Wide Web site http www 3com com Conventions Table 1 and Table 2 list conventions that are used throughout this guide Table 1 Notice Icons Icon Notice Type Description Information note Information that describes important features or instructions Caution Information that alerts you to potential loss of data or A N potential damage to an application system or device 20 ABOUT THIS GUIDE This manual uses the following text and syntax conventions Table 2 Text Conventions Convention Description Monospace te
388. ly and the default authentication and encryption types are both none Access Enabled History Introduced in MSS Version 4 0 Examples The following command creates USM user snmpmgr7 associated with the local SNMP engine ID This user can send traps to notification receivers WX 1200 set snmp usm snmpmgrl snmp engine id local success change accepted The following command creates USM user securesnmpmgr which uses SHA authentication and 3DES encryption with passphrases This user can send informs to the notification receiver that has engine ID 192 168 40 2 WX4400 set snmp usm securesnmpmgrl snmp engine id ip 192 168 40 2 auth type sha auth pass phrase myauthpword encrypt type 3des encrypt pass phrase mycryptpword success change accepted See Also Clear snmp usm on page 134 set ip snmp server on page 169 set snmp community on page 175 set snmp notify target on page 181 setsnmp notify profile on page 177 set snmp protocol on page 186 set snmp security on page 187 display snmp usm on page 154 set summertime 191 set summertime Offsets the real time clock of a wireless LAN switch by 1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set Syntax set summertime summer name start week weekday month hour min end week weekday month hour min summer name Name of up to 32 alphanumeric characters that describes the summertime
389. ly that VLAN Otherwise dynamic entries that match all VLANs are removed tag tag value VLAN tag value that identifies a virtual port If you do not specify a tag value MSS deletes only entries that match untagged interfaces Specifying a tag value deletes entries that match only the specified tagged interfaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You can delete forwarding database entries based on entry type port or VLAN A VLAN name or number is required for deleting permanent or static entries Examples The following command clears all static forwarding database entries that match VLAN blue WX4400 clear fdb static vlan blue success change accepted clear security 12 restrict 99 The following command clears all dynamic forwarding database entries that match all VLANs WX4400 clear fdb dynamic success change accepted The following command clears all dynamic forwarding database entries that match ports 3 and 5 WX4400 clear fdb port 3 5 success change accepted See Also display fdb on page 102 set fdb on page 113 clear security 12 restrict Removes one or more MAC addresses from the list of destination MAC addresses to which clients in a VLAN are allowed to send traffic at Layer 2 Syntax clear security 12 restrict vlan vlan id permit mac mac addr mac addr all a vlan id VLAN name or number permit mac List of
390. m ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 ip addr udp port number IP address of the server You also can specify the UDP port number to send notifications to community string Community string profile profile name Notification profile this SNMP user will use to specify the notification types to send or drop To configure a notification target for traps from SNMPv1 use the following command Syntax set snmp notify target target num ip addr udp port number vl community string profile profile name target num ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 ip addr udp port number IP address of the server You also can specify the UDP port number to send notifications to set snmp notify target 185 s community string Community string profile profile name Notification profile this SNMP user will use to specify the notification types to send or drop Defaults The default UDP port number on the target is 162 The default minimum required security level is unsecured The default number of retries is O and the default timeout is 2 seconds Access Enabled History Introduced in MSS Version 4 0 Usage The inform or trap option specifies whether the MS
391. main name on page 282 set network domain mode member seed ip on page 280 set network domain peer on page 281 clear network domain on page 274 clear network domain mode on page 275 274 CHAPTER 10 NETWORK DOMAIN COMMANDS clear network domain Table 47 Network Domain Commands by Usage continued Type Command clear network domain peer on page 276 clear network domain seed ip on page 277 display network domain on page 278 Clears all Network Domain configuration and information from a WX switch regardless of whether the WX switch is a seed or a member of a Network Domain Syntax clear network domain Defaults None Access Enabled History Introduced in MSS 4 1 Examples This command has no effect if the WX switch is not configured as part of a Network Domain To clear a Network Domain from a WX switch within the domain type the following commana WX1200 clear network domain This will clear all network domain configuration Would you like to continue y n n y success change accepted See Also set network domain mode member seed ip on page 280 set network domain peer on page 281 set network domain mode seed domain name on page 282 clear network domain mode 275 clear network domain mode Removes the Network Domain seed or member configuration from the WX switch Syntax clear network domain mode seed member seed Clears the
392. match the location policy rule Action options For a permit rule MSS changes the attributes assigned to the user to the values specified by the following options a vlan vlan name Name of an existing VLAN to assign to users with characteristics that match the location policy rule inacl inacl name Name of an existing security ACL to apply to packets sent to the WX switch with characteristics that match the location policy rule Optionally you can add the suffix in to the name outacl outacl name Name of an existing security ACL to apply to packets sent from the WX switch with characteristics that match the location policy rule set location policy 245 Optionally you can add the suffix out to the name Condition options MSS takes the action specified by the rule if all conditions in the rule are met You can specify one or more of the following conditions ssid operator ssid name SSID with which the user is associated The operator must be eq which applies the location policy rule to all users associated with the SSID Asterisks wildcards are not supported in SSID names You must specify the complete SSID name vlan operator vlan glob VLAN Name attribute assigned by AAA and condition by which to determine if the location policy rule applies Replace operator with one of the following operands eq Applies the location policy rule to all users assigned VLAN names matching vian g ob
393. mauve success change accepted See Also Clear spantree portcost on page 394 Clear spantree portvlancost on page 395 display spantree on page 398 display spantree portvlancost on page 403 set spantree portcost on page 414 418 CHAPTER 12 STP COMMANDS set spantree portvlanpri Changes the priority of a network port or ports for selection as part of the path to the STP root bridge on one VLAN or all VLANs Syntax set spantree portvlanpri port list priority value all vlan vlan id port list List of ports MSS changes the priority on the specified ports a priority value Priority value You can specify a value from 0O highest priority through 255 lowest priority all Changes the priority on all VLANs vlan vlan id VLAN name or number MSS changes the priority on only the specified VLAN Defaults The default STP priority for all network ports is 128 Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the priority of ports 3 and 4 to 48 on VLAN mauve WX1200 set spantree portvlanpri 3 4 priority 48 vlan mauve success change accepted See Also Clear spantree portpri on page 395 Clear spantree portvlanpri on page 396 display spantree on page 398 set spantree portpri on page 416 set spantree priority 419 set spantree priority Changes the STP root bridge priority of a wireless LAN switch on one or
394. me type SSH requires an SSH authentication key but you can allow MSS to generate it automatically The first time an SSH client attempts to access the SSH server on a WX switch the switch automatically generates a 1024 byte SSH key If you want to use a 2048 byte key instead use the crypto generate key ssh 2048 command to generate one Examples To generate an administrative key for use with 3WXM type the following command WX4400 crypto generate key admin 1024 key pair generated 474 CHAPTER 15 CRYPTOGRAPHY COMMANDS See Also display crypto key ssh on page 483 crypto generate request Generates a Certificate Signing Request CSR This command outputs a PEM formatted PKCS 10 text string that you can cut and paste to another location for delivery to a certificate authority This command generates either an administrative CSR for use with 3WXM and Web Manager or an EAP CSR for use with 802 1X clients Syntax crypto generate request admin eap web admin Generates a request for an administrative certificate to authenticate the WX switch to 3WXM or Web Manager eap Generates a request for an EAP certificate to authenticate the WX switch to 802 1X supplicants clients web Generates a request for a WebAAA certificate to authenticate the WX switch to WebAAA clients After you type the command you are prompted for the following variables Country Name string Optional Specify the abbr
395. mer on page 352 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 set radio profile beacon interval on page 355 set radio profile dtim interval on page 357 set radio profile frag threshold on page 358 set radio profile long retry on page 359 set radio profile max rx lifetime on page 360 set radio profile max tx lifetime on page 361 set radio profile mode on page 362 set radio profile preamble length on page 364 set radio profile rts threshold on page 365 set radio profile service profile on page 366 set radio profile short retry on page 369 display service profile 321 display service profile Displays service profile information Syntax display service profile name name Displays information about the named service profile a Displays a list of service profiles Defaults None Access Enabled History Introduced in MSS Version 3 0 New fields added to indicate the configured SSID default attributes in the service profile Examples The following command displays information for service profile woa_clients WX4400 display service profile wpa_clients ssid name private ssid type crypto beacon yes auth fallthru web auth WEP Key 1 value lt none gt WEP Key 2 value lt none gt WEP Key 3 value lt none gt WEP Key 4 value lt none gt WEP Unicast Index 1 WEP Multicast Index 1 Shared Key Auth NO WPA enabled
396. method and so on 238 CHAPTER 8 AAA COMMANDS However if local appears first followed by a RADIUS server group MSS overrides any failed searches in the local WX database and sends an authentication request to the server group MSS uses a last resort authentication rule under the following conditions a The client is not denied access by 802 1X or does not support 802 1X The client s MAC address does not match a MAC authentication rule The fallthru method is last resort For a wireless authentication rule the fallthru method is specified by the set service profile auth fallthru command For a wired authentication rule the fallthru method is specified by the auth fall thru option of the set port type wired auth command For wireless access MSS appends the requested SSID name to the user name last resort For example if the requested SSID is mycorp MSS attempts to authenticate the user ast resort mycorp If the RADIUS server or local database used as the authentication method has the user last resort mycorp access is granted Otherwise access is denied If the SSID specified in the last resort authentication rule is any MSS searches for user ast resort any The any in the username is not a wildcard The username must be last resort any exactly as spelled here Examples The following command configures a last resort authentication rule in the local WX database for SSID mycorp WX4400 set authentication last resort
397. mmand applies only to the WX4400 This command does not affect a link that is already active on the port Examples The following command clears the preference set on port 2 on a WX4400 switch WX4400 clear port preference 2 See Also display port preference on page 72 set port preference on page 88 68 CHAPTER 4 PORT COMMANDS clear port type AN Removes all configuration settings from a port and resets the port as a network port CAUTION When you clear a port MSS ends user sessions that are using the port Syntax clear port type port list a port list List of physical ports MSS resets and removes the configuration from all the specified ports Defaults The cleared port becomes a network port but is not placed in any VLANs Access Enabled History Introduced in MSS Version 3 0 Usage Use this command to change a port back to a network port All configuration settings specific to the port type are removed For example if you clear a MAP access point port all MAP specific settings are removed Table 10 lists the default network port settings that MSS applies when you clear a port s type Table 10 Network port defaults Port Parameter Setting VLAN membership None Note Although the command changes a port to a network port the command does not place the port in any VLAN To use the port in a VLAN you must add the port to the VLAN Spanning Tree Protocol STP Based on th
398. models radio all Shows RF attribute information for both radios Defaults None 310 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays RF attribute information for radio 1 on the directly connected MAP access point on port 2 WX1200 display auto tune attributes ap 2 radio 1 Auto tune attributes for port 2 radio 1 Noise Utilization CRC Errors count 92 Packet Retransmission Count 0 0 Phy 122 Errors Count 0 Table 58 describes the fields in this display Table 58 Output for display auto tune attributes Field Description Noise Noise threshold on the active channel RF Auto Tuning prefers channels with low noise levels over channels with higher noise levels Utilization Number of multicast packets per second that a radio can send on a channel while continuously sending fixed size frames over a period of time The number of packets that are successfully transmitted indicates how busy the channel is CRC Errors count Number of frames received by the radio on that active channel that had CRC errors A high CRC error count can indicate a hidden node or co channel interference Packet Retransmission Count Number of retransmitted packets sent from the client to the radio on the active channel Retransmissions can indicate that the client is not receiving ACKs from the MAP r
399. n MSS Version 3 0 Examples To clear all administrator sessions type the following command WX4400 clear sessions admin This will terminate manager sessions do you wish to continue y n nly To clear all administrative sessions through the console type the following command WX4400 clear sessions console This will terminate manager sessions do you wish to continue y n nly To clear all administrative Telnet sessions type the following command WX4400 clear sessions telnet This will terminate manager sessions do you wish to continue y n nly To clear Telnet client session O type the following command WX4400 clear sessions telnet client 0 See Also display sessions on page 522 clear sessions network 521 clear sessions network Clears all network sessions for a specified username or set of usernames MAC address or set of MAC addresses virtual LAN VLAN or set of VLANs or session ID Syntax clear sessions network user user glob mac addr mac addr glob vlan vlan glob session id local session id user user glob Clears all network sessions for a single user or set of users Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Gl
400. n from enabled mode to restricted access Syntax disable Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command restricts access to the CLI for the current session WX1200 disable WX1200 gt See Also enable on page 34 34 CHAPTER 2 ACCESS COMMANDS enable Places the CLI session in enabled mode which provides access to all commands required for configuring and monitoring the system Syntax enable Access All History Introduced in MSS Version 3 0 Usage MSS displays a password prompt to challenge you with the enable password To enable a session your or another administrator must have configured the enable password to this WX switch with the set enablepass command Examples The following command plus the enable password provides enabled access to the CLI for the current sessions WX1200 gt enable Enter password password WX1200 See Also set enablepass on page 35 set confirm on page 52 quit Exit from the CLI session Syntax quit Defaults None Access All History Introduced in MSS Version 3 0 Examples To end the administrator s session type the following command WX1200 gt quit set enablepass 35 set enablepass Sets the password that provides enabled access for configuration and monitoring to the WX switch Syntax set enablepass Defaults None Access Enabled
401. n is the same as the information displayed by the display spantree command See Table 69 on page 399 See Also display spantree on page 398 402 CHAPTER 12 STP COMMANDS display spantree portfast Displays STP uplink fast convergence information for all network ports or for one or more network ports Syntax display spantree portfast port list port list List of ports If you do not specify any ports MSS displays uplink fast convergence information for all ports Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command shows uplink fast convergence information for all ports WX1200 display spantree portfast Port Vlan Portfast 0 si a O BF WN EF Q P o w o 0 0 oO Table 70 describes the fields in this display Table 70 Output for display spantree portfast Field Description Port Port number VLAN VLAN number Portfast State of the uplink fast convergence feature a Enable a Disable See Also set spantree portfast on page 415 display spantree portvlancost 403 display spantree portvlancost Shows the cost of a port on a path to the STP root bridge for each of the port s VLANs Syntax display spantree portvlancost port list a port list List of ports Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command shows the STP port cost of port 1
402. n page 209 set service profile auth fallthru on page 374 set user on page 258 264 CHAPTER 8 AAA COMMANDS gt MOBILITY DOMAIN COMMANDS Use Mobility Domain commands to configure and manage Mobility Domain groups A Mobility Domain is a system of WX switches and MAP access points working together to support a roaming user client One WX switch acts as a seed switch which maintains and distributes a list of IP addresses of the domain members 3Com recommends that you run the same MSS version on all the WX switches in a Mobility Domain Commands by Usage This chapter presents Mobility Domain commands alphabetically Use Table 45 to locate commands in this chapter based on their use Table 45 Mobility Domain Commands by Usage Type Command Mobility Domain set mobility domain mode seed domain name on page 271 set mobility domain member on page 269 set mobility domain mode member seed ip on page 270 display mobility domain status on page 267 display mobility domain config on page 267 clear mobility domain member on page 266 clear mobility domain on page 266 266 CHAPTER 9 MOBILITY DOMAIN COMMANDS clear mobility domain Clears all Mobility Domain configuration and information from a WX switch regardless of whether the WX switch is a seed or a member of a Mobility Domain Syntax clear mobility domain Defaults None Access Enabled History Introduced in
403. n page 529 display sessions network session id display See Table 93 on page 530 Examples To display summary information for all network sessions type display sessions network For example WX1200 display sessions network User Sess IP or MAC VLAN Port Name ID Address Name Radio EXAMPLE Natasha 4 10 10 40 17 vilan eng 3 host laptop1l exmpl com 6 10 10 40 16 vlan eng 3 2 nin exmpl com 539 10 10 40 17 vlan eng 1 EXAMPLE hosni 302 10 10 40 10 vlan eng 3 563 00 0b be 15 46 56 none 1 2 jose exmpl com 380 10 30 40 8 vlan eng 1 00 30 65 16 8d 69 443 10 10 40 19 vlan wep 3 1 EXAMPLE Geetha 459 10 10 40 18 vilan eng 3 2 8 sessions total The following command displays summary information about the sessions for MAC address 00 05 5d 7e 98 1a WX1200 display sessions network mac addr 00 05 5d 7e 98 1la User Sess IP or MAC VLAN Port Name ID Address Name Radio EXAMPLE Havel 13 10 10 10 40 vlan eng 1 2 The following command displays summary information about all the sessions of users whose names begin with E WX1200 display sessions network user E User Sess IP or MAC VLAN Port Name ID Address Name Radio display sessions network 527 EXAMPLE Singh 12 10 10 10 30 vlan eng 3 2 EXAMPLE Havel 13 10 10 10 40 vlan eng 1 2 2 sessions match criteria of 3 total Table 91 on page 528 describes the summary displays of dis
404. n the Network Domain State Mode State of the WX switch in the Network Domain UP a DOWN Role of the WX switch in the Network Domain UP a DOWN Output if WX is a Network Domain Member Member Network Domain name Name of the Network Domain of which the WX switch is a member Member IP addresses of the seed WX switch and members in the Network Domain State State of the WX switch in the Network Domain UP a DOWN Mode Role of the WX switch in the Network Domain a MEMBER SEED See Also Clear network domain on page 274 set network domain mode member seed ip on page 280 set network domain mode seed domain name on page 282 set network domain peer on page 281 280 CHAPTER 10 NETWORK DOMAIN COMMANDS set network domain mode member seed ip Sets the IP address of a Network Domain seed This command is used for configuring a WX switch as a member of a Network Domain You can specify multiple Network Domain seeds and configure one as the primary seed Syntax set network domain mode member seed ip ip addr affinity num ip addr IP address of the Network Domain seed in dotted decimal notation num Preference for using the specified Network Domain seed You can specify a value from 1 through 10 A higher number indicates a greater preference Defaults The default affinity for a Network Domain seed is 5 Access Enabled History Introduced in MSS 4 1 U
405. nd Examples The following command changes the short retry threshold for radio profile rp7 to 3 WX4400 set radio profile rpl short retry 3 success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile long retry on page 359 set radio profile wmm Disables or reenables Wi Fi Multimedia WMM on the MAP radios in a radio profile Syntax set radio profile name wmm enable disable name Radio profile name enable Enables WMM disable Disables WMM Defaults WMM is enabled by default Access Enabled History Introduced in MSS Version 4 0 Usage When WMM is disabled MAP forwarding prioritization is optimized for SpectraLink Voice Priority SVP instead of WMM and the MAP does not tag packets it sends to the WX Otherwise classification and tagging remain in effect For information see the Configuring Quality of Service chapter of the Wireless LAN Switch and Controller Configuration Guide If you plan to use SpectraLink 802 11 phones you must enable call admission control CAC Use the set radio profile wmm admission control command set service profile attr 371 If you plan to use SVP or another non WMM type of prioritization you must configure ACLs to tag the packets See the Enabling Prioritization for Legacy Voice over IP section in the Configuring and Managing Security ACLs chapter
406. nd begins countermeasures against rogue BSSID aa bb cc 11 22 33 WX1200 set rfdetect countermeasures mac aa bb cc 11 22 33 success set rfdetect countermeasures mac aa bb cc 11 22 33 558 CHAPTER 19 RF DETECTION COMMANDS See Also Clear rfdetect attack list on page 534 display rfdetect ignore on page 546 set rf detect countermeasures on page 556 set rfdetect ignore Configures a list of known devices to ignore during an RF scan MSS does not generate log messages or traps for the devices in the ignore list Syntax set rfdetect ignore mac addr mac addr BSSID MAC address of the device to ignore Defaults MSS reports all unknown BSSIDs detected during an RF scan Access Enabled History Introduced in MSS Version 3 0 Usage Use this command to identify third party APs and other devices you are already aware of and do not want MSS to report following RF scans If you try to initiate countermeasures against a device on the ignore list the ignore list takes precedence and MSS does not issue the countermeasures Countermeasures apply only to rogue devices If you add a device that MSS has classified as a rogue to the permitted vendor list or permitted SSID list but not to the ignore list MSS can still classify the device as a rogue Adding an entry to the permitted vendor list or permitted SSID list merely indicates that the device is from an allowed manufacturer or is using an allowed SSID
407. nds to change settings for the parameters listed in Table 65 The commands are listed in the See Also section Table 65 Configurable Profile Parameters for Distributed MAPs Parameter Default Value MAP Parameters mode disabled bias high upgrade firmware enable YES boot download enable group load balancing group none blink disable Not shown in display dap config output Radio Parameters radiotype type 11g or 11b for country codes where 802 11g is not allowed mode enabled 326 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 65 Configurable Profile Parameters for Distributed MAPs continued Parameter Default Value tx pwr Highest setting allowed for the country of operation radio profile profile default max power default min client rate 5 5 for 802 11b g 24 for 802 11a max retransmissions 10 Examples The following command creates a profile for automatic Distributed MAP configuration WX1200 set dap auto success change accepted See Also set dap auto mode on page 327 set dap auto radiotype on page 326 set ap dap bias on page 328 set ap dap blink on page 330 set ap dap group on page 332 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set ap dap radio auto tune min client rate on page 340 set ap dap radio mode on page 341 set ap dap
408. ne Access All History Introduced in MSS Version 3 0 The following command lists the number of dynamic entries that the forwarding database contains WX1200 display fdb count dynamic Total Matching Entries 2 See Also display fdb on page 102 106 CHAPTER 5 VLAN COMMANDS display roaming station Shows a list of the stations roaming to the wireless LAN switch through a VLAN tunnel Syntax display roaming station vlan vlan id peer ip addr vlan vian id Output is restricted to stations using this VLAN peer ip addr Output is restricted to stations tunnelling through this peer WX switch in the Mobility Domain Defaults None Access Enabled History Introduced in MSS Version 3 0 Old AP MAC field removed in MSS Version 4 1 Usage The output displays roaming stations within the previous 1 second Examples To display all stations roaming to the WX switch type the following command WX4400 display roaming station User Name redsgqa Station Address VLAN State HOt TOLOS violet Up Table 22 describes the fields in the display Table 22 Output for display roaming station Field Description User Name Name of the user This is the name used for authentication The name resides in a RADIUS server database or the local user database on a wireless LAN switch Station IP address of the user device Address VLAN Name of the VLAN to which the RADIU
409. nel channel number Channel number The valid channel numbers depend on the country of operation Defaults The default channel depends on the radio type The default channel number for 802 1 1b g is 6 The default channel number for 802 114 is the lowest valid channel number for the country of operation Access Enabled History Introduced in MSS Version 3 0 Usage You can configure a radio s transmit power on the same command line Use the tx power option This command is not valid if dynamic channel tuning RF Auto Tuning is enabled Examples The following command configures the channel on the 802 11a radio on the MAP access point connected to port 5 WX1200 set ap 5 radio 1 channel 36 success change accepted The following command configures the channel and transmit power on the 802 11b g radio on the MAP access point connected to port 1 WX1200 set ap 1 radio 1 channel 1 tx power 10 success change accepted 340 CHAPTER 11 MANAGED ACCESS POINT COMMANDS See Also display ap dap config on page 290 set ap dap radio tx power on page 344 set ap dap radio auto tune min client rate Sets the minimum rate at which a radio is allowed to transmit traffic to clients The radio automatically increases its transmit power when necessary to maintain at least the minimum rate with an associated client Syntax set ap port list dap dap num auto radio 1 2 auto tune m
410. nent static dynamic ip addr mac addr permanent Adds a permanent entry A permanent entry does not age out and remains in the database even after a reboot reset or power cycle a static Adds a static entry A static entry does not age out but the entry does not remain in the database after a reboot reset or power cycle dynamic Adds a dynamic entry A dynamic entry is automatically removed if the entry ages out or after a reboot reset or power cycle ip addr IP address of the entry in dotted decimal notation mac addr MAC address to map to the IP address Use colons to separate the octets for example 00 11 22 aa bb cc Defaults The default aging timeout is 1200 seconds Access Enabled History Introduced in MSS Version 3 0 Examples The following command adds a static ARP entry that maps IP address 10 10 10 1 to MAC address 00 bb cc dd ee ff WX1200 set arp static 10 10 10 1 00 bb cc dd ee ff success added arp 10 10 10 1 at O0 bb cc dd ee ff on VLAN 1 See Also set arp agingtime on page 159 telnet on page 195 set arp agingtime 159 set arp agingtime Changes the aging timeout for dynamic ARP entries Syntax set arp agingtime seconds seconds Number of seconds an entry can remain unused before MSS removes the entry You can specify from O through 1 000 000 To disable aging specify O Defaults None Access Enabled History In
411. nfigured in the attack list are subject to countermeasures In this case devices found to be rogues by other means such as policy violations or by determining that the device is providing connectivity to the wired network are not attacked Examples The following command adds MAC address aa bb cc 44 55 66 to the attack list WX4400 set rfdetect attack list 11 22 33 44 55 66 success MAC 11 22 33 44 55 66 is now in attacklist See Also Clear rfdetect attack list on page 534 display rfdetect attack list on page 537 set radio profile countermeasures on page 355 set rfdetect black list Adds an entry to the client black list The client black list specifies clients that are not allowed on the network MSS drops all packets from the clients on the black list Syntax set rfdetect black list mac addr mac addr MAC address you want to place on the black list Defaults The client black list is empty by default Access Enabled History Introduced in MSS Version 4 0 Usage In addition to manually configured entries the list can contain entries added by MSS MSS can place a client in the black list due to an association reassociation or disassociation flood from the client The client black list applies only to the WX switch on which the list is configured WX switches do not share client black lists 556 CHAPTER 19 RF DETECTION COMMANDS Examples The following command adds client MAC addres
412. ng characters cannot be used as part of the one time password of a PKCS 12 file Quotation marks Question mark Ampersand amp Defaults None Access Enabled crypto pkcs12 crypto pkcs12 479 History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage The password allows the public private key pair and certificate to be installed together from the same PKCS 12 object file MSS erases the one time password after processing the crypto pkcs12 command or when you reboot the WX switch 3Com recommends that you create a password that is memorable to you but is not subject to easy guesses or a dictionary attack For best results create a password of alphanumeric uppercase and lowercase characters Examples The following command creates the one time password hap9iN ss for installing an EAP certificate and key pair WX4400 crypto generate otp eap hap9iN ss OTP set See Also crypto pkcs12 on page 479 Unpacks a PKCS 12 object file into the certificate and key storage area on the WX switch This object file contains a public private key pair an WX certificate signed by a certificate authority and the certificate authority s certificate Syntax crypto pkcs12 admin eap web file location url admin Unpacks a PKCS 12 object file for an administrative certificate and key pair and optionally the certificate authority s own certificat
413. ng for snoop filter snoop 7 WX1200 display snoop map snoop1 filter snoopl mapping Dap 3 Radio 2 See Also Clear snoop map on page 598 set snoop map on page 602 display snoop on page 604 606 CHAPTER 22 SNOOP COMMANDS display snoop stats Displays statistics for enabled snoop filters Syntax display snoop stats filter name dap num radio 1 2 a filter name Name of the snoop filter dap num Number of a Distributed MAP to which the snoop filter is mapped radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models Defaults None Access Enabled History Introduced in MSS Version 4 0 Usage The MAP retains statistics for a snoop filter until the filter is changed or disabled The MAP then clears the statistics Examples The following command shows statistics for snoop filter snoop 1 WX1200 display snoop stats snoop1l Filter Dap Radio Rx Match Tx Match Dropped Stop After snoopl 3 1 96 4 0 stopped display snoop stats 607 Table 109 describes the fields in this display Table 109 display snoop stats Output Field Filter Dap Radio Rx Match Tx Match Dropped Stop After Description Name of the snoop filter Distriouted MAP containing the radio to which the filter is mapped Radio to which the filter is mapped Number of packets received by the radio that match the filter Num
414. nnected to the WX switch and the WX switch s port is configured as a MAP access port DAP Connection ID for the Distributed MAP Note This field is applicable only if the MAP is configured on the WX switch as a Distributed MAP Serial Id Serial ID of the MAP access point Note This field is displayed only for Distributed MAPs AP model MAP access point model number POE PoE state on the WX port a Enable a Disable bias Bias of the WX connection to the MAP a High a Low 292 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 51 Output for display ap config continued Field Description name MAP access point name boot download enable State of the firmware upgrade option a YES automatic upgrades are enabled a NO automatic upgrades are disabled load balancing group Names of the MAP load balancing groups to which the MAP access point belongs If the value is None the access point does not belong to any load balancing groups Note This field is displayed only if the MAP is a member of a group Radio Radio number The information listed below this field applies specifically to the radio type Radio type a 802 11a a 802 11b 802 119 mode Radio state a Enabled a Disabled channel Channel number antennatype External antenna model if applicable tx pwr Transmit power in dBm profile Radio profile that manages the radio Until you assign the radio to a radio profi
415. nticated nor are they encrypted This is the default authenticated Message exchanges are authenticated but are not encrypted encrypted Message exchanges are authenticated and encrypted To configure a notification target for informs from SNMPv2c use the following command Syntax set snmp notify target target num ip addr udp port number v2c community string inform profile profile name retries num timeout num target num ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 184 CHAPTER 7 IP SERVICES COMMANDS SNMPv2c with Traps SNMPv1 with Traps ip addr udp port number IP address of the server You also can specify the UDP port number to send notifications to community string Community string profile profile name Notification profile this SNMP user will use to specify the notification types to send or drop retries num Notification profile this SNMP user will use to specify the notification types to send or drop timeout num Specifies the number of seconds MSS waits for acknowledgement of a notification You can specify from 1 to 5 seconds To configure a notification target for traps from SNMPv2c use the following command Syntax set snmp notify target target num ip addr udp port number v2c community string trap profile profile name target nu
416. ntication last resort wired See Also Clear authentication admin on page 204 Clear authentication console on page 205 Clear authentication dot1x on page 206 Clear authentication mac on page 208 Clear authentication proxy on page 209 display aaa on page 219 set authentication last resort on page 236 208 CHAPTER 8 AAA COMMANDS clear authentication mac Removes a MAC authentication rule Syntax clear authentication mac ssid ssid name wired mac addr glob a ssid ssid name SSID name to which this authentication rule applies a wired Clears a rule used for access over a WX switch s wired authentication port mac addr glob A single user or set of users with access via a MAC address Specify a MAC address or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes a MAC authentication rule for access to SSID thatcorp by MAC addresses beginning with aa bb cc WX4400 clear authentication mac ssid thatcorp aa bb cc See Also Clear authentication admin on page 204 Clear authentication console on page 205 Clear authentication dot1x on page 206 Clear authentication last resort on page 207 Clear authentication proxy on page 209 display aaa on page 219 set authentication mac on page
417. nting statistics Output Field Description Date and time Date and time of the accounting record display accounting statistics 223 Table 43 display accounting statistics Output continued Acct Status Type Type of accounting record START STOP UPDATE Acct Authentic Location where the user was authenticated if authentication took place for the session a 1 RADIUS server 2 Local WX database User Name Username of a user with a password Acct Multi Session ld Unique accounting ID for multiple related sessions in a log file AAA_TTY_ATIR For sessions conducted through a console or administrative Telnet connection the Telnet terminal number Event Timestamp Time in seconds since January 1 1970 at which the event was triggered See RFC 2869 for more information Acct Session Time Number of seconds that the session has been online Acct Output Octets Number of octets the WX switch has sent during the session Acct Input Octets Number of octets the WX switch has received during the session Acct Output Packets Number of packets the WX switch has sent during the session Acct Input Packets Number of packets the WX switch has received during the session Vlan Name Name of the client s VLAN Calling Station Id MAC address of the supplicant client Nas Port ld Number of the port and radio on the MAP access point through which the session was cond
418. o ClientDot1xFailureTraps Generated when a client experiences an 802 1X failure ClientRoamingTraps Generated when a client roams CounterMeasureStartTraps Generated when MSS begins countermeasures against a rogue access point CounterMeasureStopTraps Generated when MSS stops countermeasures against a rogue access point DAPConnectWarningTraps Generated when a Distributed MAP whose fingerprint has not been configured in MSS establishes a management session with the switch DeviceFailTraps Generated when an event with an Alert severity occurs DeviceOkayTraps Generated when a device returns to its normal state LinkDownTraps Generated when the link is lost on a port LinkUpTraps Generated when the link is detected on a port MichaelMICFailureTraps Generated when two Michael message integrity code MIC failures occur within 60 seconds triggering Wi Fi Protected Access WPA countermeasures set snmp notify profile 179 MobilityDomainJoinTraps Generated when the WX switch is initially able to contact a mobility domain seed member or can contact the seed member after a timeout MobilityDomainTimeoutTraps Generated when a timeout occurs after a WX switch has unsuccessfully tried to communicate with a seed member PoEFailTraps Generated when a serious PoE problem such as a short circuit occurs RFDetectAdhocUserTraps Generated when MSS detects an ad hoc user RFDetectRogueAPTraps Generat
419. o pro set radio pro set radio pro set radio pro set radio pro set radio prof set radio prof set radio prof set radio prof set radio pro set radio prof set radio prof set radio prof set radio prof set radio prof set radio prof f f f set service profile attr set service profile auth dot1x set service profile auth fallthru radio auto tune min client rate 340 radio mode 341 radio radio profile radio tx power ty 345 upgrade firmware ile 11g only 347 ile active scan 348 ile auto tune channel config 349 ile auto tune channel holddown 350 ile auto tune channel interval 351 ile auto tune power backoff timer ile auto tune power config 353 ile auto tune power interval 354 ile beacon interval 355 ile countermeasures 355 ile dtim interval 357 ile frag threshold 358 ile long retry 359 ile max rx lifetime ile max tx lifetime ile mode 362 ile preamble length ile rts threshold 365 ile service profile 366 ile short retry 369 illewmm 370 371 343 344 346 352 360 361 364 373 374 set service pro set service pro set service pro set service pro set service pro set service pro set service pro set service pro f f ile auth psk 375 ile beacon 376 ile cipher ccmp 377 ile cipher tkip 378 ile cipher wep104 ile cipher wep40 ile psk phrase ile psk raw 379 380 381 382 12 set service profile rsn i
420. o specify a port range enter two port numbers Enter the lower port number first followed by the higher port number 462 CHAPTER 14 SECURITY ACL COMMANDS For a complete list of TCP and UDP port numbers see www iana org assignments port numbers a destination ip addr mask P address and wildcard mask of the network or host to which the packet is being sent Specify both address and mask in dotted decimal notation For more information see Wildcard Masks on page 26 type icmp type Filters ICMP messages by type Specify a value from O through 255 For a list of ICMP message type and code numbers see www iana org assignments icmp parameters code icmp code For ICMP messages filtered by type additionally filters ICMP messages by code Specify a value from O through 255 For a list of ICMP message type and code numbers see www iana org assignments icmp parameters precedence precedence Filters packets by precedence level Specify a value from O through 7 a 0 routine precedence 1 priority precedence 2 immediate precedence 3 flash precedence a 4 flash override precedence 5 Critical precedence 6 internetwork control precedence a 7 network control precedence a tos tos Filters packets by type of service TOS level Specify one of the following values or any sum of these values up to 15 For example a tos value of 9 filters packets with the TOS
421. o that gateway router is up WX4400 set ip route default 10 2 4 69 1 success change accepted WX4400 set ip route default 10 2 4 17 2 success change accepted The following command adds an explicit route from a WX switch to any host on the 192 168 4 x subnet through the local router 10 5 4 2 and gives the route a cost of 1 WX4400 set ip route 192 168 4 0 255 255 255 0 10 5 4 2 1 success change accepted The following command adds another explicit route using CIDR notation to specify the subnet mask WX4400 set ip route 192 168 5 0 24 10 5 5 2 1 success change accepted See Also Clear ip route on page 130 display interface on page 142 display ip route on page 146 set ip snmp server Enables or disables the SNMP service on the wireless LAN switch Syntax set ip snmp server enable disable enable Enables the SNMP service disable Disables the SNMP service Defaults The SNMP service is disabled by default Access Enabled 170 CHAPTER 7 IP SERVICES COMMANDS History Introduced in MSS Version 3 0 Examples The following command enables the SNMP server on a WX switch WxX4400 set ip snmp server enable success change accepted See Also set port trap on page 90 set snmp community on page 175 set ip ssh Changes the TCP port number on which a wireless LAN switch listens for Secure Shell SSH management traffic CAUTION If you change the SSH port numbe
422. o tune max retransmissions 337 set ap dap radio channel 339 set ap dap radio min client rate 340 set ap dap radio mode 341 set ap dap radio radio profile 343 644 se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se se set se se se set t INDEX ap dap radio tx power 344 ap dap upgrade firmware 346 accounting admin console 225 accounting dot1x mac web last resort 227 arp 158 arp agingtime 159 authentication admin 229 authentication console 231 authentication dot1x 233 authentication last resort 236 authentication mac 239 authentication proxy 241 authentication web 242 auto config 48 banner motd 51 boot backup configuration 585 boot configuration file 586 587 confirm 52 dap 81 dap auto 325 dap auto mode 327 dap fingerprint 331 dot1x authcontrol 508 dot1x key tx 510 dot1x max req 511 dot1x port control 512 dot1x quiet period 513 dot1x reauth 513 dot1x reauth max 514 dot1x reauth period 515 dot1x timeout auth server 515 dot1x timeout supplicant 516 dot1x tx period 516 dot1x wep rekey 517 dot1x wep rekey period 518 enablepass 35 fdb 113 fdb agingtime 114 igmp mrsol 436 igmp mrsol mrsi 436 igmp qri 440 igmp querier 441 igmp receiver 441 igmp rv 442 interface 160 interface dhcp server 162 interface st
423. o which a WX forwards multicast traffic You can display receivers for all VLANs a single VLAN or a group or groups identified by group address and network mask Syntax display igmp receiver table vlan vlan id group group ip addr mask length vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays the multicast receivers on all VLANs group group ip addr mask length IP address and subnet mask of a multicast group in CIDR format for example 239 20 20 10 24 If you do not specify a group address MSS displays the multicast receivers for all groups Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays all multicast receivers in VLAN orange WX1200 display igmp receiver table vlan orange VLAN Session 237 237 237 237 orange Port Receiver IP Receiver MAC TTL 0 2 none none none undef 255 5 10 10 10 11 00 02 04 06 08 0b 179 255 5 10 10 10 13 00 02 04 06 08 0d 179 255 5 10 10 10 14 00 02 04 06 08 0e 179 255 5 10 10 10 12 00 02 04 06 08 0c 179 255 5 10 10 10 10 00 02 04 06 08 0a 179 237 430 CHAPTER 13 IGMP SNOOPING COMMANDS VLAN red Session 2378259629982 237425542599 119 VLAN green Session 2318255429907 The following command lists all receivers for multicast groups 237 255 255 1 through 237 255 255 255 in all VLANs WX1200 display igmp receiver table group 237 255 255 0 24
424. obs on page 26 mac addr mac addr glob Clears all network sessions for a MAC address Specify a MAC address in hexadecimal numbers separated by colons or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 vlan vian glob Clears all network sessions on a single VLAN or a set of VLANs Specify a VLAN name use the double asterisk wildcard character to specify all VLAN names or use the single asterisk wildcard character to specify a set of VLAN names up to or following the first delimiter character either an at sign or a period For details see VLAN Globs on page 28 session id local session id Clears the specified 802 1X network session To find local session IDs use the display sessions command Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The clear sessions network command clears network sessions by deauthenticating and for wireless clients disassociating them 522 CHAPTER 18 SESSION MANAGEMENT COMMANDS Examples To clear all sessions for MAC address 00 01 02 03 04 05 type the following command WX4400 clear sessions network mac addr 00 01 02 03 04 05 To clear session 9 type the following command WX1200 clear sessions network session id 9 SM Apr 11 19 53 38 DEBUG SM STATE localid 9 mac 00 06 25 09 39 5d flags 0000012fh to change state
425. ofile to the user Examples The following command removes the user profile for a user at MAC address 01 02 03 04 05 06 WX4400 clear mac user 01 02 03 04 05 06 success change accepted See Also display aaa on page 219 set mac usergroup attr on page 254 set mac user attr on page 249 212 CHAPTER 8 AAA COMMANDS clear mac user attr Removes an authorization attribute from the user profile in the local database on the WX switch for a user who is authenticated by a MAC address To remove an authorization attribute in RADIUS see the documentation for your RADIUS server Syntax clear mac user mac addr attr attribute name mac addr MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros attribute name Name of an attribute used to authorize the MAC user for a particular service or session characteristic For a list of authorization attributes see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes an access control list ACL from the profile of a user at MAC address 01 02 03 04 05 06 WX4400 clear mac user 01 02 03 04 05 06 attr filter id success change accepted See Also display aaa on page 219 set mac user attr on page 249 clear mac user group Removes a user profile from a MAC user group in the local database on the WX switch for a u
426. om 192 168 192 206 2 ms 1 ms 1 ms 2 engineering 2 example com 192 168 196 204 2 ms 3 ms 2 ms 3 gateway_a example com 192 168 1 201 6 ms 3 ms 3 ms 4 serverl xampl com 192 168 22 7 3 ms 2 ms The first row of the display indicates the target host the maximum number of hops and the packet size Each numbered row displays information about one hop The rows are displayed in the order in which the hops occur beginning with the hop closest to the WX switch The row for a hop lists the total time in milliseconds for each ICMP packet to reach the router or host plus the time for the ICMP Time Exceeded message to return to the host An exclamation point following any of these values indicates that the Port Unreachable message returned by the destination has a maximum hop count of O or 1 This can occur if the destination uses the maximum hop count value from the arriving packet as the maximum hop count in its ICMP reply The reply does not arrive at the source until the destination receives a traceroute packet with a maximum hop count equal to the number of hops between the source and destination An asterisk indicates that the timeout period expired before MSS received a Time Exceeded message for the packet If Traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable message MSS displays one of the error codes described in Table 40 instead of displaying the round trip time or an
427. omain member On the seed WX switch adds a member to the list of Mobility Domain members If the current WX switch is not configured as a seed this command is rejected Syntax set mobility domain member ip addr ip addr IP address of the Mobility Domain member in dotted decimal notation Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command must be entered from the seed WX switch Examples The following commands add three WX switches with the IP addresses 192 168 1 8 192 168 1 9 and 192 168 1 10 as members of a Mobility Domain whose seed is the current WX switch WX4400 set mobility domain member 192 168 1 8 success change accepted WX4400 set mobility domain member 192 168 1 9 success change accepted WX4400 set mobility domain member 192 168 1 10 success change accepted See Also clear mobility domain member on page 266 display mobility domain config on page 267 set mobility domain mode seed domain name on page 271 270 CHAPTER 9 MOBILITY DOMAIN COMMANDS set mobility domain mode member seed ip On a nonseed WX switch sets the IP address of the seed WX switch This command is used on a member WX to configure it as a member If the WX switch is currently part of another Mobility Domain or using another seed this command overwrites that configuration Syntax set mobility domain mode member seed ip ip addr ip addr IP ad
428. on for a WX switch s hardware and boot code Syntax version Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage This command does not list the system image file versions installed in the boot partitions To display system image file versions use the dir or fver command Examples To display hardware and boot code version information type the following command at the boot prompt boot gt version 3Com WX 4400 Bootstrap Bootloader Version 3 0 2 Release Compiled on Wed Sep 22 09 18 47 PDT 2004 by Bootstrap 0 version re Active Bootloader 0 version 3 0 2 Active Bootstrap 1 version S21 Bootloader 1 version 3 0 1 WX 4400 Board Revision Ze WxX 4400 Controller Revision Die See Also dir on page 627 fver on page 630 A OBTAINING SUPPORT FOR YOUR PRODUCT Register Your Product Warranty and other service benefits start from the date of purchase so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you Warranty and other service benefits are enabled through product registration Register your product at http eSupport 3com com 3Com eSupport services are based on accounts that you create or have authorization to access First time users must apply for a user name and password that provides access to a number of eSupport features including Product Registration Repair Services and
429. on information reset Reset the system test Display the state of enable or disable the tests option diag Access the diagnostic command CLI See Also help on page 631 next Activates and displays the boot profile in the next boot profile slot For information about boot profiles see display on page 628 Syntax next Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage A WX switch contains 4 boot profile slots numbered O through 3 This command activates the boot profile in the next slot in ascending numerical order If the currently active slot is 3 the command activates the boot profile in slot 0 634 reset CHAPTER 24 BOOT PROMPT COMMANDS Examples To activate the boot profile in the next slot and display the profile type the following command boot gt next BOOT Index 0 BOOT TYPE c DEVICE boot1 FILENAME testcfg FLAGS 00000000 OPTIONS run nos boot 0 See Also change on page 623 create on page 624 delete on page 625 display on page 628 Resets a WX switch s hardware Syntax reset Defaults None Access Boot prompt History Introduced in MSS Version 3 0 Usage After resetting the hardware the reset command attempts to load a system image file only if other boot settings are configured to do SO Examples To immediately reset the system type the following command at the
430. on which the TCP server on the remote device listens for Telnet connections Defaults MSS attempts to establish Telnet connections with TCP port 23 by default Access Enabled History Introduced in MSS Version 3 0 Usage To end a Telnet session from the remote device press Ctrl t or type quit or logout in the management session on the remote device To end a client session from the local WX switch use the clear sessions telnet client command If the configuration of the WX switch from which you enter the telnet command has an ACL that denies Telnet client traffic the ACL also denies access by the telnet command 196 CHAPTER 7 IP SERVICES COMMANDS Examples In the following example an administrator establishes a Telnet session with another device and enters a command on the remote device WX4400 telnet 10 10 10 90 Session 0 pty tty2 d Trying 10 10 10 90 Connected to 10 10 10 90 Disconnect character is t Copyright c 2004 3Com Corporation All rights reserved Username username Password password WX1200 remote gt display vlan Admin VLAN Tunl Port VLAN Name Status State Affin Port Tag State 1 default Up Up 5 3 none Up 3 red Up Up 5 10 backbone Up Up 5 1 none Up 2 none Up 4094 web aaa Up Up 0 2 4094 Up When the administrator presses Ctrl t to end the Telnet connection the management session returns to the local prompt WX1200 remote gt Session 0 pty tty2 d terminate
431. ond to probes which can make this counter artificially high display ap dap counters 299 Table 52 Output for display ap counters continued Field Description Noise Floor Received signal strength at which the MAP can no longer distinguish 802 11 packets from ambient RF noise A value around 90 or higher is good for an 802 1 1b g radio A value around 80 or higher is good for an 802 11a radio Values near O can indicate RF interference 802 3 Packet Rx Ct Number of raw 802 3 packets received by the radio These are LocalTalk AppleTalk frames This counter increments only if LocalTalk traffic is present The counters above are global for all data rates The counters below are for individual data rates If counters for lower data rates are incrementing but counters for higher data rates are not incrementing this can indicate poor throughput The poor throughput can be caused by interference If the cause is not interference or the interference cannot be eliminated you might need to relocate the MAP in order to use the higher data rates and therefore improve throughput TxUniPkt Number of unicast packets transmitted by the radio TxMultiPkt Number of multicast packets transmitted by the radio TxUniByte Number of unicast bytes transmitted by the radio TxMultiByte Number of multicast bytes transmitted by the radio RxPkt Number of packets received by the radio RxByte Number of bytes re
432. onds that must elapse before the WX switch times out an authentication session with a supplicant client Syntax set dotlx timeout supplicant seconds seconds Specify a value between 1 and 65 535 Defaults The default is 30 seconds Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to set the number of seconds for authentication session timeout to 300 WX4400 set dotlx timeout supplicant 300 success dotlx supplicant timeout set to 300 See Also display dot1x on page 505 Clear dot1x timeout auth server on page 504 set dot1x tx period Sets the number of seconds that must elapse before the WX switch retransmits an EAPoL packet Syntax set dotlx tx period seconds seconds Specify a value between 1 and 65 535 Defaults The default is 5 seconds Access Enabled History Introduced in MSS Version 3 0 set dot1x wep rekey 517 Examples Type the following command to set the number of seconds before the WX switch retransmits an EAPoL packet to 300 WX4400 set dotlx tx period 300 success dotlx tx period set to 300 See Also display dot1x on page 505 Clear dot1x tx period on page 505 set dot1x wep rekey Enables or disables Wired Equivalency Privacy WEP rekeying for broadcast and multicast encryption keys Syntax set dot1X wep rekey enable disable enable Causes the broadcast and multicast keys for
433. one Access All History Introduced in MSS Version 3 0 150 CHAPTER 7 IP SERVICES COMMANDS Examples To display NTP information for a WX switch type the following command WxX4400 gt display ntp NTP client enabled Current update interval 20 secs Current time Fri Feb 06 2004 12 02 57 Timezone is set to PST offset from UTC is 8 0 hours Summertime is enabled Last NTP update Fri Feb 06 2004 12 02 46 TP Server Peer state Local State 192 168 1 5 SYSPEER SYNCED Table 39 describes the fields in this display Table 39 Output for display ntp Field Description NTP client State of the NTP client The state can be one of the following a Enabled a Disabled Current update interval Number of seconds between queries sent by the WX switch to the NTP servers for updates Current time System time that was current on the WX switch when you pressed Enter after typing the display ntp command Timezone Time zone configured on the WX switch MSS offsets the time reported by the NTP server based on the time zone This field is displayed only if you change the time zone Summertime Summertime period configured on the WX switch MSS offsets the system time 1 hour and returns it to standard time for daylight savings time or a similar summertime period that you set This field is displayed only if you enable summertime Last NTP update Time when the WX switch receive
434. onnected MAPs can appear set auto config Enables a WX switch to contact a 3WXM server for its configuration Syntax set auto config enable disable enable Enables the switch to contact a 3WXM server to request a configuration disable Disables the auto config option Defaults The auto config option is automatically enabled on an unconfigured WXR100 when the factory reset switch is pressed during power on However auto config is disabled by default on other models Access Enabled History Introduced in MSS Version 4 0 Usage A network administrator at the corporate office can preconfigure the switch in a 3WXM network plan The switch configuration must have a name for the switch the model must be WXR100 and the serial number must match the switch s serial number The configuration should also include all other settings required for the deployment including MAP configuration SSIDs AAA settings and so on set auto config 49 When the 3WXM server in the corporate network receives the configuration request the server looks in the currently open network plan for a switch configuration with the same model and serial number as the one in the configuration request a f the network plan contains a configuration with a matching model and serial number 3WXM sends the configuration to the switch and restarts the switch The switch boots using the configuration it received from 3WXM a f th
435. onvergence WX4400 set spantree backbonefast enable success change accepted 412 CHAPTER 12 STP COMMANDS See Also display spantree backbonefast on page 400 set spantree fwddelay Changes the period of time after a topology change that a WX switch which is not the root bridge waits to begin forwarding Layer 2 traffic on one or all of its configured VLANs The root bridge always forwards traffic Syntax set spantree fwddelay delay all vlan vlan id delay Delay value You can specify from 4 through 30 seconds all Changes the forwarding delay on all VLANs vlan vlan id VLAN name or number MSS changes the forwarding delay on only the specified VLAN Defaults The default forwarding delay is 15 seconds Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the forwarding delay on VLAN pink to 20 seconds WX4400 set spantree fwddelay 20 vlan pink success change accepted See Also display spantree on page 398 set spantree hello Changes the interval between STP hello messages sent by a wireless LAN switch when operating as the root bridge on one or all of its configured VLANs Syntax set spantree hello interval all vlan vlan id interval Interval value You can specify from 1 through 10 seconds a all Changes the interval on all VLANs set spantree maxage 413 vlan vlan id VLAN name or number
436. oop filter A snoop filter does not take effect until you map it to a MAP radio and enable the filter Syntax set snoop filter name all mode enable stop after num pkts disable a filter name all Name of the snoop filter Specify all to enable all snoop filters enable stop after num pkts Enables the snoop filter The stop after option disables the filter after the specified number of packets match the filter Without the stop after option the filter operates until you disable it or until the MAP is restarted disable Disables the snoop filter Defaults Snoop filters are disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage The filter mode is not retained if you change the filter configuration or disable and reenable the radio or when the MAP or the WX switch is restarted You must reenable the filter to place it back into effect Examples The following command enables snoop filter snoop7 and configures the filter to stop after 5000 packets match the filter WX1200 set snoop snoopl mode enable stop after 5000 success filter snoopl enabled See Also display snoop on page 604 display snoop info on page 604 display snoop map on page 605 display snoop stats on page 606 604 CHAPTER 22 SNOOP COMMANDS display snoop Displays the MAP radio mapping for all snoop filters Syntax display snoop Defaults None Access Enabled
437. oot partition 0 boot1 boot partition 1 FN filename System image filename HA ip addr Host address IP address of a TFTP server This parameter applies only when the boot type is n network FL num Number representing the bit settings of boot flags to pass to the booted system image Use this parameter only if advised to do so by 3Com OPT opt ion String up to 128 bytes of boot options to pass to the booted system image instead of the boot option s in the currently active boot profile The options temporarily replace the options in the boot profile Use this parameter only if advised to do so by 3Com OPT option String up to 128 bytes of boot options to pass to the booted system image in addition to the boot option s in the currently active boot profile The options are appended to the options already in the boot profile Use this parameter only if advised to do so by 3Com Defaults The boot settings in the currently active boot profile are used by default Access Boot prompt History Introduced in MSS Version 3 0 622 CHAPTER 24 BOOT PROMPT COMMANDS Usage If you use an optional parameter the parameter setting overrides the setting of the same parameter in the currently active boot profile However the boot profile itself is not changed To display the currently active boot profile use the display command To change the currently active boot profile use the change command Examp
438. or broadcast destination address The order of security ACEs in a security ACL is important Once an ACL is active its ACEs are checked according to their order in the ACL If an ACE criterion is met its action takes place and any ACEs that follow are ignored ACEs are listed in the order in which you create them unless you move them To position security ACEs within a security ACL use before editbuffer index and modify editbuffer index Examples The following command adds an ACE to security ac _123 that permits packets from IP address 192 168 1 11 24 and counts the hits WxX4400 set security acl ip acl_123 permit 192 168 1 11 0 0 0 255 hits 464 CHAPTER 14 SECURITY ACL COMMANDS The following command adds an ACE to ac _723 that denies packets from IP address 192 168 2 11 WxX4400 set security acl ip acl_123 deny 192 168 2 11 0 0 0 0 The following command creates ac _725 by defining an ACE that denies TCP packets from source IP address 192 168 0 1 to destination IP address 192 168 0 2 for established sessions only and counts the hits Wx4400 set security acl ip acl_125 deny tcp 192 168 0 1 0 0 0 0 192 168 0 2 0 0 0 0 established hits The following command adds an ACE to ac _725 that denies TCP packets from source IP address 192 168 1 1 to destination IP address 192 168 1 2 on destination port 80 only and counts the hits Wx4400 set security acl ip acl_125 deny tcp 192 168 1 1 0 0 0 0 192 168 1 2 0 0 0 0 eq 80
439. or your RADIUS server Syntax clear user username attr attribute name username Username of a user with a password a attribute name Name of an attribute used to authorize the user for a particular service or session characteristic For a list of authorization attributes see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the Session Timeout attribute from Hosni s user profile WxX4400 clear user Hosni attr session timeout success change accepted See Also display aaa on page 219 set user attr on page 259 clear user group 217 clear user group Removes a user with a password from membership in a user group in the local database on the WX switch To remove a user from a user group in RADIUS see the documentation for your RADIUS server Syntax clear user username group username Username of a user with a password Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Removing the user from the group removes the group name from the user s profile but does not delete either the user or the user group from the local WX database To remove the group use clear usergroup Examples The following command removes the user Nin from a user group WX4400 clear user Nin group success change accepted See Also Clear usergroup on page 217 di
440. ords turns on logging to the system buffer of all facilities at all levels Entering set log buffer disable with no other keywords turns off all logging to the buffer Examples To log only emergency alert and critical system events to the console type the following command WX4400 set log console severity critical enable success change accepted See Also Clear log on page 609 display log config on page 612 set log mark Configures MSS to generate mark messages at regular intervals The mark messages indicate the current system time and date 3Com can use the mark messages to determine the approximate time when a system restart or other event causing a system outage occurred Syntax set log mark enable disable severity level interval interval enable Enables the mark messages disable Disables the mark messages a severity level Log severity at which the messages are logged emergency set log mark 617 alert critical error warning notice info debug interval interval Interval at which MSS generates the mark messages You can specify from 1 to 2147483647 seconds Defaults Mark messages are disabled by default When they are enabled MSS generates a message at the notice level once every 300 seconds by default Access Enabled History Introduced in MSS Version 4 1 Examples The following command enables mark messages WX1200 set log mark ena
441. ort Use the WX switch s PoE to power 3Com MAP access points only If you enable PoE on ports connected to other devices damage can result Syntax set port poe port list enable disable a port list List of physical ports MSS disables or reenables PoE on all the specified ports enable Enables PoE on the specified ports disable Disables PoE on the specified ports Defaults PoE is disabled on network and wired authentication ports The state on MAP access point ports depends on whether you enabled or disabled PoE when setting the port type See set port type ap on page 91 Access Enabled History Introduced in MSS Version 3 0 Usage This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WX1200 switch 88 CHAPTER 4 PORT COMMANDS Examples The following command disables PoE on ports 4 and 5 which are connected to a MAP access point WX1200 set port poe 4 5 disable If you are enabling power on these ports they must be connected only to approved PoE devices with the correct wiring Do you wish to continue y n nly The following command enables PoE on ports 4 and 5 WX1200 set port poe 4 5 enable If you are enabling power on these ports they must be connected only to approved PoE devices with the correct wiring Do you wish to continue y n nly See Also set port type ap on page 91 set port type wired auth on page 94 set por
442. ortvlancost 2 vlan sunflower success change accepted See Also Clear spantree portcost on page 394 display spantree on page 398 display spantree portvlancost on page 403 set spantree portcost on page 414 set spantree portviancost on page 417 clear spantree portvlanpri Resets to the default value the priority of a network port or ports for selection as part of the path to the STP root bridge on one VLAN or all VLANs Syntax clear spantree portvlanpri port list all vlan vilan id a port list List of ports The port priority is reset to 32 the default on the specified ports all Resets the priority for all VLANs vlan vlan id VLAN name or number MSS resets the priority for only the specified VLAN Defaults None Access Enabled clear spantree statistics 397 History Introduced in MSS Version 3 0 Usage MSS does not change a port s priority for VLANs other than the one s you specify Examples The following command resets the STP priority for port 2 in VLAN avocado WX4400 clear spantree portvlanpri 2 vlan avocado success change accepted See Also Clear spantree portpri on page 395 display spantree on page 398 set spantree portpri on page 416 set spantree portvianpri on page 418 clear spantree statistics Clears STP statistics counters for a network port or ports and resets them to 0 Syntax clear spantree statistics port list
443. ot support the use of special characters including the following in any named elements such as SSIDs and VLANs ampersand amp angle brackets lt gt number sign question mark or quotation marks In addition the CLI does not support the use of international characters such as the accented in DECOR MSS displays MAC addresses in hexadecimal numbers with a colon delimiter between bytes for example 00 01 02 1a 00 01 You can enter MAC addresses with either hyphen or colon delimiters but colons are preferred For shortcuts You can exclude leading zeros when typing a MAC address MSS displays of MAC addresses include all leading zeros Insome specified commands you can use the single asterisk wildcard character to represent from 1 byte to 5 bytes of a MAC address For more information see MAC Address Globs on page 27 26 CHAPTER 1 USING THE COMMAND LINE INTERFACE IP Address and Mask Notation User Globs MAC Address Globs and VLAN Globs MSS displays IP addresses in dotted decimal notation for example 192 168 1 111 MSS makes use of both subnet masks and wildcard masks Subnet Masks Unless otherwise noted use classless interdomain routing CIDR format to express subnet masks for example 192 168 1 112 24 You indicate the subnet mask with a forward slash and specify the number of bits in the mask Wildcard Masks Security access control lists
444. ou are unable to locate a copy please contact 3Com and a copy will be provided to you UNITED STATES GOVERNMENT LEGEND If you are a United States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as defined in DFARS 252 227 7014 June 1995 or as a commercial item as defined in FAR 2 101 a and as such is provided with only such rights as are provided in 3Com s standard commercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com is a registered trademark of 3Com Corporation The 3Com logo is a trademark of 3Com Corporation Mobility Domain Mobility Point Mobility Profile Mobility System Mobility System Software MP MSS and SentrySweep are trademarks of Trapeze Networks Inc Intel and Pentium are registered trademarks of Intel Corporation Micro
445. ouble asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 a ssid ssid name SSID name to which this authentication rule applies To apply the rule to all SSIDs type any wired Applies this authentication rule specifically to users connected to a wired authentication port methodl method2 method3 method4 At least one and up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database of usernames and user groups on the WX switch for authentication server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods RADIUS servers cannot be used with the EAP TLS protocol For more information see Usage Defaults By default authentication is unconfigured for all clients with network access through MAP ports or wired authentication ports on the WX switch Connection authorization and accounting are also disabled for these users Access Enabled History Introduced in MSS Version 3 0 set authen
446. owing command displays the Mobility Domain configuration WX4400 display mobility domain config This WX is a member with seed 192 168 14 6 See Also Clear mobility domain on page 266 set mobility domain member on page 269 display mobility domain status on page 267 display mobility domain status On the seed WX displays the Mobility Domain status and members Syntax display mobility domain status Defaults None Access Enabled 268 CHAPTER 9 MOBILITY DOMAIN COMMANDS History Introduced in MSS Version 3 0 Examples To display Mobility Domain status type the following command WX4400 display mobility domain status Mobility Domain name Pleasanton Member State Status 192 168 253 11 STATE UP MEMBER 192 168 253 12 STATE DOWN MEMBER 192 168 253 14 STATE _UP SEED Table 46 describes the fields in the display Table 46 display mobility domain Output Field Description Mobility Domain Name of the Mobility Domain name Member IP addresses of the seed WX switch and members in the Mobility Domain State State of the WX switch in the Mobility Domain STATE_UP a STATE_DOWN Status Role of the WX switch in the Mobility Domain a MEMBER SEED See Also Clear mobility domain on page 266 set mobility domain member on page 269 set mobility domain mode member seed ip on page 270 set mobility domain member 269 set mobility d
447. p dap blink on page 330 set ap dap upgrade firmware on page 346 reset ap dap on page 324 set ap dap radio channel on page 339 set ap dap radio tx power on page 344 clear ap dap radio on page 286 display ap dap group on page 303 display ap dap status on page 304 display ap dap counters on page 294 display dap global on page 314 display dap connection on page 313 display dap unconfigured on page 316 display ap dap qos stats on page 300 display ap dap etherstats on page 301 clear ap dap radio Disables a MAP radio and resets it to its factory default settings Syntax clear ap port list dap dap num radio 1 2 all ap port list List of ports connected to the MAP access point s on which to reset a radio dap dap num Number of a Distributed MAP on which to reset a radio radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models radio all All radios on the MAP clear ap dap radio 287 Defaults The clear ap radio command resets the radio to the default settings listed in Table 50 and in Table 66 on page 362 Table 50 Radio Specific Parameters Parameter Default Value Description channel 802 11b 6 Number of the channel in 802 11a Lowest which a radio transmits and valid channel number SEIVES traf
448. p dns server on page 166 set ip dns domain Configures a default domain name for DNS queries The wireless LAN switch appends the default domain name to domain names or hostnames you enter in commands Syntax set ip dns domain name a name Domain name of between 1 and 64 alphanumeric characters with no spaces for example example org Defaults None Access Enabled Usage To override the default domain name when entering a hostname in a CLI command enter a period at the end of the hostname For example if the default domain name is example com enter chris if the fully qualified hostname is chris and not chris example com Aliases take precedence over DNS When you enter a hostname MSS checks for an alias with that name first before using DNS to resolve the name Examples The following command configures the default domain name example com WX1200 set ip dns domain example com Domain name changed See Also Clear ip dns domain on page 129 Clear ip dns server on page 129 display ip dns on page 144 setip dns on page 164 set ip dns server on page 166 166 CHAPTER 7 IP SERVICES COMMANDS set ip dns server Specifies a DNS server to use for resolving hostnames you enter in CLI commands Syntax set ip dns server ip addr primary secondary ip addr IP address of a DNS server in dotted decimal or CIDR notation primary Makes the server the primary server
449. p on page 261 display security acl map on page 453 set security acl hit sample rate Specifies the time interval in seconds at which the packet counter for each security ACL is sampled for display The counter counts the number of packets filtered by the security ACL or hits Syntax set security acl hit sample rate seconds seconds Number of seconds between samples A sample rate of 0 zero disables the sample process Defaults By default the hits are not sampled Access Enabled History Introduced in MSS Version 3 0 Syntax changed from hit sample rate seconds to set security acl hit sample rate seconds to allow the command to be saved in the configuration file Usage To view counter results for a particular ACL use the display security acl info acl name command To view the hits for all security ACLs use the display security acl hits command set security acl hit sample rate 467 Examples The first command sets MSS to sample ACL hits every 15 seconds The second and third commands display the results The results show that 916 packets matching security acl_153 were sent since the ACL was mapped WX4400 set security acl hit sample rate 15 WxX4400 display security acl info acl_153 ACL information for acl_153 set security acl ip acl_153 hits 3 916 1 permit IP source IP 20 1 1 1 0 0 0 0 destination IP any enable hits WX4400 display security acl hits ACL hit counters
450. p to 2346 bytes long without fragmentation long retry 5 Sends a long unicast frame up to five times without acknowledgment set radio profile mode 363 Table 66 Defaults for Radio Profile Parameters continued Parameter Default Value Radio Behavior When Parameter Set to Default Value max rx lifetime 2000 Allows a received frame to stay in the buffer for up to 2000 ms 2 seconds max tx lifetime 2000 Allows a frame that is scheduled for transmission to stay in the buffer for up to 2000 ms 2 seconds preamble length short Advertises support for short 802 11b preambles accepts either short or long 802 11b preambles and generates unicast frames with the preamble length specified by the client Note This parameter applies only to 802 11b g radios rts threshold 2346 Transmits frames longer than 2346 bytes by means of the Request to Send Clear to Send RTS CTS method service profile No service profiles defined Default settings for all service profile parameters including encryption parameters are used short retry 5 Sends a short unicast frame up to five times without acknowledgment wmm Access Enabled enable Prioritizes traffic based on the Wi Fi Multimedia WMM standard History Introduced in MSS Version 3 0 Usage Use the command without any optional parameters to create new profile If the radio profile does not alread
451. p9iN ss and unpack the PKCS 12 file WX4400 copy tftp 192 168 253 1 2048full p12 2048full p12 success received 637 bytes in 0 253 seconds 2517 bytes sec WX4400 crypto otp eap hap9iN ss OTP set WX4400 crypto pkcs12 eap 2048full p12 Unwrapped from PKCS12 file keypair device certificate CA certificate See Also crypto otp on page 478 display crypto ca certificate 481 display crypto ca certificate Displays information about the certificate authority s PEM encoded PKCS 7 certificate Syntax display crypto ca certificate admin eap web admin Displays information about the certificate authority s certificate that signed the administrative certificate for the WX switch The administrative certificate authenticates the WX to 3WXM or Web Manager eap Displays information about the certificate authority s certificate that signed the Extensible Authentication Protocol EAP certificate for the WX switch The EAP certificate authenticates the WX switch to 802 1X supplicants clients web Displays information about the certificate authority s certificate that signed the WebAAA certificate for the WX switch The WebAAA certificate authenticates the WX switch to WebAAA clients Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Examples To display information about the certificate of a c
452. paces Defaults None Access Enabled History Introduced in MSS Version 3 0 mkdir 581 Examples The following commands create a subdirectory called corp2 and display the root directory to verify the result WX4400 mkdir corp2 success change accepted WX4400 dir file Filename Size Created file configuration 17 KB May 21 2004 18 20 53 file configuration txt 379 bytes May 09 2004 18 55 17 corp2 512 bytes May 21 2004 19 22 09 corp_a 512 bytes May 21 2004 19 15 48 file dangcfg 13 KB May 16 2004 18 30 44 dangdir 512 bytes May 16 2004 17 23 44 old 512 bytes Sep 23 2003 21 58 48 Total 33 Kbytes used 207822 Kbytes free Boot Filename Size Created boot0 bload 746 KB May 09 2004 19 02 16 boot0 WXA03002 Rel 8182 KB May 09 2004 18 58 16 boot1 WXA03001 Rel 8197 KB May 21 2004 18 01 02 BootO Total 8928 Kbytes used 3312 Kbytes free Bootl Total 8197 Kbytes used 4060 Kbytes free temporary files Filename Size Created Total 0 bytes used 93537 Kbytes free See Also dir on page 570 rmdir on page 584 582 CHAPTER 20 FILE MANAGEMENT COMMANDS reset system Restarts an WX switch and reboots the software Syntax reset system force force Immediately restarts the system and reboots without comparing the running configuration to the configuration file Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage
453. page 43 set system ip address on page 192 clear timezone Clears the time offset for the wireless LAN switch s real time clock from Coordinated Universal Time UTC UTC is also know as Greenwich Mean Time GMT Syntax clear timezone Defaults None Access Enabled display arp 137 History Introduced in MSS Version 3 0 Examples To return the WX switch s real time clock to UTC type the following command Wx4400 clear timezone success change accepted See Also Clear summertime on page 135 set summertime on page 191 set timedate on page 193 set timezone on page 194 display summertime on page 154 display timedate on page 155 display timezone on page 155 display arp WX4400 display arp ARP aging time 1200 seconds Shows the ARP table Syntax display arp ip addr a ip addr IP address Defaults If you do not specify an IP address the whole ARP table is displayed Usage All History Introduced in MSS Version 3 0 Examples The following command displays ARP entries HW Address VLAN ype State 00 0b 0e 02 76 f 5 1 DYNAMIC RESOLVED 00 0b 0e 02 76 f 7 1 LOCAL RESOLVED 138 CHAPTER 7 IP SERVICES COMMANDS Table 29 describes the fields in this display Table 29 Output for display arp Field Description ARP aging time Number of seconds a dynamic entry can remain unused before MSS remo
454. pher wep104 on page 379 set service profile cipher wep40 on page 380 set service profile psk phrase on page 381 set service profile psk raw on page 382 set service profile rsn ie on page 383 set service profile shared key auth on page 384 set service profile ssid name on page 384 set service profile ssid type on page 385 set service profile tkip mc time on page 386 set service profile web portal form on page 387 set service profile wep active multicast index on page 388 set service profile wep active unicast index on page 389 set service profile wep key index on page 390 set service profile wpa ie on page 391 set radio profile short retry Changes the short retry threshold for the MAP radios in a radio profile The short retry threshold specifies the number of times a radio can send a short unicast frame without receiving an acknowledgment Syntax set radio profile name short retry threshold name Radio profile name threshold Number of times the radio can send the same short unicast frame You can enter a value from 1 through 15 Defaults The default short unicast retry threshold for MAP radios is 5 attempts Access Enabled History Introduced in MSS Version 3 0 370 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode comma
455. play sessions network commands The following command displays detailed verbose session information about user nin example com WX1200 display sessions network user nin example com verbose User Sess IP or MAC VLAN Port Name ID Address Name Radio nin example com 5 10 20 30 40 vilan eng 1 1 Client MAC 00 02 2d 6e ab a5 GID SESS 5 000430 686792 d8b3c564 State ACTIVE prev AUTHORIZED now on WX 192 168 12 7 AP radio 1 1 AP 00 0b 0e 00 05 fe as of 00 23 32 ago 1 sessions match criteria of 10 total The following command displays verbose output about the sessions of all current network users WX1200 display sessions network verbose User Sess IP or MAC VLAN Port Name ID Address Name Radio SHUTTLE2 exmpl 6 10 3 8 55 default 3 1 Client MAC 00 06 25 13 08 33 GID SESS 4 000404 98441 c807c14b State ACTIVE prev AUTHORIZED now on WX 10 3 8 103 AP radio 3 1 AP 00 0b 0e ff 00 3a as of 00 00 24 ago from WX 10 3 8 103 AP radio 6 1 AP 00 0b 0e 00 05 d7 as of 00 01 07 ago from WX 10 3 8 103 AP radio 3 1 AP 00 0b 0e f 00 3a as of 00 01 53 ago Vlan Name default service profile Service Type 2 service profile End Date 52 06 07 08 57 AAA Start Date 05 04 11 10 00 AAA 1 sessions total 528 CHAPTER 18 SESSION MANAGEMENT COMMANDS Table 92 on page 529 describes the additional fields of the verbose output of display sessions network commands The following command di
456. play dap connection 313 isplay dap global 314 isplay dap unconfigured 316 isplay dhcp client 138 isplay dhcp server 140 isplay dot1x 505 isplay fdb 102 isplay fdb agingtime 104 isplay fdb count 105 display igmp 422 display igmp mrouter 426 display igmp querier 427 display igmp receiver table 429 display igmp statistics 431 display interface 142 display ip alias 143 d d d QqQaaqaaaqaqaaqaqaaaaaQaaqaqaaqaaaa isplay ip dns 144 isplay ip https 145 isplay ip route 146 display ip telnet 148 isplay license 42 display load 43 isplay location policy 224 isplay log buffer 610 isplay log config 612 isplay log trace 613 isplay mobility domain config 267 isplay mobility domain status 267 isplay mobility profile 224 isplay network domain 278 isplay ntp 149 display port counters 69 isplay port media type 75 display port poe 71 display port status 73 isplay port group 70 isplay gos 123 isplay qos dscp table 124 isplay radio profile 317 isplay rfdetect attack list 537 isplay rfdetect black list 538 isplay rfdetect clients 539 QaqaQqaaqoqaqaqaqaq om Q LLa aaan cda sp sp sp sp sp sp ay rfdetect countermeasures 541 ay rfdetect coun ay rfdetect data ters 542 544 ay rfdetect ignore 546 ay rfdetect mob ay rfdetect ssid ility domain 546 ist 550 INDEX 643 H help 46 631 history 47 splay rfdetect vendor list 551 splay rfdetect visible 552 splay roaming station 106
457. plays the aging timeout period for forwarding database entries Syntax display fdb agingtime vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN the aging timeout period for each VLAN is displayed Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays the aging timeout period for all VLANs WX1200 display fdb agingtime VLAN 2 aging time 600 sec VLAN 1 aging time 300 sec Because the forwarding database aging timeout period can be configured only on an individual VLAN basis the command lists the aging timeout period for each VLAN separately display fdb count 105 See Also set fdb agingtime on page 114 display fdb count Lists the number of entries in the forwarding database Syntax display fdb count perm static dynamic vlan vlan id perm Lists the number of permanent entries A permanent entry does not age out and remains in the database even after a reboot reset or power cycle static Lists the number of static entries A static entry does not age out but is removed from the database after a reboot reset or power cycle dynamic Lists the number of dynamic entries A dynamic entry is automatically removed through aging or after a reboot reset or power cycle vlan vlan id VLAN name or number Entries are listed for only the specified VLAN Defaults No
458. ples The following command adds user Hosni to the cardiology user group WX4400 set user Hosni group cardiology success change accepted See Also Clear user group on page 217 display aaa on page 219 set usergroup Creates a user group in the local database on the WX switch for users and assigns authorization attributes for the group To create user groups and assign authorization attributes in RADIUS see the documentation for your RADIUS server Syntax set usergroup group name attr attribute name value group name Name of a group for password users Specify a name of up to 32 alphanumeric characters with no spaces a attribute name valu Name and value of an attribute you are using to authorize all users in the group for a particular service or session characteristic For a list of authorization attributes and values that you can assign to users see Table 44 on page 249 Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To change the value of an attribute enter set usergroup attr with the new value To delete an attribute use clear usergroup attr To add a user to a group user the command set user group 262 CHAPTER 8 AAA COMMANDS set web portal You can assign attributes to individual users and to user groups If attributes are configured for a user and also for the group the user is in the attributes assigned to the individual user take preceden
459. portpri port list a port list List of ports The port priority is reset to 32 the default on the specified ports Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage This command resets the priority in all VLANs To reset the priority for only specific VLANs use the clear spantree portvlanpri command Examples The following command resets the STP priority on port 6 to the default WX1200 clear spantree portpri 6 success change accepted See Also Clear spantree portvlanpri on page 396 display spantree on page 398 set spantree portpri on page 416 set spantree portvianpri on page 418 clear spantree portvlancost Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on a wireless LAN switch or for all VLANs Syntax clear spantree portvlancost port list all vlan vlan id port list List of ports The port cost is reset on the specified ports a all Resets the cost for all VLANs 396 CHAPTER 12 STP COMMANDS vlan vlan id VLAN name or number MSS resets the cost for only the specified VLAN Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage MSS does not change a port s cost for VLANs other than the one s you specify Examples The following command resets the STP cost for port 2 in VLAN sunflower WX4400 clear spantree p
460. pplies only when mac is specified start stop Sends accounting records at the start and end of a network session stop only Sends accounting records only at the end of a network session 228 CHAPTER 8 AAA COMMANDS methodl method2 method3 method4 At least one of up to four methods that MSS uses to process accounting records Specify one or more of the following methods in priority order If the first method does not succeed MSS tries the second method and so on A method can be one of the following local Stores accounting records in the local database on the WX switch When the local accounting storage space is full MSS overwrites older records with new ones server group name Stores accounting records on one or more Remote Authentication Dial In User Service RADIUS servers You can also enter the names of existing RADIUS server groups as methods Defaults Accounting is disabled for all users by default Access Enabled History Introduced in MSS Version 3 0 Usage For network users with start stop accounting whose records are sent to a RADIUS server MSS sends interim updates to the RADIUS server when the user roams Examples The following command issues stop only records to the RADIUS server group sg2 for network user Nin who is authenticated by 802 1X WX4400 set accounting dotlx Nin stop only sg2 success change accepted See Also Clear accounting on page 203
461. pplying security ACLs Use inacl inac name to filter traffic that enters the switch from users via a MAP access port or wired authentication port or from the network via a network port Use outacl outac name to filter traffic sent from the switch to users via a MAP access port or wired authentication port or from the network via a network port set location policy 247 You can optionally add the suffixes in and out to inac name and outacl name so that they match the names of security ACLs stored in the local WX database Examples The following command denies network access to all users at theirfirm com causing them to fail authorization WX4400 set location policy deny if user eq theirfirm com The following command authorizes access to the guest_7 VLAN for all users who are not at wodefirm com Wx4400 set location policy permit vlan guest_1 if user neq wodefirm com The following command authorizes users at ny ourfirm com to access the bid4 tac VLAN instead and applies the security ACL tac_24 to the traffic they receive WX4400 set location policy permit vlan bld4 tac outacl tac _24 if user eq ny ourfirm com The following command authorizes access to users on VLANs with names matching b d4 and applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive WxX4400 set location policy permit inacl svcs_2 outacl svcs 3 if vlan eq bldg4 The following command authori
462. profile mode on page 257 display mobility profile on page 224 clear mobility profile on page 215 Location Policy set location policy on page 244 display location policy on page 224 clear location policy on page 210 clear accounting 203 clear accounting Removes accounting services for specified wireless users with administrative access or network access Syntax clear accounting admin dot1x user glob admin Users with administrative access to the WX switch through a console connection or through a Telnet or Web Manager connection a dotlx Users with network access through the WX switch Users with network access are authorized to use the network through either an IEEE 802 1X method or their media access control MAC address a user glob Single user or set of users with administrative access or network access Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes accounting services for authorized network user Nin WxX4400 clear accounting dotlx Nin success change accepted See Also set acco
463. profile name beacon enable disable name Service profile name set service profile cipher ccmp 377 enable Enables beaconing of the SSID managed by the service profile disable Disables beaconing of the SSID managed by the service profile Defaults Beaconing is enabled by default Access Enabled History Introduced in MSS Version 3 0 Examples The following command disables beaconing of the SSID managed by service profile sp2 WX4400 set service profile sp2 beacon disable success change accepted See Also display service profile on page 321 set radio profile beacon interval on page 355 set service profile ssid name on page 384 set service profile ssid type on page 385 set service profile cipher ccmp Enables Counter with Cipher Block Chaining Message Authentication Code Protocol CCMP encryption with WPA clients for a service profile Syntax set service profile name cipher ccmp enable disable name Service profile name enable Enables CCMP encryption for WPA clients disable Disables CCMP encryption for WPA clients Defaults CCMP encryption is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage To use CCMP you must also enable the WPA IE 378 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command configures service profile so2 to use CCMP encryption WxX4400 set
464. ps server on page 167 setip telnet on page 171 setip telnet server on page 172 display ip route Shows the IP route table Syntax display ip route destination destination Route destination IP address in dotted decimal notation Defaults None Access All History Introduced in MSS Version 3 0 display ip route 147 Usage When you add an IP interface to a VLAN that is up MSS adds direct and local routes for the interface to the route table If the VLAN is down MSS does not add the routes If you add an interface to a VLAN but the routes for that interface do not appear in the route table use the display vlan config command to check the VLAN state If you add a static route and the route s state is shown as Down use the display interface command to verify that the route has an IP interface in the gateway router s subnet MSS cannot resolve a static route unless one of the WX switch s VLANs has an interface in the gateway router s subnet If the WX switch has such an interface but the static route is still down use the display vlan config command to check the state of the VLAN s ports Examples The following command shows all routes in a WX switch s IP route table WX4400 display ip route Router table for IPv4 Destination Mask Proto Metric NH Type Gateway VLAN Interface 0 0 0 0 0 Static 1 Router 10 0 1 17 Down 0 0 0 0 0 Static 2 Router 10 0 2 17 vlan 2 ip 10 0 2
465. pter based on their use Table 9 Port Commands by Usage Type Command Port Type set port type ap on page 91 set dap on page 81 set port type wired auth on page 94 clear port type on page 68 clear dap on page 64 Name set port name on page 86 clear port name on page 66 State set port on page 83 reset port on page 81 display port status on page 73 Gigabit Interface Type display port media type on page 75 set port media type on page 85 clear port media type on page 66 Speed set port speed on page 89 Autonegotiation set port negotiation on page 86 PoE set port poe on page 87 display port poe on page 71 SNMP set port trap on page 90 64 CHAPTER 4 PORT COMMANDS Table 9 Port Commands by Usage continued Type Command Port Groups set port group on page 84 display port group on page 70 clear port group on page 65 Statistics display port counters on page 69 monitor port counters on page 76 clear port counters on page 65 clear dap AN Removes a Distributed MAP CAUTION When you clear a Distributed MAP MSS ends user sessions that are using the MAP Syntax clear dap dap num a dap num Number of the Distributed MAP s you want to remove Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears Distributed MA
466. r 11 85 i 3com webaaa Table 101 describes the fields in this display Table 101 display rfdetect visible Output Field Description Transmit MAC MAC address the rogue device that sent the 802 11 packet detected by the MAP radio Vendor Company that manufactures or sells the rogue device Type Classification of the rogue device rogue Wireless device that is on the network but is not supposed to be on the network a intfr Wireless device that is not part of your network and is not a rogue but might be causing RF interference with MAP radios known Device that is a legitimate member of the network Ch Channel number on which the radio detected the rogue RSSI Received signal strength indication RSSI the strength of the RF signal detected by the MAP radio in decibels referred to 1 milliwatt dBm Flags Classification and encryption information for the rogue Thei a or u flag indicates the classification The other flags indicate the encryption used by the rogue For flag definitions see the key in the command output SSID SSID used by the detected device See Also display rfdetect data on page 544 display rfdetect mobility domain on page 546 554 CHAPTER 19 RF DETECTION COMMANDS set rfdetect active scan Disables or reenables active RF detection scanning on a WX switch When active scanning is enabled the MAP radios managed by the switch look for rogue devices by
467. r RADIUS packets sent from the WX switch Syntax set radius client system ip Defaults None If you do not use this command RADIUS packets leaving the WX have the source IP address of the outbound interface which can change as routing conditions change Examples Enabled History Introduced in MSS Version 3 0 492 CHAPTER 16 RADIUS AND SERVER GROUP COMMANDS Usage The WX system IP address must be set before you use this command Examples The following command sets the WX system IP address as the address of the RADIUS client WX4400 set radius client system ip success change accepted See Also Clear radius client system ip on page 487 set system idle timeout on page 58 set radius proxy client Adds a RADIUS proxy entry for a third party AP The proxy entry specifies the IP address of the AP and the UDP ports on which the WX switch listens for RADIUS traffic from the AP Syntax set radius proxy client address ip address acct port acct udp port number port udp port number key string address ip address IP address of the third party AP Enter the address in dotted decimal notation port udp port number UDP port on which the WX switch listens for RADIUS access requests from the AP acct port acct udp port number UDP port on which the WX switch listens for RADIUS stop accounting records from the AP a key string Password shared secret key the WX switch uses
468. r from an SSH session MSS immediately ends the session To open a new management session you must configure the SSH client to use the new TCP port number Syntax set ip ssh port port num port num TCP port number Defaults The default SSH port number is 22 Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the SSH port number on a WX switch to 6000 WX4400 set ip ssh port 6000 success change accepted See Also setip ssh server on page 171 set ip ssh server 171 set ip ssh server AN Disables or reenables the SSH server on a wireless LAN switch CAUTION If you disable the SSH server SSH access to the WX switch is also disabled Syntax set ip ssh server enable disable enable Enables the SSH server disable Disables the SSH server Defaults The SSH server is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage You must generate an SSH authentication key to use SSH The maximum number of SSH sessions supported on a WX switch is eight If Telnet is also enabled the WX switch can have up to eight Telnet or SSH sessions in any combination and one Console session See Also crypto generate key on page 473 setip ssh on page 170 setip ssh server on page 171 set ip telnet AN Changes the TCP port number on which a wireless LAN switch listens for Telnet management
469. r reenables all MAP radios that are using a specific profile Syntax set radio profile name mode enable disable xadio profile name Radio profile name of up to 16 alphanumeric characters with no spaces Use this command without the mode enable or mode disable option to create a new profile mode enable Enables the radios that use this profile mode disable Disables the radios that use this profile Defaults Each radio profile that you create has a set of properties with factory default values that you can change with the other set radio profile commands in this chapter Table 66 lists the parameters controlled by a radio profile and their default values Table 66 Defaults for Radio Profile Parameters Radio Behavior When Parameter Set to Parameter Default Value Default Value 11g only disable Allows associations with 802 11g and 802 11b clients Note This parameter applies only to 802 11b g radios active scan enable Sends probe any requests probe requests with a null SSID name to solicit probe responses from other access points auto tune enable Allows dynamic configuration of channel and power settings by MSS beacon interval 100 Waits 100 ms between beacons countermeasures Not configured Does not issue countermeasures against any device dtim interval 1 Sends the delivery traffic indication map DTIM after every beacon frag threshold 2346 Transmits frames u
470. r tkip on page 378 set service profile cipher wep104 on page 379 set service profile cipher wep40 on page 380 392 CHAPTER 11 MANAGED ACCESS POINT COMMANDS 12 STP Commands by Usage STP COMMANDS Use Spanning Tree Protocol STP commands to configure and manage spanning trees on the virtual LANs VLANs configured on a wireless LAN switch or controller to maintain a loop free network This chapter presents STP commands alphabetically Use the following table to locate commands in this chapter based on their use Table 68 STP Commands by Usage Type Command STP State set spantree on page 410 display spantree on page 398 display spantree blockedports on page 401 Bridge Priority set spantree priority on page 419 Port Cost set spantree portcost on page 414 set spantree portvlancost on page 417 display spantree portvlancost on page 403 clear spantree portcost on page 394 clear spantree portvlancost on page 395 Port Priority set spantree portpri on page 416 set spantree portvlanpri on page 418 clear spantree portpri on page 395 clear spantree portvianpri on page 396 Timers set spantree fwddelay on page 412 set spantree hello on page 412 set spantree maxage on page 413 Fast Convergence set spantree portfast on page 415 display spantree portfast on page 402 394 CHAPTER 12 STP COMMANDS Table 68 STP Commands by Usa
471. radio radio profile on page 343 set ap dap upgrade firmware on page 346 set dap auto radiotype Sets the radio type for single MAP radios that use the MAP configuration profile Syntax set dap auto radiotype lla 11b 11g radiotype lla 11b 11g Radio type The 11a option applies only to single radio models The 802 11a radio in two radio models is always 802 1 1a set dap auto mode set dap auto mode 327 a gt 11a 802 11a 11b 802 11b 11g 802 11g Defaults The default radio type for models AP2750 MP 241 and MP 341 and for the 802 11b g radios in other models is 802 11g in regulatory domains that support 802 119 or 802 11b in regulatory domains that do not support 802 119 MAP radios configured for 802 11g also allow associations from 802 1 1b clients by default To disable support for 802 11b associations use the set radio profile 11g only command on the radio profile that contains the radio Examples The following command sets the radio type to 802 1 1b WX4400 set dap auto radiotype 11b success change accepted See Also set dap auto on page 325 Enables a WX switch s profile for automatic Distributed MAP configuration Syntax set dap auto mode enable disable enable Enables the MAP configuration profile disable Disables the MAP configuration profile Defaults The MAP configuration profile is disabled by default Access Enabl
472. radios to attack rogues only configured Configures radios to attack only devices in the attack list on the WX switch on demand countermeasures When this option is specified devices found to be rogues by other means such as policy violations or by determining that the device is providing connectivity to the wired network are not attacked a none Disables countermeasures for this radio profile Defaults Countermeasures are disabled by default Access Enabled History Command introduced in MSS Version 4 0 New option configured added to support on demand countermeasures in MSS Version 4 1 Examples The following command enables countermeasures in radio profile radprof3 for rogues only WX1200 set radio profile radprof3 countermeasures rogue success change accepted The following command disables countermeasures in radio profile radprofs WX1200 clear radio profile radprof3 countermeasures success change accepted set radio profile dtim interval b gt set radio profile dtim interval 357 The following command causes radios managed by radio profile radprof3 to issue countermeasures against devices in the WX switch s attack list WX1200 set radio profile radprof3 countermeasures configured success change accepted Note that when you issue this command countermeasures are then issued only against devices in the WX switch s attack list not against other devices that were classified as
473. rameters apply to traffic only on the encrypted SSID WEP Key 2 value State of static WEP key number 2 none The key is not configured preset The key is configured WEP Key 3 value State of static WEP key number 3 none The key is not configured preset The key is configured WEP Key 4 value State of static WEP key number 4 none The key is not configured preset The key is configured WEP Unicast Index Index of the static WEP key used to encrypt unicast traffic on an encrypted SSID WEP Multicast Index Index of the static WEP key used to encrypt multicast traffic on an encrypted SSID Shared Key Auth Indicates whether shared key authentication is enabled display service profile 323 Table 64 Output for display service profile continued Field Description WPA enabled Indicates that the Wi Fi Protected Access WPA information element IE is enabled Additional fields display the settings of other WPA parameters a ciphers Lists the WPA cipher suites advertised by radios in the radio profile mapped to this service profile a authentication Lists the authentication methods supported for WPA clients 802 1X dynamic authentication PSK preshared key authentication a TKIP countermeasures time Indicates the amount of time in ms MSS enforces countermeasures following a second message integrity code MIC failure wi
474. ributed MAPs this field also indicates whether the MAP s management traffic with the WX is encrypted and whether the MAP s fingerprint has been verified on the WX not encrypted The management session is not encrypted encrypted but fingerprint not verified The MAP s management traffic is encrypted but the MAP s fingerprint has not been verified in MSS encrypted and verified The MAP s management traffic is encrypted and the MAP s fingerprint has been verified in MSS CPU info T Specifications and identification of the CPU For MAP models MP 352 MP 341 and MP 52 the ID portion of this field is not applicable Uptime Amount of time since the MAP last rebooted using this link Note This field is displayed only when this link is the MAP access point s primary link 308 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 56 Output for display ap status continued Field Description Radio 1 type Radio 2 type 802 11 type and configuration state of the radio The configure succeed state indicates that the MAP has received configuration parameters for the radio and the radio is ready to accept client connections 802 11b protect indicates that the 802 11b g radio is sending messages to 802 11b devices while sending 802 1 1g traffic at higher data rates to inform the 802 11b devices about the 802 11g traffic and reserve bandwidth for the traffic Protection mode remains
475. ring an unresponsive RADIUS server unavailable You can specify from 1 to 100 retries timeout seconds Number of seconds the WX switch waits for the RADIUS server to respond before retransmitting You can specify from 1 to 65 535 Defaults Global RADIUS parameters have the following default values deadtime 0 zero minutes The WX switch does not designate unresponsive RADIUS servers as unavailable key No key set radius client system ip 491 retransmit 3 the total number of attempts including the first attempt timeout 5 seconds Access Enabled History Introduced in MSS Version 3 0 Usage You can specify only one parameter per command line Examples The following commands sets the dead time to 5 minutes the RADIUS key to goody the number of retransmissions to 1 and the timeout to 21 seconds on all RADIUS servers connected to the WX switch WX1200 set radius deadtime 5 success change accepted WX1200 set radius key goody success change accepted WX1200 set radius retransmit 1 success change accepted WX1200 set radius timeout 21 success change accepted See Also Clear radius server on page 489 display aaa on page 219 set radius server on page 494 set radius client system ip Causes all RADIUS requests to be sourced from the IP address specified by the set system ip address command providing a permanent source IP address fo
476. rl destination url source url Name and location of the file to copy The uniform resource locator URL can be one of the following a subdirname filename a file subdirname filename a tftp ip addr subdirname filename a tmp filename For the filename specify between 1 and 128 alphanumeric characters with no spaces Enter the IP address in dotted decimal notation The subdirname option specifies a subdirectory a destination url Name of the copy and the location where to place the copy The URL can be one of the following a subdirname filename a file subdirname filename a tftp ip addr subdirname filename If you are copying a system image file into nonvolatile storage the filename must include the boot partition name You can specify one of the following boot0 filename a boot1 filename 568 CHAPTER 20 FILE MANAGEMENT COMMANDS Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage The filename and file filename URLs are equivalent You can use either URL to refer to a file in an WX switch s nonvolatile memory The tftp ip addr filename URL refers to a file on a TFTP server If DNS is configured on the WX switch you can specify a TFTP server s hostname as an alternative to specifying the IP address The tmp filename URL specifies a file in temporary storage You can copy a file out of temporary storage but you cannot copy a file into temporary storage
477. rms from SNMPv3 use the following command 182 CHAPTER 7 IP SERVICES COMMANDS Syntax set snmp notify target target num ip addr udp port number usm inform user username snmp engine id ip hex hex string profile profile name security unsecured authenticated encrypted retries num timeout num a target num ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 ip addr udp port number IP address of the server You also can specify the UDP port number to send notifications to username USM username This option is applicable only when the SNMP version is usm If the user will send informs rather than traps you also must specify the snmp engine id of the target snmp engine id SNMP engine ID of the target Specify ip if the ip hex hex string target s SNMP engine ID is based on its IP address If the target s SNMP engine ID is a hexadecimal value use hex hex string to specify the value profile profile name Notification profile this SNMP user will use to specify the notification types to send or drop security Specifies the security level and is applicable only unsecured when the SNMP version is usm authenticated unsecured Message exchanges are not encrypted authenticated nor are they encrypted This is the default authenticated Message exchange
478. rogue Syntax set rfdetect countermeasures mac mac addr a mac addr Basic service set identifier BSSID of the rogue Enter the BSSID in MAC address format using a colon between each octet for example aa bb cc dd ee ff Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Use this command to immediately begin countermeasures against a specific rogue in the rogue list The MAC address you specify must be in the list of rogues generated by RF detection scans MSS can issue countermeasures only against a device that is in the rogue list You can start countermeasures against more than one BSSID by typing additional set rfdetect countermeasures mac commands After you type the first set rfdetect countermeasures mac command MSS does not issue countermeasures against any devices except the ones you specify using this command To resume normal countermeasures operation where MSS automatically issues countermeasures against detected rogues use the clear rfdetect countermeasures mac all command This command is valid only on the seed switch of the Mobility Domain The countermeasures take effect only if countermeasures are enabled for the Mobility Domain using the set rfdetect countermeasures enable command This command does not become part of the configuration file when you save the configuration and therefore is not reloaded if the switch is restarted Examples The following comma
479. rrent received BPDU next_src_mac Other source MAC address from a different source See Also Clear spantree statistics on page 397 display spantree uplinkfast Shows uplink fast convergence information for one VLAN or all VLANs Syntax display spantree uplinkfast vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays STP statistics for all VLANs Defaults None Access All History Introduced in MSS Version 3 0 410 CHAPTER 12 STP COMMANDS Examples The following command shows uplink fast convergence information for all VLANs WX4400 display spantree uplinkfast VLAN port list Table 72 describes the fields in this display Table 72 Output for display spantree uplinkfast Field Description VLAN VLAN number port list Ports in the uplink group The port that is forwarding traffic is indicated by fwd The other ports are blocking traffic See Also set spantree uplinkfast on page 419 set spantree Enables or disables STP on one VLAN or all VLANs configured on a WX switch Syntax set spantree enable disable all vlan vlan id port port list vlan id enable Enables STP disable Disables STP all Enables or disables STP on all VLANs vlan vlan id VLAN name or number MSS enables or disables STP on only the specified VLAN on all ports within the VLAN port port list vlan id Port number or
480. rrently in power save mode LastPktRxSigStrength Signal strength in dBm of the last packet received by the MAP access point LastPktSigNoiseRatio Signal to noise ratio in decibels dB of the last packet received by the MAP access point This value indicates the strength of the radio signal above the noise floor For example if the noise floor is 88 and the signal strength is 68 the SNR is 20 If the value is below 10 this indicates a weak signal and might indicate a problem in the RF environment TKIP Pkt Transfer Ct Total number of TKIP packets sent and received by the radio TKIP Pkt Replays Number of TKIP packets that were resent to the MAP by a client A low value under about one hundred does not necessarily indicate a problem However if this counter is increasing steadily or has a very high value in the hundreds or more a Denial of Service DoS attack might be occurring Contact 3Com TAC CCMP Pkt Decrypt Err Number of times a decryption error occurred with a packet encrypted with CCMP Occasional decryption errors do not indicate a problem However steadily increasing errors or a high number of errors can indicate that data loss is occurring in the network Generally this is caused by a key mismatch between a client and the MAP To locate the client that is experiencing decryption errors and therefore is likely causing this counter to increment on the MAP use the displ
481. rrently running on the switch use the save config command to save the running configuration to the boot configuration file before using the backup command Examples The following command creates an archive of the system critical files and copies the archive directly to a TFTP server The filename in this example includes a TFTP server IP address so the archive is not stored locally on the switch WX1200 backup system tftp 10 10 20 9 sysa_bak critical success sent 28263 bytes in 0 324 seconds 87231 bytes sec Table 103 describes the fields Table 103 Output for backup Field Description tftp ip Name of the archive file to create You can store the file locally in the addr fil switch s nonvolatile storage or on a TFTP server ename all Backs up system files and all the files in the user files area The user files area contains the set of files listed in the file section of dir command output critical Backs up system files only including the configuration file used when booting and certificate files The size of an archive created by this option is generally 1MB or less See Also dir on page 570 restore on page 583 566 CHAPTER 20 FILE MANAGEMENT COMMANDS clear boot backup configuration clear boot config Clears the filename specified as the backup configuration file In the event that MSS cannot read the configuration file at boot time a backup configuration file is not used Synt
482. rsion 3 0 Examples Type the following command to reset the EAPoL retransmission time WX4400 clear dotlx tx period success change accepted See Also display dot1x on page 505 set dot1x tx period on page 516 display dot1x Displays 802 1X client information for statistics and configuration settings Syntax display dotlx clients stats config a clients Displays information about active 802 1X clients including client name MAC address and state a stats Displays global 802 1X statistics associated with connecting and authenticating config Displays a summary of the current configuration Defaults None Access Enabled 506 CHAPTER 17 802 1X MANAGEMENT COMMANDS History Introduced in MSS Version 3 0 Format of 802 1X authentication rule information in display dot1x config output changed in MSS Version 3 2 The rules are still listed at the top of the display but more information is shown for each rule Examples Type the following command to display the 802 1X clients WX4400 display dotlx clients MAC Address 00 20 a6 48 O0T05S 3 C3 07 00 05 5d 7e 00 02 2d 86 00 05 5d 7e 00 05 5d 7e 00 0b be a9 00 05 5d 7e 00 02 2d 6f 00 05 5d 7e 00 06 80 00 00 02 2d 6a 00 02 2d 5e 00 02 2d 80 OO T3066 S268 00 02 2d 64 seal 7 283 238 b4 sla 4e e3 277 709 202 f2 76 sel 2 69 1b Ce or tr cr te Te CE Te ee Te ee Ee ee nen
483. rt forward transition count Number of times the port state transitioned to the forwarding state scp failure count Number of service control point SCP failures root inc trans count Number of times the root bridge changed inhibit loopguard State of the loop guard In the current release the state is always FALSE loop inc trans count Number of loops that have occurred forward delay timer Status of the forwarding delay timer This timer monitors the time spent by a port in the listening and learning States forward delay timer value Current value of the forwarding delay timer in seconds message age timer Status of the message age timer This timer measures the age of the received protocol information recorded for a port message age timer value Current value of the message age timer in seconds topology change timer Status of the topology change timer This timer determines the time period during which configured BPDUs are transmitted with the topology change flag set by this WX switch when it is the root bridge after detection of a topology change topology change timer value Current value of the topology change timer in seconds 408 CHAPTER 12 STP COMMANDS Table 71 Output for display spantree statistics continued Field Description hold timer Status of the hold timer This timer ensures that configured BPDUs are not transmitte
484. rtime 135 clear system ip address 136 clear timezone 136 display arp 137 display dhcp client 138 display dhcp server 140 display interface 142 display ip alias 143 display ip dns 144 display ip https 145 display ip route 146 display ip telnet 148 display ntp 149 display snmp community 151 display snmp counters 152 display snmp notify profile 152 display snmp notify target 152 display snmp status 153 display snmp usm 154 display summertime 154 display timedate 155 display timezone 155 ping 156 setarp 158 set arp agingtime 159 set interface 160 set interface dhcp client 161 set interface dhcp server 162 set interface status 163 set ip alias 164 setip dns 164 set ip dns domain 165 set ip dns server 166 set ip https server 167 set ip route 167 set ip snmp server 169 set ip ssh 170 set ip ssh server 171 set ip telnet 171 set ip telnet server 172 setntp 173 set ntp server 174 set ntp update interval 175 set snmp community 175 set snmp notify profile 177 set snmp notify target 181 SNMPv3 with Informs 181 SNMPv3 with Traps 183 SNMPv2c with Informs 183 ot SNMPv2c with Traps 184 SNMPv1 with Traps 184 set snmp protocol 186 set snmp security 187 setsnmp usm 188 setsummertime 191 set system ip address 192 set timedate 193 set timezone 194 telnet 195 traceroute 197 AAA COMMANDS Commands by Usage 201 clear accounting 203 clear authentication admin 204 clear authen
485. s Enabled History Introduced in MSS Version 3 0 Usage When RF Auto Tuning for power is disabled MSS does not dynamically set the power levels when radios are first enabled and also does not tune power during operation with associated clients When RF Auto Tuning for power is enabled MSS does not allow you to manually change the power level Examples The following command enables dynamic power tuning for radios in the rp2 radio profile WX4400 set radio profile rp2 auto tune power config enable success change accepted See Also set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune channel config on page 349 354 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power interval on page 354 set radio profile auto tune power interval Sets the interval at which RF Auto Tuning decides whether to change the power level on radios in a radio profile At the end of each interval MSS processes the results of the RF scans performed during the previous interval and changes radio power levels if needed Syntax set radio profile name auto tune power interval seconds a name Radio profile name a seconds Number of seconds MSS waits before changing radio power levels to adjust to RF changes if needed You can specify from 1 to
486. s 11 22 33 44 55 66 to the black list WX1200 set rfdetect black list 11 22 33 44 55 66 success MAC 11 22 33 44 55 66 is now blacklisted See Also a set rfdetect black list on page 555 display rfdetect black list on page 538 set rf detect countermeasures AN Enables or disables countermeasures for the Mobility Domain Countermeasures are packets sent by a radio to prevent clients from being able to use a rogue access point CAUTION Countermeasures affect wireless service on a radio When a MAP radio is sending countermeasures the radio is disabled for use by network traffic until the radio finishes sending the countermeasures Syntax set rfdetect countermeasures enable disable enable Enables countermeasures disable Disables countermeasures Defaults Countermeasures are disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage This command is valid only on the seed switch of the Mobility Domain Examples The following command enables countermeasures for the Mobility Domain managed by this seed switch WX1200 set rfdetect countermeasures enable success countermeasures are now enabled See Also Clear rfdetect attack list on page 534 display rfdetect ignore on page 546 set rfdetect countermeasures mac on page 557 set rfdetect countermeasures mac 557 set rfdetect countermeasures mac Starts countermeasures against a specific
487. s supported only on the local WX database If you specify multiple authentication methods in the set authentication dot1x command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MSS tries the second method and so on However if local appears first followed by a RADIUS server group MSS overrides any failed searches in the local WX database and sends an authentication request to the server group If the user does not support 802 1X MSS attempts to perform MAC authentication for the user In this case if the switch s configuration contains a set authentication mac command that matches the SSID the user is attempting to access and the user s MAC address MSS uses the method specified by the command Otherwise MSS uses local MAC authentication by default If the username does not match an authentication rule for the SSID the user is attempting to access MSS uses the fa thru authentication type configured for the SSID which can be last resort web for WebAAA or none 236 CHAPTER 8 AAA COMMANDS Examples The following command configures EAP TLS authentication in the local WX database for SSID mycorp and 802 1X client Geetha WX4400 set authentication dotlx ssid mycorp Geetha eap tls local success change accepted The following command configures PEAP MS CHAP V2 authent
488. s a MAC address Specify a MAC address using colons to separate the octets for example 00 11 22 aa bb cc port port num Traces on a WX port number user username Traces a user Specify a username of up to 80 alphanumeric characters with no spaces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most information Levels 1 through 5 provide user readable information If you do not specify a level level 5 is the default Defaults The default trace level is 5 a Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to trace session manager activity for MAC address 00 01 02 03 04 05 WX4400 set trace sm mac addr 00 01 02 03 04 05 success change accepted See Also clear trace on page 590 display trace on page 591 596 CHAPTER 21 TRACE COMMANDS 22 SNOOP COMMANDS Use snoop commands to monitor wireless traffic by using a Distributed MAP as a sniffing device The MAP copies the sniffed 802 11 packets and sends the copies to an observer which is typically a protocol analyzer such as Ethereal or Tethereal For more information including setup instructions for the monitoring station see the Remotely Monitoring Traffic section in the Troubleshooting a WX Switch chapter of the Wireless LAN Switch and Controller Configuration Guide
489. s are authenticated but are not encrypted encrypted Message exchanges are authenticated and encrypted xretries num Specifies the number of times the MSS SNMP engine will resend a notification that has not been acknowledged by the target You can specify from O to 3 retries timeout num Specifies the number of seconds MSS waits for acknowledgement of a notification You can specify from 1 to 5 seconds SNMPv3 with Traps SNMPv2c with Informs set snmp notify target 183 To configure a notification target for traps from SNMPv3 use the following command Syntax set snmp notify target target num ip addr udp port number usm trap user username profile profile name security unsecured authenticated encrypted a target num ID for the target This ID is local to the WX switch and does not need to correspond to a value on the target itself You can specify a number from 1 to 10 ip addr udp port number IP address of the server You also can specify the UDP port number to send notifications to username USM username This option is applicable only when the SNMP version is usm profile profile name Notification profile this SNMP user will use to specify the notification types to send or drop security Specifies the security level and is applicable only unsecured when the SNMP version is usm authenticated unsecured Message exchanges are not encrypted authe
490. s option matches for either direction of a flow and either MAC address can be the source or destination address If you omit a condition all packets match that condition For example if you omit frame type all frame types match the filter For most conditions you can use eq equal to match only on traffic that matches the condition value Use neq not equal to match only on traffic that is not equal to the condition value observer ip addr Specifies the IP address of the station where the protocol analyzer is located If you do not specify an observer the MAP radio still counts the packets that match the filter snap length num Specifies the maximum number of bytes to capture If you do not specify a length the entire packet is copied and sent to the observer 3Com recommends specifying a snap length of 100 bytes or less Defaults No snoop filters are configured by default Access Enabled History Introduced in MSS Version 4 0 Usage Traffic that matches a snoop filter is copied after it is decrypted The decrypted clear version is sent to the observer For best results Do not specify an observer that is associated with the MAP where the snoop filter is running This configuration causes an endless cycle of snoop traffic If the snoop filter is running on a Distributed MAP and the MAP used a DHCP server in its local subnet to configure its IP information and the MAP did not receive a default g
491. s received This number includes octets received in frames that contained errors monitor port counters 79 Table 17 Output for monitor port counters continued Statistics Option Field Description packets Rx Unicast Number of unicast packets received This number does not include packets that contain errors Rx NonUnicast Number of broadcast and multicast packets received This number does not include packets that contain errors Tx Unicast Number of unicast packets transmitted This number does not include packets that contain errors TX NonUnicast Number of broadcast and multicast packets transmitted This number does not include packets that contain errors receive errors Rx Cre Number of frames received by the port that had the correct length but contained an invalid frame check sequence FCS value This statistic includes frames with misalignment errors Rx Error Total number of frames received in which the Physical layer PHY detected an error Rx Short Number of frames received by the port that were fewer than 64 bytes long Rx Overrun Number of frames received by the port that were valid but were longer than 1518 bytes This statistic does not include jumbo packets with valid CRCs transmit errors Tx Cre Number of frames transmitted by the port that had the correct length but contained an invalid FCS value Tx Short N
492. s the SSID must be set to web To use WebAAA for a wired authentication port edit the port configuration with the set port type wired auth command Examples The following commands create a subdirectory named corpa ssid copy a custom login page named corpa login html and a jpg image named corpa logo jpg into that subdirectory and set the Web login page for service profile to corpa login htm WX4400 mkdir corpa ssid success change accepted WX4400 copy tftp 10 1 1 1 corpa login html corpa ssid corpa login html success received 637 bytes in 0 253 seconds 2517 bytes sec WX4400 copy tftp 10 1 1 1 corpa logo jpg corpa ssid corpa logo jpg success received 1202 bytes in 0 402 seconds 2112 bytes sec WX4400 dir corpa ssid file Filename Size Created 388 CHAPTER 11 MANAGED ACCESS POINT COMMANDS file corpa login html 637 bytes Aug 12 2004 15 42 26 file corpa logo jpg 1202 bytes Aug 12 2004 15 57 11 Total 1839 bytes used 206577 Kbytes free WX4400 set service profile corpa service web aaa form corpa ssid corpa login html success change accepted See Also copy on page 567 dir on page 570 display service profile on page 321 mkdir on page 580 set port type wired auth on page 94 set service profile auth fallthru on page 374 set web portal on page 262 set service profile Specifies the static Wired Equivalent Privacy WEP key one of four to wep use for en
493. sage You can specify multiple Network Domain seeds on the WX switch When the WX switch needs to connect to a Network Domain seed it first attempts to connect to the seed with the highest affinity If that seed is unavailable the WX attempts to connect to the seed with the next highest affinity After a connection is made to a non highest affinity seed the WX switch then periodically attempts to connect to the highest affinity seed Examples The following command sets the WX switch as a member of the Network Domain whose seed has the IP address 192 168 1 8 WX1200 set network domain mode member seed ip 192 168 1 8 success change accepted The following command sets the WX switch as a member of a Network Domain whose seed has the IP address 192 168 9 254 and sets the affinity for that seed to 7 If the WX switch specifies other Network Domain seeds and they are configured with the default affinity of 5 then 192 168 9 254 becomes the primary Network Domain seed for this WX switch set network domain peer 281 WX1200 set network domain mode member seed ip 192 168 9 254 affinity 7 success change accepted See Also Clear network domain on page 274 display network domain on page 278 set network domain peer On a Network Domain seed configures one or more WX switches as redundant Network Domain seeds The seeds in a Network Domain share information about the VLANs configured on the member devices so that all the
494. sappearTraps success change accepted set snmp notify target 181 WX1200 set snmp notify profile snmpprof rfdetect send RFDetectSpoofedMacAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectSpoofedSsidAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectUnAuthorizedAPTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectUnAuthorizedOuiTraps success change accepted WX1200 set snmp notify profile snmpprof rfdetect send RFDetectUnAuthorizedSsidTraps success change accepted See Also Clear snmp notify profile on page 133 set ip snmp server on page 169 set snmp community on page 175 set snmp notify target on page 181 set snmp protocol on page 186 set snmp security on page 187 set snmp usm on page 188 setsnmp notify profile on page 177 set snmp notify Configures a notification target for notifications from SNMP target x A notification target is a remote device to which MSS sends SNMP notifications You can configure the MSS SNMP engine to send confirmed notifications informs or unconfirmed notifications traps Some of the command options differ depending on the SNMP version and the type of notification you specify You can configure up to 10 notification targets SNMPv3 with Informs To configure a notification target for info
495. se the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes 802 1X authentication for network users with usernames ending in thiscorp com who try to access SSID finance WX4400 clear authentication dotlx ssid finance thiscorp com See Also Clear authentication admin on page 204 Clear authentication console on page 205 Clear authentication last resort on page 207 Clear authentication mac on page 208 Clear authentication proxy on page 209 display aaa on page 219 set authentication dot1x on page 233 clear authentication last resort 207 clear authentication last resort Removes a last resort authentication rule Syntax clear authentication last resort ssid ssid name wired a ssid ssid name SSID name to which this authentication rule applies wired Clears a rule used for access over a WX switch s wired authentication port Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes a last resort authentication rule for wired authentication access WxX4400 clear authe
496. security model all Enables all supported versions of SNMP enable Enables the specified SNMP version s disable Disables the specified SNMP version s Defaults All SNMP versions are disabled by default Access Enabled History Introduced in MSS Version 4 0 Usage SNMP requires the switch s system IP address to be set SNMP will not work without the system IP address You also must enable the SNMP service using the set ip snmp server command Examples The following command enables all SNMP versions WX1200 set snmp protocol all enable success change accepted See Also set ip snmp server on page 169 set snmp community on page 175 set snmp security 187 set snmp notify target on page 181 set snmp security on page 187 set snmp usm on page 188 display snmp status on page 153 set snmp security Sets the minimum level of security MSS requires for SNMP message exchanges Syntax set snmp security unsecured authenticated encrypted auth req unsec notify unsecured SNMP message exchanges are not secure This is the only value supported for SNMPv1 and SNMPv2c authenticated SNMP message exchanges are authenticated but are not encrypted encrypted SNMP message exchanges are authenticated and encrypted auth req unsec notify SNMP message exchanges are authenticated but are not encrypted and notifications are neither authentic
497. sending probe any requests probe requests with a null SSID name to solicit probe responses from other access points Syntax set rfdetect active scan enable disable enable Enables active RF detection scanning disable Disables active RF detection scanning Defaults Active scanning is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage You can enter this command on any WX switch in the Mobility Domain The command takes effect only on that switch Examples The following command disables active scanning on a WX switch WX1200 set rfdetect active scan disable success off channel scanning is disabled set rfdetect attack list Adds an entry to the attack list The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network The attack list can contain the MAC addresses of APs and clients Syntax set rfdetect attack list mac addr mac addr MAC address you want to attack Defaults The attack list is empty by default Access Enabled History Introduced in MSS Version 4 0 Usage The attack list applies only to the WX switch on which the list is configured WX switches do not share attack lists set rfdetect black list 555 When on demand countermeasures are enabled with the set radio profile countermeasures configured command only those devices co
498. ser is accessing this session display sessions network 529 Table 92 Additional display sessions network verbose Output Field Description Client MAC MAC address of the session user GID Global session ID a unique session number within a Mobility Domain State Status of the session AUTH ASSOC REQ Client is being associated by the 802 1X protocol AUTH AND ASSOC Client is being associated by the 802 1X protocol and the user is being authenticated AUTHORIZING User has been authenticated for example by the 802 1X protocol and an AAA method and is entering AAA authorization AUTHORIZED User has been authorized by an AAA method ACTIVE User s AAA attributes have been applied and the user is active on the network DEASSOCIATED One of the following Wireless client has sent the WX switch a disassociate message User associated with one of the current WX switch s MAP access points has appeared at another WX switch in the Mobility Domain ROAMING AWAY The W switch has been sent a request to transfer the user who is roaming to another WX switch STATUS UPDATED WX switch is receiving a final update from a MAP access point about the user who has roamed away WEB_AUTHING User is being authenticated by WebAAA WIRED AUTH ING User is being authenticated by the 802 1X protocol on a wired authentication port KILLING User s session is being cleared
499. ser who is authenticated by a MAC address To remove a MAC user group profile in RADIUS see the documentation for your RADIUS server Syntax clear mac user mac addr group mac addr MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros Defaults None clear mac usergroup 213 Access Enabled History Introduced in MSS Version 3 0 Usage Removing a MAC user from a MAC user group removes the group name from the user s profile but does not delete the user group from the local WX database To remove the group use clear mac usergroup Examples The following command deletes the user profile for a user at MAC address 01 02 03 04 05 06 from its user group WX4400 clear mac user 01 02 03 04 05 06 group success change accepted See Also clear mac usergroup on page 213 display aaa on page 219 set mac user on page 248 clear mac usergroup Removes a user group from the local database on the WX switch for a group of users who are authenticated by a MAC address To delete a MAC user group in RADIUS see the documentation for your RADIUS server Syntax clear mac usergroup group name group name Name of an existing MAC user group Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage To remove a user from a MAC user group use the clear mac user group command Examples The following
500. service profile sp2 cipher ccmp enable success change accepted See Also a set service profile cipher tkip on page 378 set service profile cipher wep104 on page 379 set service profile cipher wep40 on page 380 set service profile wpa ie on page 391 set service profile cipher tkip Disables or reenables Temporal Key Integrity Protocol TKIP encryption in a service profile Syntax set service profile name cipher tkip enable disable a name Service profile name enable Enables TKIP encryption for WPA clients disable Disables TKIP encryption for WPA clients Defaults When the WPA IE is enabled TKIP encryption is enabled by default Access Enabled History Introduced in MSS Version 3 0 Usage To use TKIP you must also enable the WPA IE Examples The following command disables TKIP encryption in service profile sp2 WX4400 set service profile sp2 cipher tkip disable success change accepted See Also set service profile cipher ccmp on page 377 set service profile cipher wep104 on page 379 set service profile cipher wep40 on page 380 set service proftile cipher wep104 379 set service profile tkip mc time on page 386 set service profile wpa ie on page 391 set service profile cipher wep104 Enables dynamic Wired Equivalent Privacy WEP with 104 bit keys in a service profile Syntax set service profile name cipher wep104 enable disable
501. set dap fingerprint 331 Usage Changing the LED blink mode does not alter operation of the MAP access point Only the behavior of the LEDs is affected Examples The following command enables LED blink mode on the MAP access points connected to ports 3 and 4 WX1200 set ap 3 4 blink enable success change accepted set dap fingerprint Verifies a MAP s fingerprint on a WX switch If MAP WX security is required by a WX switch a MAP can establish a management session with the switch only if you have verified the MAP s identity by verifying its fingerprint on the switch Syntax set dap num fingerprint hex a num Number of the Distributed MAP whose fingerprint you are verifying hex The 16 digit hexadecimal number of the fingerprint Use a colon between each digit Make sure the fingerprint you enter matches the fingerprint used by the MAP Defaults None Access Enabled History Introduced in MSS 4 0 Usage MAPs are configured with an encryption key pair at the factory The fingerprint for the public key is displayed on a label on the back of the MAP in the following format RSA aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa If a MAP is already installed and operating you can use the display dap status command to display the fingerprint The display dap config command lists a MAP s fingerprint only if the fingerprint has been verified in MSS If the fingerprint has not been verified the
502. set port type ap 1 3 5 model ap2750 poe enable This may affect the power applied on the configured ports Would you like to continue y n nly The following command sets ports 1 through 3 and port 5 for MAP access point model AP7250 and enables PoE on the ports WX1200 set port type ap 1 3 5 model ap7250 poe enable This may affect the power applied on the configured ports Would you like to continue y n nly The following command sets ports 1 through 3 and port 5 for MAP access point model AP8250 and enables PoE on the ports WX1200 set port type ap 1 3 5 model ap8250 poe enable This may affect the power applied on the configured ports Would you like to continue y n nly The following command sets ports 1 through 3 and port 5 for MAP access point model AP8750 and enables PoE on the ports WX1200 set port type ap 1 3 5 model ap8750 poe enable This may affect the power applied on the configured ports Would you like to continue y n nly 94 CHAPTER 4 PORT COMMANDS set port type wired auth gt The following command resets port 5 by clearing it WX1200 clear port type 5 This may disrupt currently authenticated users Are you sure y n nly success change accepted See Also clear dap on page 64 Clear port type on page 68 set ap dap radio antennatype on page 334 set dap on page 81 set port type wired auth on page 94 set radio profile 11g only on page 347 set system countrycode on
503. setting is 0x00000000 all flags disabled and the default options list is run nos boot 0 The default device setting is the boot partition specified by the most recent set boot partition command typed at the Enabled level of the CLI or boot 0 if the command has never been typed Access Boot prompt History Introduced in MSS Version 3 0 Usage After you type the change command the system interactively displays the current setting of each parameter and prompts you for the new setting When prompted type the new setting press Enter to accept the current setting or type period to change the setting to its default value To back up to the previous parameter type hyphen For information about each of the boot parameters you can set see display on page 628 Examples The following command enters the configuration mode for the currently active boot profile changes the device to boot and leaves the other parameters with their current settings boot gt change Changing the default configuration is not recommended Are you sure that you want to proceed y n BOOT TYPE Lel DEVICE boot0 boot1 FILENAME default FLAGS 0x00000000 OPTIONS run nos boot 0 624 CHAPTER 24 BOOT PROMPT COMMANDS The following command enters the configuration mode for the currently active boot profile and configures the WX switch in this example an WXR100 to boot using a TFTP server boot gt
504. sions max sessions max sessions display dotix 507 Type the following command to display 802 1X statistics WX4400 display dotlx stats 802 1X statistic Enters Connecting Logoffs While Connec Success While Authen lt q Timeouts Failures Whil Reauths Whi le Authen Enters Authenticating ting tica tica ting While Authenticating Authenticating ting Starts While Authenticating Logoffs While Authenticating Starts While Authenticated Logoffs While Authenticated Bad Packets Received Table 87 explains the counters in the display dot1x stats output 508 CHAPTER 17 802 1X MANAGEMENT COMMANDS Table 87 display dot1x stats Output Field Description Enters Connecting Number of times that the WX switch state transitions to the CONNECTING state from any other state Logoffs While Connecting Number of times that the WX switch state transitions from CONNECTING to DISCONNECTED as a result of receiving an EAPoL Logoff message Enters Authenticating Number of times that the state wildcard transitions Success While Authenticating Number of times the WX switch state transitions from AUTHENTICATING from AUTHENTICATED as a result of an EAP Response Identity message being received from the supplicant client Timeouts While Authenticating Number of times that the WX switch state wildcard Failures While Aut
505. soft MS DOS Windows Windows XP and Windows NT are registered trademarks of Microsoft Corporation All other company and product names may be trademarks of the respective companies with which they are associated ENVIRONMENTAL STATEMENT It is the policy of 3Com Corporation to be environmentally friendly in all operations To uphold our policy we are committed to Establishing environmental performance standards that comply with national legislation and regulations Conserving energy materials and natural resources in all operations Reducing the waste generated by all operations Ensuring that all waste conforms to recognized environmental standards Maximizing the recyclable and reusable content of all products Ensuring that all products can be recycled reused and disposed of safely Ensuring that all products are labelled according to recognized environmental standards Improving our environmental record on a continual basis End of Life Statement 3Com processes allow for the recovery reclamation and safe disposal of all end of life electronic components Regulated Materials Statement 3Com products do not contain any hazardous or ozone depleting material Environmental Statement about the Documentation The documentation for this product is printed on paper that comes from sustainable managed forests it is fully biodegradable and recyclable and is completely chlorine free The varnish is environmentally friendly and the in
506. splay aaa on page 219 set user group on page 260 clear usergroup Removes a user group and its attributes from the local database on the WX switch for users with passwords To delete a user group in RADIUS see the documentation for your RADIUS server Syntax clear usergroup group name group name Name of an existing user group 218 CHAPTER 8 AAA COMMANDS Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage Removing a user group from the local WX database does not remove the user profiles of the group s members from the database Examples The following command deletes the cardiology user group from the local database WX4400 clear usergroup cardiology success change accepted See Also Clear usergroup attr on page 218 display aaa on page 219 set usergroup on page 261 clear usergroup attr Removes an authorization attribute from a user group in the local database on the WX switch To remove an authorization attribute in RADIUS see the documentation for your RADIUS server Syntax clear usergroup group name attr attribute name group name Name of an existing user group attribute name Name of an attribute used to authorize all the users in the group for a particular service or session characteristic For a list of authorization attributes see Table 44 on page 249 Defaults None Access Enabled History
507. splay roaming vlan 108 splay security 12 restrict 109 splay security acl 450 splay security acl editbuffer 450 splay security acl hits 451 splay security acl info 452 splay security acl map 453 splay security acl resource usage 454 splay service profile 321 splay sessions 522 splay sessions network 525 splay snmp community 151 splay snmp counters 152 splay snmp notify profile 152 splay snmp notify target 152 splay snmp status 153 splay snmp usm 154 splay snoop 604 splay snoop info 604 splay snoop map 605 splay snoop stats 606 splay spantree 398 splay spantree backbonefast 400 splay spantree blockedports 401 splay spantree portfast 402 splay spantree portvlancost 403 splay spantree statistics 403 splay spantree uplinkfast 409 splay summertime 154 splay system 43 splay timedate 155 splay timezone 155 splay trace 591 splay tunnel 110 splay version 576 splay vlan config 111 aaoo L load config 578 ls 632 M md5 580 mkdir 580 monitor port counters 76 N next 633 P ping 156 Q quickstart 48 quit 34 R reset 634 reset ap dap 324 reset port 81 reset system 582 rmdir 584 rollback security acl 458 et 560 F fver 630 S save config 584 save trace 592 set ap dap bias 328 set ap dap blink 330 332 set ap dap name 333 set ap dap radio antennatype 334 set ap dap radio auto tune max power 335 set ap dap radio aut
508. splays information about network session 27 WX1200 display sessions network session id 27 Global Id SESS 27 000430 835586 58dfe5a State ACTIVE Port Radio 3 1 MAC Address 00 00 2d 6 44 77 User Name EXAMPLE Natasha IP Address 10 10 40 17 Vlan Name vlan eng Tag 1 Session Timeout 1800 Authentication Method PEAP using server 10 10 70 20 Session statistics as updated from AP Unicast packets in 653 Unicast bytes in 46211 Unicast packets out 450 Unicast bytes out 50478 ulticast packets in 317 ulticast bytes in 10144 umber of packets with encryption errors 0 umber of bytes with encryption errors 0 Last packet data rate 2 Last packet signal strength 67 dBm Last packet data S N ratio 55 Table 91 describes the output of this command For descriptions of the fields of display sessions network session id output see Table 93 on page 530 Table 91 display sessions network summary Output Field Description User Name Up to 30 characters of the name of the authenticated user of this session Sess ID Locally unique number that identifies this session An asterisk next to the session ID indicates fully active sessions IP or MAC Address IP address of the session user or the user s MAC address if the user has not yet received an IP address VLAN Name Name of the VLAN associated with the session Port Radio Number of the port and radio through which the u
509. ssid any peap mschapv2 sgl sg2 sg3 accounting dotlx Nin ssid mycorp stop only sg2 accounting admin Natasha start stop local hentication last resort ssid guestssid local user Nin Password Filter Filter 082c6c64060b Id acl 999 in Id acl 999 out user last resort guestssid Vlan Name k2 user last resort any Vlan Name foo mac user 01 02 03 04 05 06 usergroup eastcoasters sess ion timeout 99 encrypted Table 42 display aaa Output Table 42 describes the fields that can appear in display aaa output Field Description Default Values RADIUS default values for all parameters authport UDP port on the WX switch for transmission of RADIUS authorization and authentication messages The default port is 1812 acctport UDP port on the WX switch for transmission of RADIUS accounting records The default is port 1813 timeout Number of seconds the WX switch waits for a RADIUS server to respond before retransmitting 1 5 seconds The default i nn acct timeout Number of seconds the WX switch waits for a RADIUS server to respond to an accounting request before retransmitting The default is 5 seconds retrans Number of times the WX switch retransmits a message before determining a RADIUS server unresponsive The default is 3 times display aaa 221 Table 42 display aaa Output continued deadtime Number of minutes the WX switch waits after det
510. ssid mycorp local success change accepted See Also Clear authentication last resort on page 207 display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication dot1x on page 233 set authentication mac on page 239 set authentication web on page 242 set authentication mac 239 set authentication mac Configures authentication and defines where it is performed for specified non 802 1X users with network access through a media access control MAC address Syntax set authentication mac ssid ssid name wired mac addr glob method1 method2 method3 method4 a ssid ssid name SSID name to which this authentication rule applies To apply the rule to all SSIDs type any wired Applies this authentication rule specifically to users connected to a wired authentication port mac addr glob A single user or set of users with access via a MAC address Specify a MAC address or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 27 methodl1 method2 method3 method4 At least one of up to four methods that MSS uses to handle authentication Specify one or more of the following methods in priority order MSS applies multiple methods in the order you enter them A method can be one of the following local Uses the local database of usernames and user groups on
511. st MAC addressed to which the last 802 11 packet detected from the client was addressed Last Rogue Status Check Number of seconds since the WX switch looked on the air for the AP with which the rogue client is associated The switch looks for the client s AP by sending a packet from the wired side of the network addressed to the client and watching the air for a wireless packet containing the client s MAC address display rfdetect Displays the current status of countermeasures against rogues in the countermeasures Mobility Domain Syntax display rfdetect countermeasures Defaults None Access Enabled History Output no longer lists rogues for which countermeasures have not been started in MSS Version 4 0 Usage This command is valid only on the seed switch of the Mobility Domain Examples The following example displays countermeasures status for the Mobility Domain WX4400 display rfdetect countermeasures Total number of entries 190 Rogue MAC Type Countermeasures WX IPaddr Radio Mac 00 0b 0e 00 71 c0O intfr 00 0b 0e 44 55 66 10 1 1 23 00 0b 0e 03 00 80 rogue 00 0b 0e 11 22 33 10 1 1 23 Port Radio Channel dap 4 1 6 dap 2 1 11 542 CHAPTER 19 RF DETECTION COMMANDS Table 97 describes the fields in this display Table 97 display rfdetect countermeasures Output Field Description Rogue MAC BSSID of the rogue Type Classification of the rogue device rogue
512. stored in the nonvolatile log buffer or the trace buffer Syntax display log trace number of messages facility facility name matching string severity severity level trace Displays the log messages in the trace buffer number of messages Displays the number of messages specified as follows A positive number for example 100 displays that number of log entries starting from the oldest in the log A negative number for example 100 displays that number of log entries starting from newest in the log A number preceded by a slash for example 100 displays that number of the most recent log entries in the log starting with the least recent facility facility name Area of MSS that is sending the log message Type a space and a question mark after display log trace facility for a list of valid facilities matching string Displays messages that match a string for example a username or IP address severity severity level Displays messages at a severity level greater than or equal to the level specified Specify one of the following emergency The WX switch is unusable alert Action must be taken immediately a critical You must resolve the critical conditions If the conditions are not resolved the WX can reboot or shut down error The WX is missing data or is unable to form a connection warning A possible problem exists
513. story Introduced in MSS Version 3 0 Examples To view information about sessions of administrative users type the following command WX4400 gt display sessions admin Tty Username Time s Type tty0 3644 Console tty2 tech 6 Telnet tty3 sshadmin 381 SSH 3 admin sessions To view information about console users sessions type the following command WxX4400 gt display sessions console Tty Username Time s console 8573 1 console session To view information about Telnet users sessions type the following command WxX4400 gt display sessions telnet Tty Username Time s 524 CHAPTER 18 SESSION MANAGEMENT COMMANDS To view information about Telnet client sessions type the following command WxX4400 display sessions telnet client Session Server Address Server Port Client Port 0 192 168 1 81 23 48000 1 10 10 1 22 23 48001 Table 89 describes the fields of the display sessions admin display sessions console and display sessions telnet displays Table 89 display sessions admin display sessions console and display sessions telnet Output Field Description users connected through the console port Username Up to 30 characters of the name of an authenticated user Time s Number of seconds the session has been active Type Type of administrative session a Console SSH a Telnet Table 90 describes the fields of the display sessions telnet client display Table 90 display sessions
514. suite must be enabled The WPA IE also must be enabled Examples The following command changes the countermeasures wait time for service profile sp3 to 30 000 ms 30 seconds WX4400 set service profile sp3 tkip mc time 30000 success change accepted See Also set service profile cipher tkip on page 378 set service profile wpa ie on page 391 set service profile web portal form 387 set service profile web portal form Specifies a custom login page to serve to WebAAA users who request the SSID managed by the service profile Syntax set service profile name web portal form url name Service profile name a url WX subdirectory name and HTML page name of the login page Specify the full path For example corpa ssid corpa html Defaults The 3Com Web login page is served by default Access Enabled History Introduced in MSS Version 3 0 Option name changed from web aaa form to web portal form to reflect change to portal based implementation in MSS Version 4 0 Usage 3Com recommends that you create a subdirectory for the custom page and place all the page s files in that subdirectory Do not place the custom page in the root directory of the switch s user file area If the custom login page includes gif or jog images their path names are interpreted relative to the directory from which the page is served To use WebAAA the fallthru authentication type in the service profile that manage
515. supplicant client Syntax clear dotlx max req Defaults The default number is 20 Access Enabled History Introduced in MSS Version 3 0 Examples To reset the number of 802 1X requests the WX can send to the default setting type the following command WX4400 clear dotlx max req success change accepted See Also display dot1x on page 505 set dot1x max req on page 511 clear dot1x port control Resets all wired authentication ports on the WX switch to default 802 1X authentication Syntax clear dotlx port control By default all wired authentication ports are set to auto and they process authentication requests as determined by the set authentication dot1X command Access Enabled History Introduced in MSS Version 3 0 502 CHAPTER 17 802 1X MANAGEMENT COMMANDS Usage This command is overridden by the set dot1x authcontrol command The clear dot1x port control command returns port control to the method configured This command applies only to wired authentication ports Examples Type the following command to reset the wired authentication port control WX4400 clear dotlx port control success change accepted See Also display dot1x on page 505 set dot1x port control on page 512 clear dot1x quiet period Resets the quiet period after a failed authentication to the default setting Syntax clear dotlx quiet period Defaults The default is 60 secon
516. switch WX4400 clear radius proxy client all success change accepted See Also set radius proxy client on page 492 clear radius proxy port Removes RADIUS proxy ports configured for third party APs Syntax clear radius proxy port all Defaults None Access Enabled History Introduced in MSS 4 0 Examples The following command clears all RADIUS proxy port entries from the switch WX4400 clear radius proxy port all success change accepted See Also set radius proxy port on page 493 clear radius server 489 clear radius server Removes the named RADIUS server from the WX configuration Syntax clear radius server server name a server name Name of a RADIUS server configured to perform remote AAA services for the WX switch Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the RADIUS server rs42 from a list of remote AAA servers WxX4400 clear radius server rs42 success change accepted See Also display aaa on page 219 set radius server on page 494 clear server group Removes a RADIUS server group from the configuration or disables load balancing for the group Syntax clear server group group name load balance group name Name of a RADIUS server group configured to perform remote AAA services for WX switches load balance Ability of group members to share dem
517. t are committed saved in the running configuration and nonvolatile storage or the contents of security ACLs in the edit buffer before they are committed Syntax display security acl info acl name all editbuffer acl name Name of an existing security ACL to display ACL names must start with a letter and are case insensitive all Displays the contents of all security ACLs editbuffer Displays the contents of the specified security ACL or all security ACLs that are stored in the edit buffer after being created with set security acl If you do not use this parameter only committed ACLs are shown Defaults None Access Enabled History Introduced in MSS Version 3 0 The ac name all option is no longer required display security acl info is valid and displays the same information as security acl info all in MSS Version 4 1 display security aclmap 453 Examples To display the contents of all security ACLs committed on a WX switch type the following command WX4400 display security acl info ACL information for all set security acl ip acl 123 hits 5 462 1 permit IP source IP 192 168 1 11 0 2 deny IP source IP 192 168 2 11 0 0 set security acl ip acl_134 hits 3 0 255 destination IP any enable hits destination IP any T 1 permit IP source IP 192 168 0 1 0 0 0 0 destination IP any enable hits set security acl ip acl_135 hits 2 0 1 deny IP source
518. t the minimum data rate or higher for all clients the radio continues reducing power in 1 dBm increments until it returns to its normal power level A radio also can increase power in 1 dBm increments if more than the allowed percentage of packets received by the radio from a client are retransmissions After a radio increases power all clients must be at the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile before the radio begins reducing power again Examples The following command increases the minimum data rate on radio 1 which is an 802 11b g radio on the MAP access port on port 6 to 11 Mbps WX1200 set ap 6 radio 1 min client rate 11 success change accepted See Also set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set ap dap radio mode Enables or disables a radio on a MAP access point Syntax set ap port list dap dap num auto radio 1 2 mode enable disable a ap port list List of ports connected to the MAP access point s on which to turn a radio on or off dap dap num Number of a Distributed MAP on which to turn a radio on or off dap auto Sets the radio mode for MAPs managed by the MAP configuration profile See set dap auto on page 325 radio 1 Radio 1 of the MAP 342 CHAPTER 11 MANAGED ACCESS POINT COMMANDS radio 2 Radio 2 of
519. t in the core themselves Do not enable the feature on WX switches that are in the network core Examples The following command enables uplink fast convergence WxX4400 set spantree uplinkfast enable success change accepted See Also display spantree uplinkfast on page 409 13 IGMP SNOOPING COMMANDS Use Internet Group Management Protocol IGMP snooping commands to configure and manage multicast traffic reduction on a WX Commands by usage This chapter presents IGMP snooping commands alphabetically Use the Table 74 to locate commands in this chapter based on their use Table 74 IGMP Commands by Usage Type Command IGMP Snooping State set igmp on page 433 display igmp on page 422 Proxy Reporting set igmp proxy report on page 438 Pseudo querier set igmp querier on page 441 display igmp querier on page 427 Timers set igmp qi on page 439 set igmp oqi on page 437 set igmp qri on page 440 set igmp Imqi on page 434 set igmp rv on page 442 Router Solicitation set igmp mrsol on page 436 set igmp mrsol mrsi on page 436 Multicast Routers set igmp mrouter on page 435 display igmp mrouter on page 426 Multicast Receivers set igmp receiver on page 441 display igmp receiver table on page 429 Statistics display igmp statistics on page 431 clear igmp statistics on page 422 422 CHAPTER 13 IGMP SNOOPING COMMANDS clear igmp statistics
520. t mobility profile name magnolia port 2 success change accepted WX1200 set mobility profile mode enable success change accepted WX1200 set user Jose attr mobility profile magnolia success change accepted set mobility profile mode 257 The following command adds port 3 to the magnolia Mobility Profile which is already assigned to port 2 WX1200 set mobility profile name magnolia port 3 success change accepted See Also Clear mobility profile on page 215 display mobility profile on page 224 set mac user attr on page 249 set mac usergroup attr on page 254 set mobility profile mode on page 257 set user attr on page 259 set usergroup on page 261 set mobility profile mode AN Enables or disables the Mobility Profile feature on the WX switch CAUTION When the Mobility Profile feature is enabled a user is denied access if assigned a Mobility Profile attribute in the local WX switch database or RADIUS server when no Mobility Profile of that name exists on the WX switch Syntax set mobility profile mode enable disable enable Enables the use of the Mobility Profile feature on the WX switch a disable Specifies that all Mobility Profile attributes are ignored by the WX switch Defaults The Mobility Profile feature is disabled by default Access Enabled History Introduced in MSS Version 3 0 Examples To enable the use of the Mobility Profile feature
521. t preference Configures a gigabit Ethernet port on a WX4400 to use the RJ 45 copper interface when available as the active link instead of the fiber interface Syntax set port preference port list rj45 a port list List of physical ports MSS sets the preference on all the specified ports 41345 Prefers the copper interface Defaults When both the copper and fiber interfaces of a gigabit Ethernet port are connected the GBIC fiber interface is the active link The RJ 45 copper link is unused Access Enabled History Introduced in MSS Version 3 0 Usage This command applies only to the WX4400 If you set the preference to RJ 45 copper on a port that already has an active fiber link MSS immediately changes the link to the copper interface set port speed 89 Examples The following command sets the preference of port 2 ona WX4400 to RJ 45 copper WX4400 set port preference 2 rj45 See Also Clear port preference on page 67 display port preference on page 72 set port speed Changes the speed of a port Syntax set port speed port list 10 100 1000 auto a port list List of physical ports MSS sets the port speed on all the specified ports 10 Sets the port speed of a 10 100 Ethernet port to 10 Mbps and sets the operating mode to full duplex 100 Sets the port speed of a 10 100 Ethernet port to 100 Mbps and sets the operating mode to full d
522. t service profile wep active multicast index on page 388 set service profile wep active unicast index on page 389 set service profile wep key index on page 390 set service profile shared key auth on page 384 display service profile on page 321 clear service profile on page 289 RF Auto Tuning set radio profile auto tune channel config on page 349 set radio profile auto tune channel holddown on page 350 set radio profile auto tune channel interval on page 351 set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 set ap dap radio auto tune min client rate on page 340 display auto tune neighbors on page 311 display auto tune attributes on page 309 286 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 49 Map Access Point Commands by Usage continued Type Command MAP WxX Security set dap fingerprint on page 331 set dap security on page 345 Radio State set ap dap radio mode on page 341 Dual Homing set ap dap bias on page 328 Load Balancing set ap dap group on page 332 display ap dap group on page 303 MAP set ap dap name on page 333 Administration and Maintenance set a
523. t service profile wpa ie on page 391 reset ap dap Restarts a MAP access point Syntax reset ap port list dap dap num ap port list List of ports connected to the MAP access points to restart dap dap num Number of a Distributed MAP to reset Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage When you enter this command the MAP access point drops all sessions and reboots CAUTION Restarting a MAP access point can cause data loss for users who are currently associated with the MAP Examples The following command resets the MAP access point on port 6 WX1200 reset ap 6 This will reset specified AP devices Would you like to continue y n y success rebooting ap attached to port 6 set dap auto 325 set dap auto Creates a profile for automatic configuration of Distributed MAPs Syntax set dap auto Defaults None Access Enabled History Introduced in MSS 4 0 Usage Table 65 lists the configurable profile parameters and their defaults The only parameter that requires configuration is the profile mode The profile is disabled by default To use the profile to configure Distributed MAPs you must enable the profile using the set dap auto mode enable command The profile uses the default radio profile by default You can change the profile using the set dap auto radio radio profile command You can use set dap auto comma
524. t sign or a period For details see User Globs MAC Address Globs and VLAN Globs on page 26 radius server group A group of RADIUS servers used for authentication Defaults None Access Enabled History Introduced in MSS 4 0 Usage AAA for third party AP users has additional configuration requirements See the Configuring AAA for Users of Third Party APs section in the Configuring AAA for Network Users chapter of the Wireless LAN Switch and Controller Configuration Guide Examples The following command configures a proxy authentication rule that matches on all usernames associated with SSID mycorp MSS uses RADIUS server group srvrgro7 to proxy RADIUS requests and hence to authenticate and authorize the users WX4400 set authentication proxy ssid mycorp srvrgrpl See Also Clear authentication proxy on page 209 set radius proxy client on page 492 set radius proxy port on page 493 242 CHAPTER 8 AAA COMMANDS set authentication web Configures an authentication rule to allow a user to log in to the network using a web page served by the WX switch The rule can be activated if the user is not otherwise granted or denied access by 802 1X or granted access by MAC authentication Syntax set authentication web ssid ssid name wired user glob methodl method2 method3 method4 user glob A single user or a set of users Specify a username use the d
525. t statistics These are the same Statistics displayed by the display igmp statistics command 426 CHAPTER 13 IGMP SNOOPING COMMANDS Table 75 Output for display igmp continued Field Description VLAN VLAN name MSS displays information separately for each VLAN IGMP is enabled IGMP state disabled See Also display igmp mrouter on page 426 display igmp querier on page 427 display igmp receiver table on page 429 display igmp statistics on page 431 display igmp mrouter Displays the multicast routers in a WX s subnet on one VLAN or all VLANs Routers are listed separately for each VLAN according to the port number through which the wireless LAN switch can reach the router Syntax display igmp mrouter vlan vlan id vlan vlan id VLAN name or number If you do not specify a VLAN MSS displays the multicast routers in all VLANs Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command displays the multicast routers in VLAN orange WX1200 display igmp mrouter vlan orange Multicast routers for vlan orange Port Mrouter IPaddr Mrouter MAC Type TTL 192 28 7 5 00 01 02 03 04 05 dvmrp 33 Table 76 describes the fields in this display display igmp querier 427 Table 76 Output for display igmp mrouter Field Description Multicast routers for vlan VLAN containing the multicast routers Ports are listed separately for each V
526. t the WX switch uses for accounting timeout seconds Number of seconds the WX switch waits for the RADIUS server to respond before retransmitting You can specify from 1 to 65 535 seconds retransmit number Number of transmission attempts made before declaring an unresponsive RADIUS server unavailable You can specify from 1 to 100 retries deadtime minutes Number of minutes the WX switch waits after declaring an unresponsive RADIUS server unavailable before retrying that RADIUS server Specify between 0 zero and 1440 minutes 24 hours A zero value causes the switch to identify unresponsive servers as available set radius server 495 key string Password shared secret key the WX switch uses to authenticate to the RADIUS server You must provide the same password that is defined on the RADIUS server The password can be 1 to 32 characters long with no spaces or tabs author password password Password used for authorization to a RADIUS server for MAC users Specify a password of up to 32 alphanumeric characters with no spaces or tabs Defaults Default values are listed below auth port UDP port 1812 acct port UDP port 1813 timeout 5 seconds retransmit 3 the total number of attempts including the first attempt deadtime 0 zero minutes The WX switch does not designate unresponsive RADIUS servers as unavailable key No key author password
527. tect mobility domain Total number of entries 194 Flags i infrastructure a ad hoc u unresolved c CCMP t TKIP 1 104 bit WEP 4 40 bit WEP w WEP non WPA BSSID Vendor Type Flags SSID 0 0 3 074 503d52Ce8 9 7 Cisco intfr i w r27 ciscol200 2 00 07 50 d5 dc 78 Cisco intfr i w r116 ciscol200 2 00 09 b7 7b 8a 54 Cisco Intr IFs 00 0a 5e 4b 4a c0 3Com intfr i public 00 0a 5e 4b 4a c2 3Com intfr i w 3Comwlan 00 0a 5e 4b 4a c4 3Com intfr ic 3Com ccmp 00 0a 5e 4b 4a c6 3Com intfr i w 3Com tkip 00 0a 5e 4b 4a c8 3Com intfr i w 3Com voip 00 0a 5e 4b 4a ca 3Com intfr i 3Com webaaa The lines in this display are compiled from data from multiple listeners MAP radios If an item has the value unresolved not all listeners agree on the value for that item Generally an unresolved state occurs only when a MAP or a Mobility Domain is still coming up and lasts only briefly The following command displays detailed information for rogues using SSID 3com webaaa WX1200 display rfdetect mobility domain ssid 3Com webaaa BSSID 00 0a 5e 4b 4a ca Vendor 3Com SSID 3Com webaaa Type intfr Adhoc no Crypto types clear Wx IPaddress 10 8 121 102 Port Radio Ch 3 1 11 Mac 00 0b 0e 00 0a 6a Device type interfering Adhoc no Crypto types clear RSSI 85 SSID 3Com webaaa 548 CHAPTER 19 RF DETECTION COMMANDS BSSID 00 0b 0e 00 7a 8a Vendor 3Com SSID 3com webaaa Type intfr Adhoc no Cr
528. ted The following command configures the channel and transmit power on the 802 11b g radio on the MAP access point connected to port 1 WX1200 set ap 1 radio 1 channel 1 tx power 10 success change accepted See Also display ap dap config on page 290 set ap dap radio channel on page 339 set dap security gt Sets security requirements for management sessions between a WX switch and its Distributed MAPs This feature applies to Distributed MAPs only not to directly connected MAPs configured on MAP access ports The maximum transmission unit MTU for encrypted MAP management traffic is 1498 bytes whereas the MTU for unencrypted management traffic is 1474 bytes Make sure the devices in the intermediate network between the WX switch and Distributed MAP can support the higher MTU Syntax set dap security require optional none require Requires all Distributed MAPs to have encryption keys that have been verified in the CLI by an administrator If a MAP does not have an encryption key or the key has not been verified the WX does not establish a management session with the MAP optional Allows MAPs to be managed by the switch even if they do not have encryption keys or their keys have not been verified by an administrator Encryption is used for MAPs that support it none Encryption is not used even for MAPs that support it Defaults The default setting is optional Access
529. ted MAP 1 is DAPO7 Access Enabled History Introduced in MSS Version 3 0 Default Distributed MAP name changed from DMPnum to DAPnum in MSS Version 4 1 334 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command changes the name of the MAP access point on port 1 to techpubs WX1200 set ap 1 name techpubs success change accepted See Also display ap dap config on page 290 set ap dap radio antennatype Sets the model number for an external antenna Syntax set ap port list dap dap num radio 1 2 antennatype ANT1060 ANT1120 ANT1180 ANT5060 ANT5120 ANT5180 ANT 1360 OUT ANT 5360 OUT ANT 5120 OUT internal ap port list List of ports connected to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models antennatype ANT1060 ANT1120 ANT1180 internal 802 11b g external antenna models ANnT1060 60 802 11b g antenna ANT1120 120 802 11b g antenna ANT1180 180 802 11b g antenna internal uses the internal antenna instead antennatype ANT5060 ANT5120 ANT5180 internal 802 11a external antenna models antT5060 60 802 11a antenna ANT5120 120 802 11a antenna ANT5180 180 802 11a antenna
530. ted to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel 336 CHAPTER 11 MANAGED ACCESS POINT COMMANDS dap auto Sets the maximum power for radios configured by the MAP configuration profile See set dap auto on page 325 radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models power level Maximum power setting RF Auto Tuning can assign to the radio expressed as the number of decibels in relation to 1 milliwatt dBm You can specify a value from 1 up to the maximum value allowed for the country of operation The power level can be a value from 1 to 20 Defaults The default maximum power setting that RF Auto Tuning can set on a radio is the highest setting allowed for the country of operation or highest setting supported on the hardware whichever is lower Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Examples The following command sets the maximum power that RF Auto Tuning can set on radio 1 on the MAP access point on port 6 to 12 dBm WX1200 set ap 6 radio 1 auto tune max power 12 success change accepted See Also set ap dap radio auto tune max retransmissions on page 337 set radio profile auto tune power backoff timer on page 352 set radio profile auto tun
531. telnet client Output Field Description Session Session number assigned by MSS when the client session is established Server Address IP address of the remote device Server Port TCP port number of the remote device s TCP server Client Port TCP port number MSS is using for the client side of the session See Also Clear sessions on page 519 display sessions network 525 display sessions network Displays summary or verbose information about all network sessions or network sessions for a specified username or set of usernames MAC address or set of MAC addresses VLAN or set of VLANs or session ID Syntax display sessions network user user glob mac addr mac addr glob ssid ssid name vlan vlan glob session id session id wired verbose user user glob Displays all network sessions for a single user or set of users Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 mac addr mac addr glob Displays all network sessions for a MAC address Specify a MAC address in hexadecimal numbers separated by colons Or use the wildcard character to specify a set of MAC addresses For details see MAC Address Globs on page 2
532. the MAP This option does not apply to single radio models mode enable Enables a radio mode disable Disables a radio Defaults MAP access point radios are disabled by default Access Enabled History Introduced in MSS Version 3 0 Option auto added for configuration of the MAP configuration profile Usage To enable or disable one or more radios to which a profile is assigned use the set ap radio radio profile command To enable or disable all radios that use a specific radio profile use the set radio profile command Examples The following command enables radio 1 on the MAP access points connected to ports 1 through 5 WX1200 set ap 1 5 radio 1 mode enable success change accepted The following command enables radio 2 on ports 1 through 3 WX1200 set ap 1 3 radio 2 mode enable success change accepted See Also Clear ap dap radio on page 286 display ap dap config on page 290 set ap dap radio radio profile on page 343 set radio profile mode on page 362 set ap dap radio radio profile 343 set ap dap radio radio profile Assigns a radio profile to a MAP radio and enables or disables the radio Syntax set ap port list dap dap num auto radio 1 2 radio profile name mode enable disable ap port list List of ports dap dap num Number of a Distributed MAP dap auto Sets the radio profile for the MAP configuration profile
533. the WX switch for authentication server group name Uses the defined group of RADIUS servers for authentication You can enter up to four names of existing RADIUS server groups as methods For more information see Usage Defaults By default authentication is deactivated for all MAC users which means MAC address authentication fails by default When using RADIUS for authentication a MAC user s MAC address is also used as the authorization password for that user and no global authorization password is set Access Enabled History Introduced in MSS Version 3 0 240 CHAPTER 8 AAA COMMANDS Usage You can configure different authentication methods for different groups of MAC addresses by globbing For details see User Globs MAC Address Globs and VLAN Globs on page 26 If you specify multiple authentication methods in the set authentication mac command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MSS tries the second method and so on However if local appears first followed by a RADIUS server group MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group If the switch s configuration contains a set authentication mac command that matches the SSID the user is attempt
534. the command history buffer for the current CLI session Syntax clear history Defaults None Access All History Introduced in MSS Version 3 0 Examples To clear the history buffer type the following command WX4400 clear history success command buffer was flushed See Also history on page 47 clear prompt Resets the system prompt to its previously configured value If the prompt was not configured previously this command resets the prompt to its default Syntax clear prompt Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To reset the prompt type the following command wildebeest clear prompt success change accepted Wx4400 See Also set prompt on page 54 For information about default prompts see Command Prompts on page 24 40 CHAPTER 3 SYSTEM SERVICE COMMANDS clear system AN Clears the system configuration of the specified information CAUTION If you change the IP address any currently configured Mobility Domain operations cease You must reset the Mobility Domain Syntax clear system contact countrycode idle timeout ip address location name contact Resets the name of contact person for the WX switch to null countrycode Resets the country code for the WX switch to null idle timeout Resets the number of seconds a CLI management session can remain idle to the defau
535. the switch designated_root MAC address of the root bridge designated cost Total path cost to reach the root bridge designated_bridge Bridge to which this switch forwards traffic away from the root bridge designated_port STP port through which this switch forwards traffic away from the root bridge top_change_ack Value of the topology change acknowledgment flag in the next configured bridge protocol data unit BPDU to be transmitted on the associated port The flag is set in reply to a topology change notification BPDU display spantree statistics 407 Table 71 Output for display spantree statistics continued Field Description config_pending Indicates whether a configured BPDU is to be transmitted on expiration of the hold timer for the port port_inconsistency Indicates whether the port is in an inconsistent state config BPDU s xmitted Number of BPDUs transmitted from the port A number in parentheses indicates the number of configured BPDUs transmitted by the WX switch for this VLAN s spanning tree config BPDU s received Number of BPDUs received by this port A number in parentheses indicates the number of configured BPDUs received by the WX switch for this VLAN s spanning tree tcn BPDU s xmitted Number of topology change notification TCN BDPUs transmitted on this port tcn BPDU s received Number of TCN BPDUs received on this po
536. thin a 60 second period Note The WPA fields are displayed only when the WPA IE is enabled vlan name session timeout service type See Also Authorization attributes that are applied by default to a user accessing the SSID managed by this service profile in addition to any attributes assigned to the user by a RADIUS server or the local database See Table 44 on page 249 for a list of authorization attributes and values that can be assigned to network users set service profile auth dot1x on page 373 set service profile auth fallthru on page 374 set service profile auth psk on page 375 set service profile beacon on page 376 set service profile cipher ccmp on page 377 set service profile cipher tkip on page 378 set service profile cipher wep104 on page 379 set service profile cipher wep40 on page 380 set service profile psk phrase on page 381 set service profile psk raw on page 382 set service profile rsn ie on page 383 set service profile shared key auth on page 384 324 CHAPTER 11 MANAGED ACCESS POINT COMMANDS set service profile ssid name on page 384 set service profile ssid type on page 385 set service profile tkip mc time on page 386 set service profile web portal form on page 387 set service profile wep active multicast index on page 388 set service profile wep active unicast index on page 389 set service profile wep key index on page 390 se
537. threshold After the retransmissions fall below the threshold the radio reduces power by 1 dBm As long as retransmissions remain below the threshold the radio continues reducing power in 1 dBm increments until it returns to its default power level A radio also can increase power in 1 dBm increments if a client falls below the minimum allowed data rate After a radio increases power all clients must be at the minimum data rate or higher and the maximum retransmissions must be within the allowed percentile before the radio begins reducing power again Examples The following command changes the max retransmissions value to 20 WX1200 set ap 6 radio 1 auto tune max retransmissions 20 success change accepted See Also set ap dap radio auto tune max power on page 335 set radio profile auto tune power backoff timer on page 352 set radio profile auto tune power config on page 353 set radio profile auto tune power interval on page 354 set fap dap radio channel 339 set ap dap radio channel Sets a MAP radio s channel Syntax set ap port list dap dap num radio 1 2 channel channel number ap port list List of ports connected to the MAP access points on which to set the channel dap dap num Number of a Distributed MAP on which to set the channel radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models chan
538. tication console 205 clear authentication dot1x 206 clear authentication last resort 207 clear authentication mac 208 clear authentication proxy 209 clear authentication web 209 clear location policy 210 clear mac user 211 clear mac user attr 212 clear mac user group 212 clear mac usergroup 213 clear mac usergroup attr 214 clear mobility profile 215 clear user 215 clear user attr 216 clear user group 217 clear usergroup 217 clear usergroup attr 218 display aaa 219 display accounting statistics 222 display location policy 224 10 display mobility profile 224 set accounting admin console 225 set accounting dot1x mac web last resort 227 set authentication admin 229 set authentication console 231 set authentication dot1x 233 set authentication last resort 236 set authentication mac 239 set authentication proxy 241 set authentication web 242 set location policy 244 set mac user 248 set mac user attr 249 set mac usergroup attr 254 set mobility profile 255 set mobility profile mode 257 set user 258 set user attr 259 set user group 260 set usergroup 261 set web portal 262 MOBILITY DOMAIN COMMANDS Commands by Usage 265 clear mobility domain 266 clear mobility domain member 266 display mobility domain config 267 display mobility domain status 267 set mobility domain member 269 set mobility domain mode member seed ip 270 set mobility domain mode seed domain name 271 NETWORK DOMAIN C
539. tication web 243 Usage You can configure different authentication methods for different groups of users by globbing For details see User Globs on page 26 You can configure a rule either for wireless access to an SSID or for wired access through a WX switch s wired authentication port If the rule is for wireless access to an SSID specify the SSID name or specify any to match on all SSID names If the rule is for wired access specify wired instead of an SSID name If you specify multiple authentication methods in the set authentication web command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MSS tries the second method and so on However if local appears first followed by a RADIUS server group MSS overrides any failed searches in the local WX database and sends an authentication request to the server group MSS uses a WebAAA rule only under the following conditions The client is not denied access by 802 1X or does not support 802 1X The client s MAC address does not match a MAC authentication rule The fallthru method is web For a wireless authentication rule the fallthru method is specified by the set service profile auth fallthru command For a wired authentication rule the fallthru method is specified by the auth fall thru option of the set port
540. tion Protocol EAP certificate which authenticates the WX switch to 802 1X supplicants clients web Stores the certificate authority s WebAAA certificate which authenticates the WX to clients who use WebAAA 472 CHAPTER 15 CRYPTOGRAPHY COMMANDS wWx4 400 PEM formatted certificate ASCII text representation of the PKCS 7 certificate consisting of up to 5120 characters that you have obtained from the certificate authority Defaults None Access Enabled History Introduced in MSS Version 3 0 Webaaa option renamed to web in MSS Version 4 1 Usage To use this command you must already have generated a certificate request with the crypto generate request command sent the request to the certificate authority and obtained a signed copy of the WX switch certificate as a PKCS 7 object file Then do the following Open the PKCS 7 object file with an ASCII text editor such as Notepad Or Vi 2 Enter the crypto certificate command on the CLI command line 3 When MSS prompts you for the PEM formatted certificate paste the PKCS 7 object file onto the command line The WX switch verifies the validity of the public key associated with this certificate before installing it to prevent a mismatch between the WX switch s private key and the public key in the installed certificate Examples The following command installs a certificate crypto certificate admin Enter P EM encoded certificate
541. tion ping Send echo packets to hosts quit Exit from the Admin session reset Reset us reset help for more information rollback Remove changes to the edited ACL table save Save the running configuration to persistent storage set Set us set help for more information telnet telnet IP address server port traceroute Print the route packets take to network host See Also Using CLI Help on page 31 history Displays the command history buffer for the current CLI session Syntax history Defaults None Access All History Introduced in MSS Version 3 0 Examples To show the history of your session type the following command WxX4400 gt history Show History most recent first 00 display config 01 display version 02 enable 48 CHAPTER 3 SYSTEM SERVICE COMMANDS See Also a Clear history on page 39 quickstart Runs a script that interactively helps you configure a new switch For more information see the CLI quickstart Command section of the WX Setup Methods chapter in the Wireless LAN Switch and Controller Configuration Guide CAUTION The quickstart command is for configuration of a new switch only After prompting you for verification the command erases the switch s configuration before continuing If you run this command on a switch that already has a configuration the configuration will be erased In addition error messages such as Critical AP Notice for directly c
542. tiple frames before transmission Syntax set radio profile name frag threshold threshold a name Radio profile name threshold Maximum frame length in bytes You can enter a value from 256 through 2346 Defaults The default fragmentation threshold for MAP radios is 2346 bytes Access Enabled History Introduced in MSS Version 3 0 Usage You must disable all radios that are using a radio profile before you can change parameters in the profile Use the set radio profile mode command Examples The following command changes the fragmentation threshold for radio profile ro7 to 1500 bytes WX4400 set radio profile rpl frag threshold 1500 success change accepted See Also display radio profile on page 317 set radio profile mode on page 362 set radio profile long retry 359 set radio profile long retry Changes the long retry threshold for the MAP radios in a radio profile The long retry threshold specifies the number of times a radio can send a long unicast frame without receiving an acknowledgment A long unicast frame is a frame that is equal to or longer than the Request to Send RTS threshold Syntax set radio profile name long retry threshold name Radio profile name threshold Number of times the radio can send the same long unicast frame You can enter a value from 1 through 15 Defaults The default long unicast retry threshold for MAP radios is 5 attempts
543. tive to the other radios However if the clients are VoIP phones a relatively high number of clients does not necessarily mean overutilization since voice clients consume less bandwidth on average than data clients MIC Error Ct Number of times the radio received a TKIP encrypted frame with an invalid MIC Normally the value of this counter should always be O If the value is not 0 check the system log for MIC error messages and contact 3Com TAC TKIP Decrypt Err Number of times a decryption error occurred with a packet encrypted with TKIP See the description for CCMP Pkt Decrypt Err CCMP Pkt Replays Number of CCMP packets that were resent to the MAP by a client See the description for TKIP Pkt Replays RadioResets Number of times the radio has been reset Generally a reset occurs as a result of RF noise It is normal for this counter to increment a few times per day Transmit Retries Number of times the radio retransmitted a unicast packet because it was not acknowledged The MAP uses this counter to adjust the transmit data rate for a client in order to minimize retries The ratio of transmit retries to transmitted packets TxUniPkt indicates the overall transmit quality A ratio of about 1 retry to 10 transmitted packets indicates good transmit quality A ratio of 3 or more to 10 indicates poor transmit quality This counter includes unacknowledged probes Some clients do not resp
544. to authenticate and encrypt RADIUS communication Defaults The default UDP port number for access requests is 1812 The default UDP port number for stop accounting records is 1813 Access Enabled History Introduced in MSS 4 0 Usage AAA for third party AP users has additional configuration requirements See the Configuring AAA for Users of Third Party APs section in the Configuring AAA for Network Users chapter of the Wireless LAN Switch and Controller Configuration Guide set radius proxy port 493 Examples The following command configures a RADIUS proxy entry for a third party AP RADIUS client at 10 20 20 9 sending RADIUS traffic to the default UDP ports 1812 and 1813 on the WX WX4400 set radius proxy client address 10 20 20 9 key radkeyl success change accepted See Also Clear radius proxy client on page 488 set authentication proxy on page 241 set radius proxy port on page 493 set radius proxy port Configures the WX port connected to a third party AP as a RADIUS proxy for the SSID supported by the AP Syntax set radius proxy port port list tag tag value ssid ssid name port port list WX port s connected to the third party AP tag tag value 802 1Q tag value in packets sent by the third party AP for the SSID ssid ssid name SSID supported by the third party AP Defaults None Access Enabled History Introduced in MSS 4 0 Usage
545. to KILLING Localid 9 globalid SESSION 9 893249336 moved from ACTIVE to KILLING client 00 06 25 09 39 5d To clear the session of user Natasha type the following command WX1200 clear sessions network user Natasha To clear the sessions of users whose name begins with the characters Jo type the following command WX1200 clear sessions network user Jo To clear the sessions of all users on VLAN red type the following command WX1200 clear sessions network vlan red See Also display sessions on page 522 display sessions network on page 525 display sessions Displays session information and statistics for all users with administrative access to the WX switch or for administrative users with either console or Telnet access Syntax display sessions admin console telnet client admin Displays sessions for all users with administrative access to the WX switch through a Telnet or SSH connection or a console plugged into the switch console Displays sessions for all users with administrative access to the WX switch through a console plugged into the switch display sessions 523 telnet Displays sessions for all users with administrative access to the WX switch through a Telnet connection telnet client Displays Telnet sessions from the CLI to remote devices Defaults None Access All except for display sessions telnet client which has enabled access Hi
546. to a radio on a Distributed MAP A snoop filter does take effect until you map it to a radio and enable the filter Syntax set snoop map filter name dap dap num radio 1 2 filter name Name of the snoop filter dap dap num Number of a Distributed MAP to which to map the snoop filter radio 1 Radio 1 of the MAP radio 2 Radio 2 of the MAP This option does not apply to single radio models Defaults Snoop filters are unmapped by default Access Enabled History Introduced in MSS Version 4 0 Usage You can map the same filter to more than one radio You can map up to eight filters to the same radio If more than one filter has the same observer the MAP sends only one copy of a packet that matches a filter to the observer After the first match the MAP sends the packet and stops comparing the packet against other filters for the same observer If the filter does not have an observer the MAP still maintains a counter of the number of packets that match the filter See display snoop stats on page 606 Examples The following command maps snoop filter snoop1 to radio 2 on Distributed MAP 3 WX1200 set snoop map snoopl dap 3 radio 2 success change accepted See Also Clear snoop map on page 598 set snoop on page 599 set snoop mode on page 603 display snoop map on page 605 display snoop stats on page 606 set snoop mode 603 set snoop mode Enables a sn
547. to noise ratio of the last packet received by the MAP access point Clear sessions network on page 521 532 CHAPTER 18 SESSION MANAGEMENT COMMANDS 19 RF DETECTION COMMANDS MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue access points A rogue access point is a BSSID MAC address associated with an SSID that does not belong to a 3Com switch and is not a member of the ignore list configured on the seed switch of the Mobility Domain The ignore list is a list of third party friendly BSSIDs that are not rogues MSS can issue countermeasures against rogue devices to prevent clients from being able to use them You can configure RF detection parameters only on the seed switch of a Mobility Domain Commands by Usage This chapter presents RF detection commands alphabetically Use Table 94 to locate the commands in this chapter based on their use Table 94 RF Detection Commands by Usage Type Command Rogue Information display rfdetect clients on page 539 display rfdetect mobility domain on page 546 display rfdetect data on page 544 display rfdetect visible on page 552 display rfdetect counters on page 542 Countermeasures display rfdetect countermeasures on page 541 Permitted Vendor set rfdetect vendor list on page 561 List 534 CHAPTER 19 RF DETECTION COMMANDS Table 94 RF Detection Commands by Usage continued Type Command displa
548. trict on page 99 clear security 12 restrict counters on page 100 Tunnel Affinity set vlan tunnel affinity on page 118 FDB Entries set fdb on page 113 display fdb on page 102 display fdb count on page 105 clear fdb on page 98 FDB Aging Timeout set fdb agingtime on page 114 display fdb agingtime on page 104 98 CHAPTER 5 VLAN COMMANDS clear fdb Deletes an entry from the forwarding database FDB Syntax clear fdb perm static dynamic port port list vlan vlan id tag tag value perm Clears permanent entries A permanent entry does not age out and remains in the database even after a reboot reset or power cycle You must specify a VLAN name or number with this option static Clears static entries A static entry does not age out but is removed from the database after a reboot reset or power cycle You must specify a VLAN name or number with this option dynamic Clears dynamic entries A dynamic entry is automatically removed through aging or after a reboot reset or power cycle You are not required to specify a VLAN name or number with this option port port list Clears dynamic entries that match destination ports in the port list You are not required to specify a VLAN name or number with this option vlan vlan id VLAN name or number required for removing permanent and static entries For dynamic entries specifying a VLAN removes entries that match on
549. troduced in MSS Version 3 0 Usage Aging applies only to dynamic entries To reset the ARP aging timeout to its default value use the set arp agingtime 1200 command Examples The following command changes the ARP aging timeout to 1800 seconds WX1200 set arp agingtime 1800 success set arp aging time to 1800 seconds The following command disables ARP aging WX1200 set arp agingtime 0 success set arp aging time to 0 seconds See Also setarp on page 158 telnet on page 195 160 CHAPTER 7 IP SERVICES COMMANDS set interface Configures an IP interface on a VLAN Syntax set interface vlan id ip ip addr mask ip addr mask length vlan id VLAN name or number ip addr mask P address and subnet mask in dotted decimal notation for example 10 10 10 10 255 255 255 0 ip addr mask length IP address and subnet mask length in CIDR format for example 10 10 10 10 24 Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage You can assign one IP interface to each VLAN If an interface is already configured on the VLAN you specify this command replaces the interface If you replace an interface that is in use as the system IP address replacing the interface can interfere with system tasks that use the system IP address including the following a Mobility domain operations Topology reporting for dual homed MAP access points a Default source IP ad
550. ts an EAP request to a supplicant client before ending the authentication session Syntax set dotlx max req number of retransmissions number of retransmissions Specify a value between 0 and 10 Defaults The default number of EAP retransmissions is 2 Access Enabled History Introduced in MSS Version 3 0 Usage To support SSIDs that have both 802 1X and static WEP clients MSS sends a maximum of two ID requests even if this parameter is set to a higher value Setting the parameter to a higher value does affect all other types of EAP messages Examples Type the following command to set the maximum number of EAP request retransmissions to three attempts WX4400 set dotlx max req 3 success dotlx max request set to 3 See Also Clear dot1x max req on page 501 display dot1x on page 505 512 CHAPTER 17 802 1X MANAGEMENT COMMANDS set dot1x port control Determines the 802 1X authentication behavior on individual wired authentication ports or groups of ports Syntax set dot1x port control forceauth forceunauth auto port list forceauth Forces the specified wired authentication port s to unconditionally authorize all 802 1X authentication attempts with an EAP success message forceunauth Forces the specified wired authentication port s to unconditionally reject all 802 1X authentication attempts with an EAP failure message auto Allows the specified wired auth
551. tted with the topology change flag set by this WX switch when it is the root bridge after detection of a topology change It is equal to the sum of the switch s maximum age and forwarding delay parameters topology change detected Indicates whether a topology change has been detected by the switch topology change count Number of times the topology change has occurred topology change last recvd from MAC address of the bridge from which the WX switch last received a topology change display spantree uplinkfast 409 Table 71 Output for display spantree statistics continued Field Description dynamic max age Number of times the maximum age parameter was transition changed dynamically port BPDU ok count Number of valid port BPDUs received msg age expiry count Number of expired messages link loading Indicates whether the link is oversubscribed BPDU in processing Indicates whether BPDUs are currently being processed num of similar BPDU s Number of similar BPDUs received on a port that need to to process be processed received_inferior_bpdu Indicates whether the port has received an inferior BPDU or a response to a Root Link Query RLQ BPDU next state Port state before it is set by STP src MAC count Number of BPDUs with the same source MAC address total src MAC count Number of BPDUs with all the source MAC addresses curr_src_mac Source MAC address of the cu
552. tween 1 and 32 alphanumeric characters with no spaces Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage MSS does not allow the subdirectory to be removed unless it is empty Delete all files from the subdirectory before attempting to remove it Examples The following example removes subdirectory corp2 WX4400 rmdir corp2 success change accepted See Also dir on page 570 mkdir on page 580 save config Saves the running configuration to a configuration file Syntax save config filename filename Name of the configuration file Specify between 1 and 128 alphanumeric characters with no spaces To save the file in a subdirectory specify the subdirectory name followed by a forward slash in front of the filename For example backup_configs config_c Defaults By default MSS saves the running configuration as the configuration filename used during the last reboot set boot backup configuration 585 Access Enabled History Introduced in MSS Version 3 0 Usage If you do not specify a filename MSS replaces the configuration file loaded during the most recent reboot To display the filename of the configuration file MSS loaded during the most recent reboot use the display boot command The command completely replaces the specified configuration file with the running configuration Examples The following command saves the running configuration to the
553. type MSS applies default settings appropriate for the port type Table 19 lists the default settings that MSS applies when you set a port s type to ap Table 19 Wired Authentication Port Details Port Parameter Setting VLAN membership Removed from all VLANs You cannot assign a MAP access port to a VLAN MSS automatically assigns MAP access ports to VLANs based on user traffic Spanning Tree Not applicable Protocol STP 802 1X Uses authentication parameters configured for users Port groups Not applicable IGMP snooping Enabled as users are authenticated and join VLANs Maximum user sessions 1 one Fallthru authentication None type For 802 1X clients wired authentication works only if the clients are directly attached to the wired authentication port or are attached through a hub that does not block forwarding of packets from the client to the PAE group address 01 80 c2 00 00 03 Wired authentication works in accordance with the 802 1X specification which prohibits a client from sending traffic directly to an authenticator s MAC address until the client is authenticated Instead of sending traffic to the authenticator s MAC address the client sends packets to the PAE group address 96 CHAPTER 4 PORT COMMANDS The 802 1X specification prohibits networking devices from forwarding PAE group address packets because this would make it possible for multiple authenticators to acquire the same c
554. type wired auth command Examples The following command configures a WebAAA rule in the local WX database for SSID ourcorp and userglob rnd WX4400 set authentication web ssid ourcorp rnd local success change accepted See Also Clear authentication proxy on page 209 244 CHAPTER 8 AAA COMMANDS display aaa on page 219 set authentication admin on page 229 set authentication console on page 231 set authentication dot1x on page 233 set authentication last resort on page 236 set location policy Creates and enables a location policy on an WX switch The location policy enables you to locally set or change authorization attributes for a user after the user is authorized by AAA without making changes to the AAA server Syntax set location policy deny if ssid operator ssid name wlan operator vlan glob user operator user glob port port list dap dap num before rule number modify rule number Syntax set location policy permit vlan vlan name inacl inacl name outacl outacl name if ssid operator ssid name vlan operator vlan glob user operator user glob port port list dap dap num before rule number modify rule number deny Denies access to the network to users with characteristics that match the location policy rule permit Allows access to the network or to a specified VLAN and or assigns a particular security ACL to users with characteristics that
555. ubstitution buffer Load use load help for more information Exit from the Admin session onitor use monitor help for more information Send echo packets to hosts Exit from the Admin session Reset us reset help for more information Remove changes to the edited ACL table Save the running configuration to persistent storage Set us set help for more information telnet IP address server port Print the route packets take to network host For more information on help see help on page 46 To see a subset of the online help type the command for which you want more information For example to show all the commands that begin with the letter type the following command Show interfaces maintained by the interface manager Show igmp information Show interfaces Show ip information 32 CHAPTER 1 USING THE COMMAND LINE INTERFACE To see all the variations type one of the commands followed by a question mark For example WX1200 display ip alias display ip aliases dns display DNS status https display ip https route display ip route table telnet display ip telnet To determine the port on which Telnet is running type the following command WX1200 display ip telnet Server Status Port Enabled 23 Understanding Command Descriptions Each command description in the 3Com Mobility System Software Command Reference contains the following elements A command name which
556. ucted Called Station Id MAC address of the MAP access point through which the client reached the network See Also Clear accounting on page 203 display aaa on page 219 set accounting admin console on page 225 224 CHAPTER 8 AAA COMMANDS display location policy Id Clauses Displays the list of location policy rules that make up the location policy on an WX switch Syntax display location policy Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays the list of location policy rules in the location policy on an WX switch WX4400 display location policy 1 deny if user eq theirfirm com 2 permit vlan guest_1 if vlan neq wodefirm com 3 permit vlan bld4 tac inacl tac_24 in if user eq ny wodefirm com See Also Clear location policy on page 210 set location policy on page 244 display mobility profile Displays the named Mobility Profile If you do not specify a Mobility Profile name this command shows all Mobility Profile names and port lists on the WX Syntax display mobility profile name a name Name of an existing Mobility Profile Defaults None Access Enabled History Introduced in MSS Version 3 0 set accounting admin console 225 Examples The following command displays the Mobility Profile magnolia WX1200 display mobility profile magnolia Mobility Profiles
557. ulticast groups The information fields containing this information are described separately The display igmp mrouter command shows the same information Port Number of the physical port through which the WX can reach the router Mrouter IPaddr IP address of the multicast router interface Mrouter MAC MAC address of the multicast router interface Type How the WX learned that the port is a multicast router port conf Static multicast port configured by an administrator a madv Multicast advertisement a quer IGMP query a dvmrp Distance Vector Multicast Routing Protocol DVMRP a pimv1 Protocol Independent Multicast PIM version 1 pimv2 PIM version 2 display igmp 425 Table 75 Output for display igmp continued Field Description TIL Number of seconds before this entry ages out if not refreshed For static multicast router entries the time to live TTL value is undef Static multicast router entries do not age out Group IP address of a multicast group The display igmp receiver table command shows the same information as these receiver fields Port Physical port through which the WX can reach the group s receiver Receiver IP IP address of the client receiving the group Receiver MAC MAC address of the client receiving the group TIL Number of seconds before this entry ages out if the WX does not receive a group membership message from t
558. ulticast routers You can specify a value from 1 through 65 535 vlan vlan id VLAN name or number If you do not specify a VLAN the timer change applies to all VLANs Defaults The default last member query interval is 10 tenths of a second 1 second Access Enabled History Introduced in MSS Version 3 0 Examples The following command changes the last member query interval on VLAN orange to 5 tenths of a second WX1200 set igmp lmqi 5 vlan orange success change accepted See Also set igmp oqi on page 437 set igmp qi on page 439 set igmp mrouter on page 435 setigmp mrouter 435 set igmp mrouter Adds or removes a port in a WXs5s list of ports on which it forwards traffic to multicast routers Static multicast ports are immediately added to or removed from the list of router ports and do not age out Syntax set igmp mrouter port port list enable disable a port port list Port list MSS adds or removes the specified ports in the list of static multicast router ports enable Adds the port to the list of static multicast router ports disable Removes the port from the list of static multicast router ports Defaults By default no ports are static multicast router ports Access Enabled History Introduced in MSS Version 3 0 Usage You cannot add MAP access ports or wired authentication ports as static multicast ports However MSS can dynamically add thes
559. umber of frames transmitted by the port that were fewer than 64 bytes long Tx Fragment Total number of frames transmitted that were less than 64 octets long and had invalid CRCs Tx Abort Total number of frames that had a link pointer parity error 80 CHAPTER 4 PORT COMMA NDS Table 17 Output for monitor port counters continued Statistics Option Field Description collisions Single Coll Total number of frames transmitted that experienced one collision before 64 bytes of the frame were transmitted on the network Multiple Coll Total number of frames transmitted that experienced more than one collision before 64 bytes of the frame were transmitted on the network Excessive Coll Total number of frames that experienced more than 16 collisions during transmit attempts These frames are dropped and not transmitted Total Coll Best estimate of the total number of collisions on this Ethernet segment receive etherstats Rx 64 Number of packets received that were 64 bytes long Rx 127 Number of packets received that were from 65 hrough 127 bytes long Rx 255 Number of packets received that were from 128 hrough 255 bytes long Rx 511 Number of packets received that were from 256 hrough 511 bytes long Rx 1023 Number of packets received that were from 512 hrough 1023 bytes long Rx 1518 Number of pa
560. unting admin console on page 225 display accounting statistics on page 222 204 CHAPTER 8 AAA COMMANDS clear authentication admin Removes an authentication rule for administrative access through Telnet or Web Manager Syntax clear authentication admin user glob a user glob A single user or set of users Specify a username use the double asterisk wildcard character to specify all usernames or use the single asterisk wildcard character to specify a set of usernames up to or following the first delimiter character either an at sign or a period For details see User Globs on page 26 Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command clears authentication for administrator Jose Wx4400 clear authentication admin Jose success change accepted See Also Clear authentication console on page 205 Clear authentication dot1x on page 206 Clear authentication last resort on page 207 Clear authentication mac on page 208 Clear authentication proxy on page 209 display aaa on page 219 set authentication admin on page 229 clear authentication console 205 clear authentication console Removes an authentication rule for administrative access through the Console Syntax clear authentication console user glob user glob A single user or set of users Specify a username use the double aster
561. uplex 1000 Sets the port speed of a gigabit Ethernet port to 1000 Mbps and sets the operating mode to full duplex auto Enables a port to detect the speed and operating mode of the traffic on the link and set itself accordingly Defaults All ports are set to auto Access Enabled History Introduced in MSS Version 3 0 Examples The following command sets the port speed on ports 1 and 3 through 4 to 10 Mbps and sets the operating mode to full duplex WX1200 set port speed 1 3 4 10 90 CHAPTER 4 PORT COMMANDS set port trap Enables or disables Simple Network Management Protocol SNMP linkup and linkdown traps on an individual port Syntax set port trap port list enable disable a port list List of physical ports enable Enables the Telnet server disable Disables the Telnet server Defaults SNMP linkup and linkdown traps are disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage The set port trap command overrides the global setting of the set snmp trap command The set port type command does not affect the global trap information displayed by the display snmp configuration command For example if you globally enable linkup and linkdown traps but then disable the traps on a single port the display snmp configuration command still indicates that the traps are globally enabled Examples The following command enables SNMP
562. ured for a user is sooner than the start date configured for the user group the user is in the user s network access can begin as soon as the user start date The user does not need to wait for the user group s start date Examples The following command assigns user Tamara to VLAN orange WX4400 set user Tamara attr vlan name orange success change accepted The following command assigns Tamara to the Mobility Profile tulip WX4400 set user Tamara attr mobility profile tulip success change accepted The following command limits the days and times when user Student can access the network to 5 p m to 2 a m every weekday and all day Saturday and Sunday WX4400 set user Studentl attr time of day Wk1700 0200 Sa Su success change accepted See Also Clear user attr on page 216 display aaa on page 219 set user group Adds a user to a user group The user must have a password and a profile that exists in the local database on the WX switch To configure a user in RADIUS see the documentation for your RADIUS server Syntax set user username group group name username Username of a user with a password group name Name of an existing user group for password users Defaults None set usergroup 261 Access Enabled History Introduced in MSS Version 3 0 Usage MSS does not require users to belong to user groups To create a user group user the command set usergroup Exam
563. ures that WX switches and MAP access points give preferential treatment to high priority traffic such as voice and video To override the prioritization for specific traffic use access controls lists ACLs to set the Class of Service CoS for the packets See Security ACL Commands on page 445 Commands by Usage This chapter presents QOS commands alphabetically Use Table 27 to locate commands in this chapter based on their use Table 27 QOS Commands by Usage Type Command QOS Settings display qos on page 123 display qos dscp table on page 124 set qos cos to dscp map on page 121 set qos dscp to cos map on page 122 clear qos on page 120 120 CHAPTER 6 QUALITY OF SERVICE COMMANDS clear qos Resets the switch s mapping of Differentiated Services Code Point DSCP values to internal QoS values The switch s internal QoS map ensures that prioritized traffic remains prioritized while transiting through the WX switch A WX switch uses the QoS map to do the following a Classify inbound packets by mapping their DSCP values to one of eight internal QoS values a Classify outbound packets by marking their DSCP values based on the switch s internal QoS values Syntax clear qos cos to dscp map from qos dscp to cos map from dscp cos to dscp map Resets the mapping between the specified internal QoS value and the DSCP values with which MSS marks outbound packets QoS values
564. user 592 set trace authorization 593 set trace authorization mac addr 593 set trace authorization port 593 set trace authorization user 593 set trace dot1x 594 set trace dot1x mac addr 594 set trace dot1x port 594 set trace dot1x user 594 set trace sm 595 set trace sm mac addr 595 set trace sm port 595 set trace sm user 595 set user 258 set user attr 259 set user group 260 set user password 258 646 INDEX set usergroup 261 set usergroup attr 261 set vlan name 116 set vlan port 117 set vlan tunnel affinity 118 set web portal 262 T telnet 195 test 635 traceroute 197 V version 636
565. ust have the MAP in its configuration Also the switch that booted the MAP must be in the same Mobility Domain as the switch where you use the command If a Distributed MAP is configured on this WX switch or another WX switch in the same Mobility Domain but does not have an active connection the command does not display information for the MAP To show connection information for Distributed MAPs use the display dap global command on one of the switches where the MAPs are configured Examples The following command displays information for all Distributed MAPs configured on this WX switch that have active connections WX1200 display dap connection Total number of entries 2 DAP Serial Id DAP IP Address WX IP Address 2 M9DE48B012F00 10 10 2 27 10 3 8 111 4 M9DE48B123400 10 10 3 34 10 3 8 111 314 CHAPTER 11 MANAGED ACCESS POINT COMMANDS The following command displays connection information specifically for a Distributed MAP with serial ID M9DE48B6EADOO WX1200 display dap connection serial id M9DE48B6EAD00 Total number of entries 1 DAP Serial Id DAP IP Address WX IP Address 9 M9DE48B6EAD00 10 10 4 88 10 9 9 11 Table 60 describes the fields in this display Table 60 Output of display dap connection Field Description DAP Connection ID you assigned to the Distributed MAP If the connection is configured on another WX switch this field contains a hyphen Serial Id Serial ID of the
566. ut the HTTPS management port Syntax display ip https Defaults None Access All History Introduced in MSS Version 3 0 Examples The following command shows the status and port number for the HTTPS management interface to the WX switch WX4400 display ip https HTTPS is enabled HTTPS is set to use port 443 Last 10 Connections IP Address Last Connected Time Ago s 10 10 10 56 2003 05 09 15 51 26 pst 349 Table 36 describes the fields in this display 146 CHAPTER 7 IP SERVICES COMMANDS Table 36 Output for display ip https Field Description HTTPS is State of the HTTPS server enabled disabled Enabled a Disabled HTTPS is set to use port TCP port number on which the WX switch listens for HTTPS connections Last 10 connections List of the last 10 devices to establish connections to the WX switch s HTTPS server IP Address IP address of the device that established the connection If a browser connects to a WX switch from behind a proxy then only the proxy IP address is shown If multiple browsers connect using the same proxy the proxy address appears only once in the output Last Connected Time when the WX switch established the HTTPS connection to the WX switch Time Ago s See Also Number of seconds since the device established the HTTPS connection to the WX switch Clear ip telnet on page 131 display ip telnet on page 148 setip htt
567. uth enable disable enable Permits reauthentication disable Denies reauthentication Defaults Reauthentication is enabled by default Access Enabled History Introduced in MSS Version 3 0 Examples Type the following command to enable reauthentication of supplicants clients WX4400 set dotlx reauth enable success dotlx reauthentication enabled 514 CHAPTER 17 802 1X MANAGEMENT COMMANDS See Also display dot1x on page 505 set dot1x reauth max on page 514 set dot1x reauth period on page 515 set dot1x reauth max Sets the number of reauthentication attempts that the WX switch makes before the supplicant client becomes unauthorized Syntax set dotlx reauth max number of attempts a number of attempts Specify a value between 1 and 10 Defaults The default number of reauthentication attempts is 2 Access Enabled History Introduced in MSS Version 3 0 Usage If the number of reauthentications for a wired authentication client is greater than the maximum number of reauthentications allowed MSS sends an EAP failure packet to the client and removes the client from the network However MSS does not remove a wireless client from the network under these circumstances Examples Type the following command to set the number of authentication attempts to 8 WX4400 set dotlx reauth max 8 success dotlx max reauth set to 8 See Also display dot1x on page 50
568. uthorization mac addr 00 01 02 03 04 05 success change accepted 594 CHAPTER 21 TRACE COMMANDS See Also Clear trace on page 590 display trace on page 591 set trace dot1x Traces 802 1X sessions Syntax set trace dot1lx mac addr mac address port port n uml user username level level mac addr mac address Traces a MAC address Specify a MAC address using colons to separate the octets for example 00 11 22 aa bb cc port port num Traces on a WX port number a user username Traces a user Specify a username of up to 80 alphanumeric characters with no spaces level level Determines the quantity of information included in the output You can set the level with an integer from 1 to 10 where level 10 provides the most information Levels 1 through 5 provide user readable information If you do not specify a level level 5 is the default Defaults The default trace level is 5 Access Enabled History Introduced in MSS Version 3 0 Examples The following command starts a trace for the 802 1X sessions for MAC address 00 01 02 03 04 05 WX4400 set trace dot1lx mac addr 00 01 02 03 04 05 success change accepted See Also clear trace on page 590 display trace on page 591 set tracesm 595 set trace sm Traces session manager activity Syntax set trace sm mac addr mac address port port num user username level level mac addr mac address Trace
569. uto tune power config 353 radio profile auto tune power interval 354 radio profile beacon interval 347 355 radio profile countermeasures 356 radio profile dtim interval 357 cs set radio profile frag threshold 358 set radio profile long retry 359 E set radio profile max rx lifetime 360 set radio profile max tx lifetime 361 set radio profile mode 362 set radio profile preamble length 364 set radio profile rts threshold 365 set radio profile service profile 366 set radio profile short retry 369 set radio profile wmm 370 set radius 490 set radius client system ip 491 set radius deadtime 490 set radius key 490 set radius retransmit 490 set radius server 494 set radius timeout 490 set refetect ssid list 560 set rfdetect active scan 554 set rfdetect attack list 554 set rfdetect countermeasures 556 set rfdetect countermeasures mac 557 set rfdetect ignore 558 set rfdetect log 559 set rfdetect signature 560 set rfdetect vendor list 561 set security 12 restrict 114 set security acl 459 set security acl hit sample rate 466 set security acl ip icmp 459 set security acl ip ip 459 set security acl ip tcp 459 set security acl ip udp 459 set security acl map 464 set server group 496 set server group load balance 497 set service profile auth dot1x 373 set service profile auth fallthru 374 set service profile auth psk 375 set service profile beacon 376 set service profile cipher ccmp 377 set service
570. val on the root bridge Root Forward Delay Forwarding delay value on the root bridge Bridge ID MAC ADDR This WX switch s MAC address Bridge ID Priority This WX switch s bridge priority Bridge Max Age This WX switch s maximum acceptable age for hello packets Bridge Hello Time This WX switch s hello interval Bridge Forward Delay This WX switch s forwarding delay value Port Port number Only network ports are listed STP does not apply to 3Com Wireless LAN Managed Access Point AP2750 ports or wired authentication ports Vlan VLAN ID 400 CHAPTER 12 STP COMMANDS Table 69 Output for display spantree continued Field Description Port State STP state of the port Blocking The port is not forwarding Layer 2 traffic but is listening to and forwarding STP control traffic Disabled The port is not forwarding any traffic including STP control traffic The port might be administratively disabled or the link might be disconnected Forwarding The port is forwarding Layer 2 traffic Learning The port is learning the locations of other WX switches in the spanning tree before changing state to forwarding Listening The port is comparing its own STP information with information in STP control packets received by the port to compute the spanning tree and change state to blocking or forwarding Cost STP cost of the port Pr
571. ver set interface dhcp server on page 162 display dhcp server on page 140 clear interface Removes an IP interface Syntax clear interface vlan id ip a vilan id VLAN name or number Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage If the interface you want to remove is configured as the system IP address removing the address can interfere with system tasks that use the system IP address including the following Mobility domain operations 128 CHAPTER 7 IP SERVICES COMMANDS Topology reporting for dual homed MAP access points a Default source IP address used in unsolicited communications such as AAA accounting reports and SNMP traps Examples The following command removes the IP interface configured on VLAN mauve WX1200 clear interface mauve ip success cleared ip on vlan mauve See Also set interface on page 160 set interface dhcp client on page 161 display interface on page 142 clear ip alias Removes an alias which is a string that represents an IP address Syntax clear ip alias name name Alias name Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command removes the alias server WX1200 clear ip alias serverl success change accepted See Also display ip alias on page 143 clear ip dns domain 129 clear ip dns domain Removes the default DNS domain
572. ves the entry from the ARP table Host IP address hostname or alias HW Address MAC address mapped to the IP address hostname or alias VLAN VLAN the entry is for Type Entry type DYNAMIC Entry was learned from network traffic and ages out if unused for longer than the ARP aging timeout LOCAL Entry for the WX switch s MAC address Each VLAN has one local entry for the WX switch s MAC address PERMANENT Entry does not age out and remains in the configuration even following a reboot STATIC Entry does not age out but is removed after a reboot State Entry state See Also RESOLVING MSS sent an ARP request for the entry and is waiting for the reply RESOLVED Entry is resolved set arp on page 158 set arp agingtime on page 159 display dhcp client Displays DHCP client information for all VLANs Syntax display dhcp client Defaults None Access All History Introduced in MSS Version 4 0 display dhcp client 139 Examples The following command displays DHCP client information WX1200 display dhcp client Interface corpvlan 4 Configuration Status Enabled DHCP State IF_UP Lease Allocation 65535 seconds Lease Remaining 65532 seconds IP Address 10 36 5110 Subnet Mask 290 a2 094290 60 Default Gateway LOs ger Esil DHCP Server Oege LA DNS Servers LO 3e L29 DNS Domain Name mycorp com Table 30 describes the fie
573. vice profiles that contain static WEP keys to the same radio profile Examples The following command configures WEP key index 1 for service profile so2 to aabbccddee WxX4400 set service profile sp2 wep key index 1 key aabbccddee success change accepted See Also set service profile wep active multicast index on page 388 set service profile wep active unicast index on page 389 set service profile wpa ie 391 set service profile wpa ie Enables the WPA information element IE in wireless frames The WPA IE advertises the WPA authentication methods and cipher suites supported by radios in the radio profile mapped to the service profile Syntax set service profile name wpa ie enable disable name Service profile name enable Enables the WPA IE disable Disables the WPA IE Defaults The WPA IE is disabled by default Access Enabled History Introduced in MSS Version 3 0 Usage When the WPA IE is enabled the default authentication method is 802 1X There is no default cipher suite You must enable the cipher suites you want the radios to support Examples The following command enables the WPA IE in service profile sp2 WxX4400 set service profile sp2 wpa ie enable success change accepted See Also set service profile auth dot1x on page 373 set service profile auth psk on page 375 set service profile cipher ccmp on page 377 set service profile ciphe
574. wed number of collisions Typically this occurs only during periods of heavy traffic on the network TxMultiColl Number of transmitted frames that encountered more than one collision TxUnderruns Number of frames that were not transmitted or retransmitted due to temporary lack of hardware resources TxCarrierLoss Number of frames transmitted despite the detection of a deassertion of CRS during the transmission TxDeferred Number of frames deferred before transmission due to activity on the link display ap dap group 303 display ap dap group Displays configuration information and load balancing status for MAP access point groups Syntax display ap dap group name name Name of a MAP group or Distributed MAP group Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples The following command displays information for MAP access point group oadbalance WX1200 display ap group loadbalancel Load Balance Grp Port Clients Status Refused loadbalancel I 1 Accepting 0 loadbalancel 6 6 Refusing 2 Table 55 describes the fields in this display Table 55 Output for display ap group Field Description Load Balance Grp Name of the MAP access point group Port WX port number Clients Number of active client sessions on the MAP access point Status Association status of the MAP access point a Accepting The MAP access point is accepting n
575. which MSS always consults first for resolving DNS queries a secondary Makes the server a secondary server MSS consults a secondary server only if the primary server does not reply Defaults None Access Enabled Usage You can configure a WX switch to use one primary DNS server and up to five secondary DNS servers Examples The following commands configure a WX switch to use a primary DNS server and two secondary DNS servers WX1200 set ip dns server 10 10 10 50 24 primary success change accepted WX1200 set ip dns server 10 10 20 69 24 secondary success change accepted WX1200 set ip dns server 10 10 30 69 24 secondary success change accepted See Also Clear ip dns domain on page 129 Clear ip dns server on page 129 display ip dns on page 144 setip dns on page 164 setip dns domain on page 165 set ip https server 167 set ip https server AN Enables the HTTPS server on a wireless LAN switch The HTTPS server is required for Web Manager access to the switch CAUTION If you disable the HTTPS server Web Manager access to the WX switch is also disabled Syntax set ip https server enable disable a enable Enables the HTTPS server disable Disables the HTTPS server Defaults The HTTPS server is disabled by default Access Enabled History The default is changed to disabled in 3 1 In addition the HTTPS server is no longer required for WebAAA
576. which the MAP is connected is configured as a network port instead of a MAP access port and if the network port is a member of a VLAN If a Distributed MAP is configured on a WX switch in another Mobility Domain the MAP can appear in the output until the MAP is able to establish a connection with a WX switch in its Mobility Domain After the MAP establishes a connection the entry for the MAP ages out and no longer appears in the command s output Entries in the command output s table age out after two minutes Examples The following command displays information for two Distributed MAPs that are not configured WX1200 display dap unconfigured Total number of entries 2 Serial Id Model IP Address Port Vlan M9DE48B012F00 AP2750 10 3 8 54 5 default M9DE48B123400 AP2750 10 3 8 57 6 vilan eng display radio profile 317 Table 62 describes the fields in this display Table 62 Output for display dap unconfigured Field Description Serial Id Serial ID of the Distributed MAP Model MAP model number IP Address IP address of the MAP This is the address that the MAP receives from a DHCP server The MAP uses this address to send a Find WX message to request configuration information from WX switches However the MAP cannot use the address to establish a connection unless the MAP first receives a configuration from a WX switch Port Port number on which this WX switch received the MAP s Find WX message VLAN
577. witch type the following command WX4400 display security acl ACL table ACL Type Class Mapping acl 123 IP Static Port 2 In acl 133 IP Static Port 4 In acl 124 IP Static To view a summary of the security ACLs in the edit buffer type the following command WX4400 display security acl editbuffer ACL edit buffer table ACL Type Status acl 122 IP Not committed acl 132 IP Not committed acl 144 IP Not committed See Also a Clear security acl on page 446 display security acl info on page 452 set security acl on page 459 display security acl hits Displays the number of packets filtered by security ACLs hits on the WX switch Each time a packet is filtered by a security ACL the hit counter increments Syntax display security acl hits Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage For MSS to count hits for a security ACL you must specify hits in the set security acl commands that define ACE rules for the ACL 452 CHAPTER 14 SECURITY ACL COMMANDS Examples To display the security ACL hits on a WX switch type the following command WX4400 display security acl hits ACL hit counters Index Counter ACL name 1 0 acl 2 2 0 act IzS 3 916 acl_123 See Also set security acl hit sample rate on page 466 set security acl on page 459 display security acl info Displays the contents of a specified security ACL or all security ACLs tha
578. within the radio profiles that are mapped to the service profile Syntax set service profile name auth fallthru last resort none web portal last resort Automatically authenticates the user and allows access to the SSID requested by the user without requiring a username and password none Denies authentication and prohibits the user from accessing the SSID The fallthru authentication type none is different from the authentication method none you can specify for administrative access The fallthru authentication tyoe none denies access to a network user In contrast the authentication method none allows access to the WX switch by an administrator See set authentication admin on page 229 and set authentication console on page 231 web portal Serves the user a web page from the WX switch s nonvolatile storage for secure login to the network Defaults The default fallthru authentication type is web auth If a username does not match a userglob in an authentication rule for the SSID requested by the user the WX switch that is managing the radio the user is connected to redirects the user to a web page located on the WX switch The user must type a valid username and password on the web page to access the SSID set service profile auth psk 375 Access Enabled History Introduced in MSS Version 3 0 Option for WebAAA fallthru authentication type changed from web auth to web portal
579. xt Sets off command syntax or sample commands and system responses Bold text Highlights commands that you enter or items you select Italic text Designates command variables that you replace with appropriate values or highlights publication titles or words requiring special emphasis square brackets Enclose optional parameters in command syntax curly brackets Enclose mandatory parameters in command syntax vertical bar Separates mutually exclusive options in command syntax Keyboard key names If you must press two or more keys simultaneously the key names are linked with a plus sign Example Press Ctrl Alt Del Words in italics Italics are used to a Emphasize a point Denote a new term at the place where it is defined in the text a Highlight an example string such as a username or SSID Documentation The MSS documentation set includes the following documents a Wireless LAN Switch Manager 3WXM Release Notes These notes provide information about the system software release including new features and bug fixes a Wireless LAN Switch and Controller Release Notes These notes provide information about the system software release including new features and bug fixes a Wireless LAN Switch and Controller Quick Start Guide This guide provides instructions for performing basic setup of secure 802 1X and guest WebAAA access for configuring a
580. y code on a WX switch you must reconfigure all MAP access points MAP Access Point Commands by Usage This chapter presents MAP access point commands alphabetically Use Table 49 to locate commands in this chapter based on their use Table 49 Map Access Point Commands by Usage Type Command Automatic set dap auto on page 325 Configuration of Distributed MAPs set dap auto mode on page 327 set ap dap bias on page 328 set ap dap blink on page 330 set ap dap group on page 332 set ap dap radio auto tune max power on page 335 set ap dap radio auto tune max retransmissions on page 337 284 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Table 49 Map Access Point Commands by Usage continued Type Command set ap dap radio auto tune min client rate on page 340 set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set dap auto radiotype on page 326 set ap dap upgrade firmware on page 346 External Antenna set ap dap radio antennatype on page 334 Radio Profile Assignment set ap dap radio radio profile on page 343 set radio profile mode on page 362 clear radio profile on page 288 set radio profile service profile on page 366 display radio profile on page 317 SSID Assignment set service profile ssid name on page 384 set service profile ssid type on page 385
581. y default authentication is deactivated for all console users and the default authentication method in a console authentication rule is none MSS requires no username or password by default These users can press Enter at the prompts for administrative access 3Com recommends that you change the default setting unless the WX switch is in a secure physical location Access Enabled History Introduced in MSS Version 3 0 Usage You can configure different authentication methods for different groups of users For details see User Globs MAC Address Globs and VLAN Globs on page 26 If you specify multiple authentication methods in the set authentication console command MSS applies them in the order in which they appear in the command with these results If the first method responds with pass or fail the evaluation is final If the first method does not respond MSS tries the second method and so on However if local appears first followed by a RADIUS server group MSS ignores any failed searches in the local WX database and sends an authentication request to the RADIUS server group Examples To set the console port so that it does not enforce username password authentication for administrators type the following command WX4400 set authentication console none success change accepted See Also Clear authentication console on page 205 display aaa on page 219 set authentication admin on pag
582. y exist MSS creates a new radio profile Use the enable or disable option to enable or disable all the radios using a profile To assign the profile to one or more radios use the set ap radio radio profile command To change a parameter in a radio profile you must first disable all the radios in the profile After you complete the change you can reenable the radios To enable or disable specific radios without disabling all of them use the set ap radio command 364 CHAPTER 11 MANAGED ACCESS POINT COMMANDS Examples The following command configures a new radio profile named rp1 WX4400 set radio profile rpl success change accepted The following command enables the radios that use radio profile rp7 WX4400 set radio profile rpl mode enable The following commands disable the radios that use radio profile ro7 change the beacon interval then reenable the radios WX4400 set radio profile rpl mode disable WX4400 set radio profile rpl beacon interval 200 WX4400 set radio profile rpl mode enable The following command enables the WPA IE on MAP radios in radio profile rp2 WX4400 set radio profile rp2 wpa ie enable success change accepted See Also display ap dap config on page 290 display radio profile on page 317 set ap dap radio mode on page 341 set ap dap radio radio profile on page 343 set radio profile preamble length Changes the preamble length for which an 802 11b g MAP r
583. y report 438 setigmp qi 439 set igmp qri 440 set igmp querier 441 set igmp receiver 441 setigmp rv 442 SECURITY ACL COMMANDS Security ACL Commands by Usage 445 clear security acl 446 clear security acl map 447 commit security acl 449 display security acl 450 display security acl hits 451 display security acl info 452 display security acl map 453 display security acl resource usage 454 rollback security acl 458 set security acl 459 set security acl map 464 set security acl hit sample rate 466 15 16 17 CRYPTOGRAPHY COMMANDS Commands by Usage 469 crypto ca certificate 470 crypto certificate 471 crypto generate key 473 crypto generate request 474 crypto generate self signed 476 crypto oto 478 crypto pkcs12 479 display crypto ca certificate 481 display crypto certificate 482 display crypto key ssh 483 RADIUS AND SERVER GROUP COMMANDS Commands by Usage 485 clear radius 486 clear radius client system ip 487 clear radius proxy client 488 clear radius proxy port 488 clear radius server 489 clear server group 489 set radius 490 set radius client system ip 491 set radius proxy client 492 set radius proxy port 493 set radius server 494 set server group 496 set server group load balance 497 802 1X MANAGEMENT COMMANDS Commands by Usage 499 clear dot1x bonded period 500 clear dot1x max req 501 clear dot1x port control 501 clear dot1x quiet period 502 clear dot1x reauth max
584. y rfdetect vendor list on page 551 clear rfdetect vendor list on page 537 Permitted SSID List set rfdetect ssid list on page 560 display rfdetect ssid list on page 550 clear rfdetect ssid list on page 536 Client Black List set rfdetect black list on page 555 display rfdetect black list on page 538 clear rfdetect black list on page 535 Attack List set rfdetect attack list on page 554 display rfdetect attack list on page 537 clear rfdetect attack list on page 534 Ignore List set rfdetect ignore on page 558 display rfdetect ignore on page 546 clear rfdetect ignore on page 535 MAP Signatures set rfdetect signature on page 560 Log Messages set rfdetect log on page 559 clear rfdetect attack list Removes a MAC address from the attack list Syntax clear rfdetect attack list mac addr a mac addr MAC address you want to remove from the attack list Defaults None Access Enabled History Introduced in MSS Version 4 0 Examples The following command clears MAC address 11 22 33 44 55 66 from the attack list wx4400 clear rfdetect attack list 11 22 33 44 55 66 success 11 22 33 44 55 66 is no longer in attacklist clear rfdetect black list 535 See Also Clear rfdetect attack list on page 534 display rfdetect attack list on page 537 clear rfdetect black list Removes a MAC address from the client black list Syntax clear rfdetect black l
585. yntax set security aclip acl name permit cos cos deny tcp source ip addr mask operator port port2 destination ip addr mask operator port port2 precedence precedence tos tos established before editbuffer index modify editbuffer index hits By UDP packets Syntax set security aclip acl name permit cos cos deny udp source ip addr mask operator port port2 destination ip addr mask operator port port2 precedence precedence tos tos before editbuffer index modify editbuffer index hits acl name Security ACL name ACL names must be unique within the WX switch must start with a letter and are case insensitive Specify an ACL name of up to 32 of the following characters a Letters a through z and A through Z a Numbers O through 9 Hyphen underscore _ and period 3Com recommends that you do not use the same name with different capitalizations for ACLs For example do not configure two separate ACLs with the names ac _123 and ACL_123 In an ACL name do not include the term all default action map help or editbuffer permit Allows traffic that matches the conditions in the ACE cos cos For permitted packets a class of service CoS level for packet handling Specify a value from O through 7 a 1 or 2 Background Packets are queued in MAP forwarding queue 4 set security acl 461 a Oor 3 Best effort Packets are queued in MAP forwarding queu
586. you use strings that cannot easily be guessed by unauthorized users For example do not use the well known strings public and private If you are using SNMPv3 you can configure SNMPv3 users to use authentication and to encrypt SNMP data Examples The following command configures the read write community good_community Wx4400 set snmp community read write good community success change accepted The following command configures community string switchmgr with access level notify read write WxX4400 set snmp community name switchmgrl1 notify read write success change accepted See Also Clear snmp community on page 133 set snmp notify profile 177 set ip snmp server on page 169 set snmp notify target on page 181 set snmp notify profile on page 177 set snmp protocol on page 186 set snmp security on page 187 set snmp usm on page 188 display snmp community on page 151 set snmp notify profile Configures an SNMP notification profile A notification profile is a named list of all the notification types that can be generated by a switch and for each notification type the action to take drop or send when an event Occurs You can configure up to ten notification profiles Syntax set snmp notify profile default profile name drop send notification type all default profile name Name of the notification profile you are creating or modifying The profile name can be up to 32 alphanumeric
587. ype The counters begin incrementing again For error reporting the cyclic redundancy check CRC errors include misalignment errors Jumbo packets with valid CRCs are not counted A short packet can be reported as a short packet a CRC error or an overrun In some circumstances the transmitted octets counter might increment a small amount for a port with nothing attached 78 CHAPTER 4 PORT COMMANDS Examples The following command starts the port statistics monitor beginning with octet statistics the default WX4400 monitor port counters As soon as you press Enter MSS clears the window and displays statistics at the top of the window Port Status Rx Octets Tx Octets 1 Up 27965420 34886544 To cycle the display to the next set of statistics press the Spacebar In this example packet statistics are displayed next Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast 1 Up 54620 62144 68318 62556 Table 17 describes the port statistics displayed by each statistics option The Port and Status fields are displayed for each option Table 17 Output for monitor port counters Statistics Option Field Description Displayed for All Port Port the statistics are displayed for opuons Status Port status The status can be Up or Down cone Rx Octets Total number of octets received by the port This number includes octets received in frames that contained errors Tx Octets Total number of octet
588. ype Received Transmitted Dropped General Queries 0 0 0 GS Queries 0 0 0 Report V1 0 0 0 Report V2 5 1 4 Leave 0 0 0 router Adv 0 0 0 router Term 0 0 0 router Sol 50 101 0 DVMRP 4 4 0 PIM V1 0 0 0 PIM V2 0 0 0 Topology notifications 0 Packets with unknown IGMP type 0 Packets with bad length 0 Packets with bad checksum 0 Packets dropped 4 Table 79 describes the fields in this display 432 CHAPTER 13 IGMP SNOOPING COMMANDS Table 79 Output of display igmp statistics Field Description IGMP statistics VLAN name Statistics are listed separately for each VLAN for vlan IGMP message Type of IGMP message type General Queries General group membership queries sent by the multicast querier multicast router or pseudo querier GS Queries Group specific queries sent by the multicast querier to determine whether there are receivers for a specific group Report V1 IGMP version 1 group membership reports sent by clients who want to be receivers for the groups Report V2 IGMP version 2 group membership reports sent by clients who want to be receivers for the groups Leave IGMP version 2 leave messages sent by clients who want to stop receiving traffic for a group Leave messages apply only to IGMP version 2 Mrouter Adv Multicast router advertisement packets A multicast router sends this type of packet to advertise the IP address of the sending interface as a multicast router
589. ypto types clear Wx IPaddress 10 8 121 102 Port Radio Ch 3 1 1 Mac 00 0b 0e 00 0a 6a Device type interfering Adhoc no Crypto types clear RSSI 75 SSID 3Com webaaa WX IPaddress 10 3 8 103 Port Radio Ch dap 1 1 1 Mac 00 0b 0e 76 56 82 Device type interfering Adhoc no Crypto types clear RSSI 76 SSID 3Com webaaa Two types of information are shown The lines that are not indented show the BSSID vendor and information about the SSID The indented lines that follow this information indicate the listeners MAP radios that detected the SSID Each set of indented lines is for a separate MAP listener In this example two BSSIDs are mapped to the SSID Separate sets of information is shown for each of the BSSIDs and information about the listeners for each BSSID are shown The following command displays detailed information for a BSSID WX1200 display rfdetect mobility domain bssid 00 0b 0e 00 04 dl1 BSSID 00 0b 0e 00 04 d1l Vendor Cisco SSID notmycorp Type rogue Adhoc no Crypto types clear WX IPaddress 10 8 121 102 Port Radio Ch 3 2 56 Mac 00 0b 0e 00 0a 6b Device type rogue Adhoc no Crypto types clear RSSI 72 SSID notmycorp Wx IPaddress 10 3 8 103 Port Radio Ch dap 1 1 157 Mac 00 0b 0e 76 56 82 Device type rogue Adhoc no Crypto types clear RSSI 72 SSID notmycorp Table 99 and Table 100 describe the fields in these displays display rfdetect mobility domain 549 Table 9
590. ystem on page 582 588 CHAPTER 20 FILE MANAGEMENT COMMANDS 21 A TRACE COMMANDS Use trace commands to perform diagnostic routines While MSS allows you to run many types of traces this chapter describes commands for those traces you are most likely to use For a complete listing of the types of traces MSS allows type the set trace command CAUTION Using the set trace command can have adverse effects on system performance 3Com recommends that you use the lowest levels possible for initial trace commands and slowly increase the levels to get the data you need Commands by Usage This chapter presents trace commands alphabetically Use Table 107 to locate commands in this chapter based on their use Table 107 Trace Commands by Usage Type Command Trace set trace sm on page 595 set trace dot1x on page 594 set trace authentication on page 592 set trace authorization on page 593 display trace on page 591 save trace on page 592 clear trace on page 590 clear log trace on page 590 590 CHAPTER 21 TRACE COMMANDS clear log trace Deletes the log messages stored in the trace buffer Syntax clear log trace Defaults None Access Enabled History Introduced in MSS Version 3 0 Examples To delete the trace log type the following command WX4400 clear log trace See Also display log buffer on page 610 set log on page 614 clear trace Deletes
591. zes users entering the network on WX ports 1 and 2 to use the floor2 VLAN overriding any settings from AAA WX4400 set location policy permit vlan floor2 if port 1 2 The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1 WX1200 set location policy permit vlan kiosk_1 iff ssid eq tempvendor a success change accepted See Also Clear location policy on page 210 display location policy on page 224 248 CHAPTER 8 AAA COMMANDS set mac user Configures a user profile in the local database on the WX switch for a user who can be authenticated by a MAC address and optionally adds the user to a MAC user group To configure a MAC user profile in RADIUS see the documentation for your RADIUS server Syntax set mac user mac addr group group name mac addr MAC address of the user in hexadecimal numbers separated by colons You can omit leading zeros group name Name of an existing MAC user group Defaults None Access Enabled History Introduced in MSS Version 3 0 Usage MSS does not require MAC users to belong to user groups Users authenticated by MAC address can be authenticated only for network access through the WX switch MSS does not support passwords for MAC users Examples The following command creates a user profile for a user at MAC address 01 02 03 04 05 06 and assigns the user to the eastcoasters user group WX4400 set m
Download Pdf Manuals
Related Search